2025 Mid-Year Review: US State Privacy Law Updates (Part 2)

State privacy lawmaking in the United States accelerated in the first half of 2025 and shows no sign of slowing. In the continued absence of a comprehensive federal statute, states are advancing their own approaches to govern the collection and use of consumer personal data. The result is a growing patchwork of requirements that vary in scope, enforcement, and legal standard.

This Legal Update highlights three of this year’s most prominent legislative trends, including: (1) new and expanded protections for children’s privacy; (2) emerging state regulation of artificial intelligence and automated decision-making; and (3) the continued spread and refinement of comprehensive state privacy laws.

Children’s Privacy Laws and Online Safety

Protecting minors online has become a bipartisan priority in many states, producing a surge in child-focused privacy legislation. These efforts generally take one of two forms: “age-appropriate design” rules that impose privacy-by-design obligations on online services likely to be used by and/or attract minors; and age verification or parental consent legislation that restrict minors’ access to certain online platforms or features.

Age-Appropriate Design Code Laws

A growing number of states have introduced legislation modeled after California’s Age-Appropriate Design Code Act (AADC). These statutes generally require digital services likely to be accessed by users under 18 to proactively consider children’s privacy and well-being in their design, including by adopting privacy-protective defaults, performing risk assessments, limiting unnecessary data collection, and curbing product features that encourage addictive use.

Although California’s AADC has faced a temporary injunction on First Amendment grounds and is on appeal, several other states—Connecticut, Maryland (also facing a legal challenge), Nebraska, and Vermont—have passed similar legislation. Some of these “AADC” laws, such as Nebraska’s statute, emphasize protective product design, rather than content censorship, while others, including Vermont’s law, require age assurance measures so that online services can identify minors and tailor protections accordingly. Lawmakers in Minnesota, New Mexico, and New York have also explored comparable “AADC” bills to strengthen kids’ privacy online in their respective states.

Companies offering online services should anticipate that child-centric privacy-by-design requirements will become more common across jurisdictions.

Age Verification and Parental Consent Laws

A parallel trend places parents in the role of gatekeeper for minors’ online activity. At least nine states—Arkansas, California, Texas, Florida, Georgia, Louisiana, Mississippi, Tennessee, and Utah—recently enacted laws restricting minors from using certain social media platforms or features (though four—Arkansas, Florida, Georgia, and Utah—have been at least partially or temporarily blocked by courts on First Amendment grounds). These laws require verified parental permission before a minor can create an account or interact on major social media services. They also typically mandate robust age-verification processes to enforce these restrictions.

Some states are more interventionist. Utah’s law adds nightly curfews on teen social media use and a private right of action allowing parents or minors to sue social media companies for harms tied to “addictive” features. Florida’s law bars tech companies from profiling or serving personalized content to minors where it poses a substantial privacy risk to children. Florida’s law also includes aggressive enforcement measures, including civil fines up to $50,000 per violation, which may be tripled if a company has actual knowledge that a user was under 18.

Expanding the Definition of “Child”

Many of these emerging laws expand the protected age cohort beyond the Children’s Online Privacy Protection Act’s (COPPA) under-13 rule, defining a “child” or “minor” as any individual under 16, and in some statutes, under 18. As a result, companies that historically calibrated their programs to COPPA’s under-13 threshold must now reassess their age screening and parental consent processes when designing data practices, user experiences, and safety controls.

A common trigger for obligations under these laws is whether a business knows or willfully disregards that a user is a minor. To reduce claims of ignorance by companies providing services to minors, states are taking innovative approaches like incorporating “age signal” requirements into the statutes. Laws in Louisiana, Utah, and Texas, for example, now obligate app stores to estimate or disclose the age range of users downloading apps, thereby putting app publishers on notice, requiring them to adjust content and data practices for those younger users and even revisit COPPA obligations.

Key Takeaways for Businesses

For businesses, the rise of children’s privacy laws means it may be time to build in child-centric data protections. Companies providing online services, social media, or apps that may be used by minors may want to implement age screening mechanisms and parental consent workflows now, rather than waiting for a specific state mandate. For example, design teams may want to review features like endless scroll, autoplay, notifications, and similar features that have been the focus of recent scrutiny. Privacy teams may also need to conduct impact assessments for any product or service likely to attract users under 18, documenting how they mitigate risks to children as required by California’s and other design code laws.

Additionally, businesses should keep abreast of the outcome of legal challenges to these laws but should not assume that these laws will disappear. The overall regulatory direction is toward greater protection for children’s data. By prioritizing kids’ privacy and safety by design now, organizations not only reduce compliance risk but also demonstrate corporate responsibility related to an issue on which regulators and the public are intensely focused.

Stay tuned for our upcoming Legal Update, “Little Users, Big Rules: Tracking 2025’s Children’s Privacy Legislation,” which will provide an in-depth look at this year’s introduced bills, pending legislation, and enacted statutes regulating child-focused services and platforms.

Artificial Intelligence and Privacy

Artificial Intelligence governance is increasingly a state-level priority. In lieu of a single federal framework, states are experimenting with complementary regulatory approaches that combine sector-specific AI rules and AI-specific provisions embedded in privacy statutes.

State AI Governance Laws

Colorado broke ground in 2024 by passing the first comprehensive state AI law, which goes into effect June 30, 2026. In 2025, several other states considered similar frameworks with mixed results. Virginia’s legislature passed a similar AI bill that was ultimately vetoed by the governor, and Connecticut’s broader proposals stalled after passing the state senate.

Nonetheless, there are a few states that have succeeded in their efforts. For example, Texas recently enacted the Texas Responsible AI Governance Act, effective January 1, 2026. This law takes a cross-sector approach, prohibiting certain AI use cases (for example, systems that encourage self-harm, criminal activity, or unlawful discrimination), and requiring companies to maintain internal AI risk governance documentation available to the Texas Attorney General on request. These divergent outcomes reflect both strong interest in regulating issues related to AI and difficulty achieving consensus on the appropriate regulatory balance.

We can likely expect reintroduced bills in these and other states as policymakers refine their approach. State legislatures introduced dozens of AI-related bills in 2025, and interest remains at an all-time high going into 2026 as AI becomes even more intertwined in business. The push-and-pull between innovation and regulation has also caught Congress’s attention. The effort to include a moratorium on State AI laws in the recently passed One Big Beautiful Big Act, though ultimately unsuccessful, demonstrated the contentious debate over whether states should be permitted to press forward with AI rules.

AI Provisions Embedded in State Privacy Laws

In addition to standalone AI bills, state privacy laws themselves increasingly incorporate AI-related obligations, such as rights to opt out of profiling or automated decision-making, disclosure requirements for AI-driven processing, and mandated risk assessments for high-risk use cases.

For example, Minnesota’s law grants consumers the right to question and receive an explanation for consequential decisions made by automated profiling algorithms. Connecticut updated its comprehensive privacy law to require risk assessments for processing in certain instances, including where processing children’s data, other “sensitive data” (as defined under the law), or for the purposes of profiling, where such profiling presents a reasonably foreseeable risk. Finally, California’s amended regulations will require businesses, as of January 1, 2027, to assess and mitigate risks of AI systems and give consumers notice and choices regarding AI-driven decisions. Collectively, these measures create layered obligations for organizations that deploy AI using personal data.

Key Takeaways for Business

Given these developments, companies leveraging AI may want to take a privacy-by-design approach and adopt robust data governance practices, including mapping what personal data feeds models and evaluating models for privacy, fairness, and safety risks. Where state laws require disclosures or opt-outs for AI use, those capabilities should be integrated into user interfaces and workflows. Firms training AI on user data may want to confirm lawful data collection and applicable consents. Staying engaged with state policy developments and cross-jurisdictional standards is essential, as voluntary ethical frameworks increasingly inform—and sometimes become—the basis for binding rules.

Comprehensive State Privacy Laws

Beyond children’s privacy legislation and AI governance, the broader trend remains the steady expansion and refinement of state comprehensive privacy frameworks. Although no new states have enacted wholly new comprehensive privacy laws this year, numerous legislatures focused on amending and strengthening the existing laws.

Amendments and Effective Dates

In 2025, roughly half of states with existing privacy statutes—including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and Kentucky—approved significant amendments that either expanded coverage to more businesses, refined key definitions, or enhanced regulator authority and enforcement tools.

Meanwhile, several comprehensive laws reached enforceability. In 2025 alone, comprehensive laws became enforceable in Delaware, Iowa, Minnesota, Nebraska, New Hampshire, New Jersey, Tennessee, and Maryland. Additional states with recently enacted laws, including Indiana, Kentucky, and Rhode Island, set effective dates in 2026, creating staggered implementation windows that companies should track carefully.

Federal Landscape

At the federal level, a single uniform privacy law has not been adopted, though House Energy & Commerce Committee Chairman Brett Guthrie has convened a Privacy Working Group that has solicited comment from and met with dozens of stakeholders on a comprehensive framework. These efforts are expected to continue in 2026.

Conclusion

For now, the state-by-state approach prevails, and businesses should expect continued state legislative activity rather than federal preemption. State privacy laws are becoming more detailed and more enforceable.

Businesses should view compliance as an ongoing process, not a destination. Continuous monitoring of legislative developments, regular reassessment of data practices, and clear documentation of privacy risk management is essential. By institutionalizing these habits, organizations can manage the complexity of the state-by-state landscape while positioning themselves to respond quickly as new obligations take shape.