
The Current State of U.S. Consumer Privacy Laws: An Early 2025 Update

Navigating the patchwork: The rapid evolution of State privacy laws

Remember when consumer privacy laws in the U.S. were mostly synonymous with the California Consumer Privacy Act (CCPA)? Those days are long gone. In 2025, the patchwork of state privacy laws has expanded dramatically, with 20 states enacting comprehensive privacy regulations, some amending current laws, and more on the way. For privacy professionals, staying ahead of these changes is crucial to mitigating risks, maintaining consumer trust, and avoiding costly penalties.

This article comprehensively reviews each state’s privacy regulations, explores their similarities and differences, and offers practical insights to help businesses maintain compliance and future-proof their operations in 2025 and beyond.

A State-by-State breakdown: What’s in effect, what’s coming

As of 2025, the following states have enacted privacy laws:

Laws already in effect:

For a comprehensive look at the new data privacy laws taking effect in 2025, check out Preparing for 2025: A Dive into New U.S. Data Privacy Laws.

Looking ahead to 2026:

With this ever-expanding landscape, businesses must develop adaptive compliance strategies to address varying requirements across jurisdictions.

The common threads: Key similarities across state privacy laws

Despite the diversity in these laws, most state privacy acts share common principles, making it possible to create a unified compliance strategy. These include:

  • Threshold-based applicability: Most laws apply to businesses that process data for a minimum number of consumers or derive revenue from data sales.
  • Core consumer rights: Access, correction, deletion, data portability, and opt-out rights are standard across most states.
  • Privacy notice requirements: Transparency mandates include detailed disclosure of data practices, processing purposes, and consumer rights.
  • Opt-out and consent mechanisms: Many laws mandate opt-out mechanisms for targeted advertising and the sale of personal data, with some requiring explicit opt-in consent for sensitive data processing.
  • Privacy Impact Assessments (PIAs): Several states, including Colorado and Virginia, require risk assessments for high-risk processing, such as biometric data collection and profiling.
  • Vendor management and contractual requirements: Organizations must ensure data processors adhere to strict contractual obligations concerning data handling.
  • Limitations on data retention and secondary use: Data minimization principles restrict how long organizations can retain consumer data and limit its use beyond disclosed purposes.

The differences: Where States deviate from the norm

While a broad compliance framework can cover most state laws, key differences require additional attention. Some of the most significant variations include:

1. Consumer rights and their scope

  • Right to correct data: Not included in Iowa.
  • Third-party data sales lists: Required in Oregon, Delaware, Tennessee, and Connecticut.
  • Right to contest automated decision making: Minnesota introduces this new right, requiring businesses to explain profiling results and allow consumers to contest them. This right is also included in the 2025 amendments to the CCPA Regulations and in the amendments to the Connecticut Data Privacy Act (CTDPA). The CCPA Regulations also include the right to access information about, and to appeal, significant decisions.
  • Opt-out rights in mergers and acquisitions: California mandates that consumers’ previous opt-out choices must be honored post-merger.

2. Data minimization standards: Maryland’s groundbreaking approach

Maryland’s Online Data Privacy Act (MODPA) goes beyond traditional notice-and-consent models by imposing a “strictly necessary” standard for data collection and use. This means businesses may process sensitive data only when doing so is strictly necessary to provide a service the consumer has requested, which raises significant compliance challenges.

3. Privacy notices and retention policies

  • Minnesota uniquely requires businesses to include data retention policies in privacy notices.
  • Maryland requires businesses to provide a third-party notice if they use or share data in ways inconsistent with original disclosures.
  • Rhode Island mandates additional privacy notices for commercial websites and internet service providers.

4. Opt-out signal recognition

Most states require organizations to recognize opt-out signals: preference signals, sent to an organization by a platform, technology, or mechanism with the consumer’s consent, that allow users to opt out of the sale of their personal information, targeted advertising, and profiling. Preference signals were first required by California and have since been added to the privacy laws of several other states, with the exceptions of Virginia, Utah, Iowa, Indiana, Kentucky, Tennessee, and Rhode Island.

California is the only state that explicitly requires organizations to recognize the Global Privacy Control (GPC) signal, while in Colorado the Attorney General designated GPC as an acceptable universal opt-out mechanism (UUOM). Other states refer to the opt-out signal in general terms such as “opt-out mechanisms” or “signals.” Additionally, California is the only state that requires organizations to confirm to consumers that their opt-out request has been honored, through a conspicuous sign on their website or similar means.
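To make the recognition requirement concrete, the following is an added example (not code from the article or from any regulator): a framework-free Node.js snippet that detects the GPC signal on an incoming request, records the resulting opt-outs in a per-consumer preference record, and produces the kind of on-site confirmation notice California calls for. GPC is transmitted by the browser as the HTTP request header `Sec-GPC: 1` (and exposed to page scripts as `navigator.globalPrivacyControl`). The header object, the shape of the preference record, the purpose names, and the sample request are all assumptions constructed for the example.

```javascript
// Added example, not from the article: server-side handling of the Global Privacy
// Control (GPC) opt-out preference signal. The browser sends "Sec-GPC: 1" as a request
// header. Assumed/constructed: a plain object of lowercased request headers and a
// per-consumer preference record of our own (hypothetical) shape.

const OPT_OUT_PURPOSES = ["sale", "sharing", "targeted_advertising"];

// True only for the exact value the GPC spec defines ("1"). Any other value, and the
// header being absent, mean "no signal", which is never treated as consent.
function gpcAsserted(headers) {
  const raw = headers["sec-gpc"];
  if (raw === undefined) return false;
  const value = Array.isArray(raw) ? raw[0] : String(raw);
  return value.trim() === "1";
}

// Apply the signal to a consumer's preference record. The signal can only add
// opt-outs: it never clears a choice the consumer already made through another channel,
// and each opt-out is stored with its source and timestamp so the decision is auditable.
function applyOptOutSignal(record, headers, now = new Date()) {
  if (!gpcAsserted(headers)) return record;
  const optOuts = { ...record.optOuts };
  for (const purpose of OPT_OUT_PURPOSES) {
    if (!optOuts[purpose] || !optOuts[purpose].optedOut) {
      optOuts[purpose] = { optedOut: true, source: "gpc", at: now.toISOString() };
    }
  }
  return { ...record, optOuts, gpcSeen: true };
}

// Builds the status text for a conspicuous on-site notice telling the consumer whether
// an opt-out preference (including one received via GPC) is being honored.
function optOutStatusNotice(record) {
  const honored = OPT_OUT_PURPOSES.filter(p => record.optOuts[p] && record.optOuts[p].optedOut);
  if (honored.length === 0) return "No opt-out preference is on file for this browser.";
  const viaGpc = honored.every(p => record.optOuts[p].source === "gpc");
  return `Opt-out preference ${viaGpc ? "signal (GPC) " : ""}honored for: ${honored.join(", ")}.`;
}

// Gate the ad/analytics layer should consult before loading a tag for a given purpose.
function mayProcessFor(record, purpose) {
  return !(record.optOuts[purpose] && record.optOuts[purpose].optedOut);
}

// Constructed sample: a request carrying GPC from a consumer with no prior choices.
const sampleHeaders = { host: "example.test", "sec-gpc": "1", "user-agent": "ExampleBrowser/1.0" };
const freshRecord = { consumerId: "c-0001", optOuts: {}, gpcSeen: false };
const updated = applyOptOutSignal(freshRecord, sampleHeaders, new Date("2025-01-15T00:00:00Z"));

console.log(optOutStatusNotice(updated));
console.log("may load targeted ads:", mayProcessFor(updated, "targeted_advertising"));
```

The two design choices worth noting are that an unrecognized header value is treated as "no signal" rather than as permission, and that a GPC signal is merged into, never substituted for, opt-outs the consumer recorded elsewhere; the latter is what lets the same record drive both the ad-loading gate and the confirmation notice without losing the audit trail of where each choice came from.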

Finally, California signed into law the California Opt Me Out Act, adding a new section to the CCPA. This law requires businesses that develop or maintain a browser to establish a function that enables consumers to send them an opt-out preference signal via the browser, which must be easily located and configurable, and clearly notify in a public disclosure how the opt-out preference signal functions and its intended effects. This requirement comes into effect in 2027.

5. Special protections for sensitive data

Children’s data

Maryland prohibits the sale of children’s data, while Colorado and Virginia require Data Protection Assessments (DPA) for minor-related processing. Colorado, Virginia, Connecticut, and Montana include prescriptive requirements for the processing of children’s data when offering an online service, product, or feature.

Health data

Maryland and Connecticut have introduced geofencing restrictions to prevent tracking individuals near sensitive locations like reproductive health clinics.

Biometric data

Colorado and Illinois impose stricter rules for biometric data collection, including explicit consent requirements.

Neural Data

Colorado is the only state that includes biological data, including neural data, in its definition of sensitive data when it is intended for identification purposes. California’s sensitive data definition covers neural data more broadly, without limiting it to its intended purpose. Connecticut likewise includes neural data in its definition of sensitive data without limitation to its intended purpose.

Regulatory crackdowns: Key enforcement actions and lessons learned

Recent enforcement actions provide insight into how regulators interpret and enforce these laws. California’s Attorney General and the California Privacy Protection Agency (CPPA) have been actively pursuing violations related to consumer opt-out rights, dark patterns, and inadequate disclosures. Meanwhile, Texas has focused on sensitive data processed without consent or without any notice, and on the collection of location data, signaling a growing regulatory crackdown beyond just California.

For example, in 2025, four major CCPA enforcement actions sent a clear signal that California’s privacy regulator will hold companies fully accountable for any barriers, technical or procedural, that impede consumers from exercising their statutory rights. Businesses can no longer rely on the mere existence of a consent or opt‑out tool, and they must continuously monitor and test these mechanisms to ensure they function correctly in practice.

Similarly, in Texas, organizations have faced enforcement for failing to provide privacy notices to consumers explaining their right to opt out and the method to cease certain processing, processing sensitive personal information without consent, and failing to notify consumers that their data was being sold.

These enforcement actions underscore that organizations must embed privacy compliance into everyday operations, including:

  • training staff;
  • honoring opt-out signals like Global Privacy Control (GPC) automatically and consistently across all platforms;
  • auditing user interfaces; and
  • maintaining up‑to‑date, compliant contracts with all service providers/vendors.

Robust, user‑centered privacy workflows are not just best practices; they are essential to avoiding disruptive enforcement actions and reputational harm.

Additionally, enforcement authorities from California, Colorado, and Connecticut are actively examining company website tracking and cookie banners as part of their 2025 enforcement initiatives, to investigate potential noncompliance with the GPC, an easy-to-use browser setting or extension that automatically signals to businesses a consumer’s request to stop selling or sharing their personal information with third parties.

Practical strategies for multi-state compliance in 2025

Sector-Specific Privacy Considerations

Specific industries face additional regulatory scrutiny due to sector-specific privacy laws. For example:

  • Healthcare: Organizations handling health data must comply with both state privacy laws and HIPAA, which imposes stringent requirements on how protected health information (PHI) is collected, stored, and shared.
  • Financial services: Under GLBA (Gramm-Leach-Bliley Act), financial institutions must provide clear disclosures and safeguard sensitive consumer financial data, which may exempt them from some state privacy laws but still requires compliance with strict federal requirements.
  • AdTech and data brokers: States like California and Vermont impose additional restrictions on data brokers, requiring registration and transparency in data sales.

Ensuring compliance in these sectors requires businesses to harmonize state privacy laws with existing federal mandates, often necessitating layered compliance strategies.

1. Standardize where possible, differentiate where needed

  • Implement a baseline compliance framework that meets the highest common denominator across all states.
  • Where laws diverge (e.g., Maryland’s strict data minimization rule), tailor compliance approaches accordingly.

2. Future-proof your compliance program

  • Monitor ongoing rulemaking and legislative amendments—laws evolve quickly.
  • Keep an eye on enforcement trends—California and Texas have aggressively pursued privacy violations.
  • Prepare for new biometric, AI, and children’s privacy laws emerging as key regulatory priorities.

3. Automate and streamline consumer rights requests

With the rise of automated third-party bots submitting mass deletion requests, businesses should leverage identity verification tools and web-based request intake systems to reduce fraud risks.

4. Prioritize privacy by design

  • Integrate Privacy Impact Assessments (PIAs) into product development cycles.
  • Adopt data minimization techniques and default privacy settings to ensure compliance from the ground up.

Compliance as a strategic business imperative

Yes, the U.S. consumer privacy landscape is complex, but businesses that proactively adapt can turn compliance into a competitive advantage. By investing in robust privacy management frameworks, automation, and privacy-first product design, organizations can build consumer trust while staying ahead of regulatory changes.

With new laws on the horizon and enforcement ramping up, now is the time for businesses to solidify their privacy strategies. Because in 2025, managing compliance isn’t just about avoiding fines—it’s about future-proofing your business in a privacy-first world.
