Navigating the patchwork: The rapid evolution of State privacy laws
Remember when consumer privacy laws in the U.S. were mostly synonymous with the California Consumer Privacy Act (CCPA)? Those days are long gone. In 2025, the patchwork of state privacy laws has expanded dramatically, with 20 states enacting comprehensive privacy regulations—and more on the way. For privacy professionals, staying ahead of these changes is crucial to mitigating risks, maintaining consumer trust, and avoiding costly penalties.
This article comprehensively reviews each state’s privacy regulations, explores their similarities and differences, and offers practical insights to help businesses maintain compliance and future-proof their operations in 2025 and beyond.
A State-by-State breakdown: What’s in effect, what’s coming
As of 2025, the following states have enacted privacy laws:
Laws already in effect:
- California (CPRA) – Effective January 1, 2023
- Virginia (VCDPA) – Effective January 1, 2023
- Colorado (CPA) – Effective July 1, 2023
- Connecticut (CTDPA) – Effective July 1, 2023
- Utah (UCPA) – Effective December 31, 2023
- Florida (FDBR), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA) – Effective mid-2024
New laws taking effect in 2025:
- Iowa, Delaware, Nebraska (NDPA), New Hampshire (NHPA), New Jersey (NJCPA) – January 1, 2025
- Tennessee (TIPA) – July 1, 2025
- Minnesota (CDPA) – July 31, 2025
- Maryland (MODPA) – October 1, 2025
For a comprehensive look at the new data privacy laws taking effect in 2025, check out Preparing for 2025: A Dive into New U.S. Data Privacy Laws.
Looking ahead to 2026:
- Indiana (INCDPA), Kentucky (KCDPA), Rhode Island – January 1, 2026
With this ever-expanding landscape, businesses must develop adaptive compliance strategies to address varying requirements across jurisdictions.
The common threads: Key similarities across state privacy laws
Despite the diversity in these laws, most state privacy acts share common principles, making it possible to create a unified compliance strategy. These include:
- Threshold-based applicability: Most laws apply to businesses that process data for a minimum number of consumers or derive revenue from data sales.
- Core consumer rights: Access, correction, deletion, data portability, and opt-out rights are standard across most states.
- Privacy notice requirements: Transparency mandates include detailed disclosure of data practices, processing purposes, and consumer rights.
- Opt-out and consent mechanisms: Many laws mandate opt-out mechanisms for targeted advertising and the sale of personal data, with some requiring explicit opt-in consent for sensitive data processing.
- Privacy Impact Assessments (PIAs): Several states, including Colorado and Virginia, require risk assessments for high-risk processing, such as biometric data collection and profiling.
- Vendor management and contractual requirements: Organizations must ensure data processors adhere to strict contractual obligations concerning data handling.
- Limitations on data retention and secondary use: Data minimization principles restrict how long organizations can retain consumer data and limit its use beyond disclosed purposes.
Regulatory crackdowns: Key enforcement actions and lessons learned
Recent enforcement actions provide insight into how regulators interpret and enforce these laws. California’s Attorney General and the California Privacy Protection Agency (CPPA) have been actively pursuing violations related to non-compliance with consumer opt-out rights, dark patterns, and inadequate disclosures. Meanwhile, Texas has focused on consent violations for sensitive data processing, signaling a growing regulatory crackdown beyond just California.
For example, in 2024, a major e-commerce retailer was fined $10 million for failing to provide clear opt-out mechanisms, reinforcing the need for organizations to prioritize transparency. Similarly, an ad-tech company in Texas faced enforcement for collecting biometric data without proper disclosures, illustrating the need for explicit consent mechanisms.
The differences: Where States deviate from the norm
While a broad compliance framework can cover most state laws, key differences require additional attention. Some of the most significant variations include:
1. Consumer rights and their scope
- Right to correct data: Not included in Utah and Iowa.
- Third-party data sales lists: Required in Oregon, Delaware, Rhode Island, and potentially Connecticut.
- Right to contest automated profiling: Minnesota introduces this new right, requiring businesses to explain profiling results and allow consumers to contest them.
- Opt-out rights in mergers and acquisitions: California mandates that consumers’ previous opt-out choices must be honored post-merger.
2. Data minimization standards: Maryland’s groundbreaking approach
Maryland’s Online Data Privacy Act (MODPA) goes beyond traditional notice-and-consent models by imposing a strictly necessary standard for data collection and use. This means businesses can only process sensitive data if it is strictly necessary to provide a consumer-requested service, which raises significant compliance challenges.
3. Privacy notices and retention policies
- Minnesota uniquely requires businesses to include data retention policies in privacy notices.
- Maryland requires businesses to provide a third-party notice if they use or share data in ways inconsistent with original disclosures.
- Rhode Island mandates additional privacy notices for commercial websites and internet service providers.
4. Opt-out signal recognition
Several states, including California, Colorado, Connecticut, and Texas, require businesses to honor universal opt-out mechanisms such as the Global Privacy Control (GPC) signal, effectively enabling consumers to opt out of data sales and targeted advertising at the browser level. Other states provide more flexibility, creating inconsistencies in enforcement.
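One way to honor the browser-level opt-out signal described above, as an added example that is not part of the original article: a small server-side check in JavaScript that reads the `Sec-GPC` request header defined by the Global Privacy Control specification and combines it with any opt-out the consumer already recorded through a web form. The set of states in `GPC_MANDATORY_STATES` is taken from the paragraph above and is an assumption that would need to be maintained as laws change; the function names `parseGpcHeader` and `optOutDecision` and the sample requests are this example's own.

```javascript
// Added example: honoring a Global Privacy Control (GPC) opt-out signal server-side.
// Sec-GPC is the request header defined by the GPC specification; the value "1"
// is the only valid opt-out signal, so anything else is treated as no signal.

// States this article names as requiring businesses to honor universal opt-out
// signals (assumption: list is taken from the article, not from the statutes).
const GPC_MANDATORY_STATES = new Set(["CA", "CO", "CT", "TX"]);

// Parse the Sec-GPC header out of a plain header object. Header names are
// case-insensitive, so normalise before comparing.
function parseGpcHeader(headers) {
  const entry = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === "sec-gpc"
  );
  if (!entry) return false;
  return String(entry[1]).trim() === "1";
}

// Decide which processing activities must be suppressed for this request.
// stateCode: the consumer's two-letter state (how it is established, e.g. from an
//            account profile, is outside this example).
// storedOptOut: an opt-out the consumer already recorded via a web form; this is
//            honored regardless of the GPC signal.
// honorEverywhere: apply a single highest-common-denominator policy and honor the
//            signal in every state rather than only where the article says it is required.
function optOutDecision({ headers, stateCode, storedOptOut = false, honorEverywhere = false }) {
  const gpc = parseGpcHeader(headers);
  const mandatory = GPC_MANDATORY_STATES.has(stateCode);
  const honorGpc = gpc && (mandatory || honorEverywhere);
  const optedOut = storedOptOut || honorGpc;
  return {
    gpcSignalPresent: gpc,
    optOutOfSale: optedOut,
    optOutOfTargetedAds: optedOut,
    // Record why the decision was made; useful evidence if a regulator asks.
    basis: storedOptOut ? "stored-preference" : honorGpc ? "gpc-signal" : "none",
  };
}

// Constructed sample requests (not real traffic).
const sampleRequests = [
  { headers: { "Sec-GPC": "1" }, stateCode: "CA" },
  { headers: { "sec-gpc": "1" }, stateCode: "IA" },
  { headers: { "Sec-GPC": "0" }, stateCode: "TX" },
  { headers: {}, stateCode: "CO", storedOptOut: true },
];

for (const req of sampleRequests) {
  console.log(req.stateCode, JSON.stringify(optOutDecision(req)));
}
```

The `basis` field is there so the decision can be logged alongside the request: when the signal is honored, the log shows whether it was the stored preference or the browser signal that drove it, which is the kind of record an opt-out audit will ask for.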
5. Special protections for sensitive data
Children’s data
Maryland prohibits the sale of children’s data, while Colorado and Virginia require Data Protection Assessments (DPAs) for minor-related processing.
Health data
Maryland and Connecticut have introduced geofencing restrictions to prevent tracking individuals near sensitive locations like reproductive health clinics.
Biometric data
Colorado and Illinois impose stricter rules for biometric data collection, including explicit consent requirements.
Practical strategies for multi-state compliance in 2025
Sector-specific privacy considerations
Specific industries face additional regulatory scrutiny due to sector-specific privacy laws. For example:
- Healthcare: Organizations handling health data must comply with both state privacy laws and HIPAA, which imposes stringent requirements on how protected health information (PHI) is collected, stored, and shared.
- Financial services: Under the Gramm-Leach-Bliley Act (GLBA), financial institutions must provide clear disclosures and safeguard sensitive consumer financial data. GLBA coverage may exempt them from some state privacy laws, but they must still meet strict federal requirements.
- AdTech and data brokers: States like California and Vermont impose additional restrictions on data brokers, requiring registration and transparency in data sales.
Ensuring compliance in these sectors requires businesses to harmonize state privacy laws with existing federal mandates, often necessitating layered compliance strategies.
1. Standardize where possible, differentiate where needed
- Implement a baseline compliance framework that meets the highest common denominator across all states.
- Where laws diverge (e.g., Maryland’s strict data minimization rule), tailor compliance approaches accordingly.
2. Future-proof your compliance program
- Monitor ongoing rulemaking and legislative amendments—laws evolve quickly.
- Keep an eye on enforcement trends—California and Texas have aggressively pursued privacy violations.
- Prepare for new biometric, AI, and children’s privacy laws emerging as key regulatory priorities.
3. Automate and streamline consumer rights requests
With the rise of automated third-party bots submitting mass deletion requests, businesses should leverage identity verification tools and web-based request intake systems to reduce fraud risks.
4. Prioritize privacy by design
- Integrate Privacy Impact Assessments (PIAs) into product development cycles.
- Adopt data minimization techniques and default privacy settings to ensure compliance from the ground up.
Compliance as a strategic business imperative
Yes, the U.S. consumer privacy landscape is complex, but businesses that proactively adapt can turn compliance into a competitive advantage. By investing in robust privacy management frameworks, automation, and privacy-first product design, organizations can build consumer trust while staying ahead of regulatory changes.
With new laws on the horizon and enforcement ramping up, now is the time for businesses to solidify their privacy strategies. Because in 2025, managing compliance isn’t just about avoiding fines—it’s about future-proofing your business in a privacy-first world.