2025 Mid-Year Review: US State Comprehensive Data Privacy Law Updates (Part 1)
Although 2025 has not seen the introduction of comprehensive federal privacy reform, state legislatures have enacted a series of focused amendments that significantly heighten compliance obligations for organizations processing personal data in the United States. In the absence of comprehensive federal privacy legislation, this proliferation of state-specific requirements highlights the importance of developing multi-faceted compliance programs to address the patchwork of requirements across the United States.
Connecticut, Colorado, Oregon, Montana, Virginia, and Kentucky have each expanded the scope of their privacy frameworks. Specifically, these changes include:
- Broadening applicability thresholds;
- Expanding the definition of “sensitive data;”
- Establishing heightened obligations for social media platforms;
- Bringing nonprofit organizations within the scope of privacy laws;
- Removing or narrowing exemptions for certain financial institutions; and
- Enhancing protections for minors, including stricter requirements for parental consent and limitations on targeted advertising.
These developments signal an increasingly complex regulatory environment requiring organizations to closely monitor and adapt to evolving privacy requirements that lack uniformity in the United States. In this Legal Update, we summarize key updates to enacted comprehensive data privacy laws.
In June 2025, Connecticut enacted SB 1295 as part of a broader omnibus bill addressing online safety, consumer protection, and data privacy. Set to take effect July 1, 2026, the law introduces significant privacy reforms alongside broader measures targeting online safety for minors, including mandatory online safety centers, anti-cyberbullying policies, and changes to default settings to prevent unsolicited adult communications.
Key amendments to the Connecticut Data Privacy Act (CTDPA) include:
- Three Applicability Threshold Amendments:
  - The law reduces the minimum threshold for persons who control or process the personal data of Connecticut consumers from 100,000 to 35,000 consumers (excluding personal data processed solely for payment transactions).
  - The bill removes the provision that extends the law’s applicability to persons who control or process the personal data of at least 25,000 Connecticut consumers and derive more than 25% of their revenue from selling that data.
  - The law now applies to persons that control or process sensitive data of Connecticut consumers (excluding personal data processed solely for payment transactions) or offer personal data for sale in trade or commerce, thereby covering certain businesses—regardless of the minimum applicability threshold or revenue from data sales.
- Expanded Definition of Sensitive Data: The law broadens the definition of “sensitive data” to include information related to mental or physical disability or treatment, nonbinary or transgender status, and data collected from individuals the controller has “actual knowledge” of, or “willfully disregards,” is a child. It also adds neural data to the definition, making Connecticut—alongside California and Colorado—one of the few states to explicitly regulate this category under comprehensive privacy laws.
- New Limits on Processing and Sale of Sensitive Data: The amendment adds that controllers may not process sensitive data about a consumer unless such processing is “reasonably necessary” for the disclosed purposes. Currently, the law only requires consumer consent. Once the amendment becomes effective in July 2026, it will mandate that businesses meet both conditions. It also prohibits the sale of sensitive data without the consumer’s consent.
- New Protections for Minors: Connecticut’s SB 1295 introduces several significant updates intended to safeguard minors’ data and online experiences. The following reflect select key provisions:
  - Stricter Data Processing and Consent Requirements: Under the current law, controllers offering online services, products, or features may process a minor’s personal data for targeted advertising, data sales, profiling, or to collect precise geolocation data only with the consent of the minor (under 18 years old) or their parent (for children under 13). The amended law eliminates the consent option. Such processing is generally prohibited, regardless of consent.
  - Limited Exceptions Based on Necessity:
    - For targeted advertising, data sales, and profiling, processing may still occur only if it is reasonably necessary to provide the online service. This standard already existed in the current law and remains unchanged.
    - For precise geolocation data, however, the amendment imposes a stricter threshold: businesses may process the data only when it is “strictly necessary,” raising the bar above the current applicable “reasonably necessary” standard.
In general, the current law prohibits controllers from processing the personal data of consumers aged 13 to 15 for targeted advertising or selling the data without these consumers’ consent, regardless of whether the consumer is using an online service, product, or feature. The bill eliminates a minor’s ability to consent to targeted advertising or the sale of their personal data by raising the protected age range from 16 to 18 years old.
- Impact Assessments: The bill expands the definition of “heightened risk of harm to minors” to include the reasonably foreseeable risk of:
  - Any physical violence against minors;
  - Any material harassment of minors on any online service, product, or feature, where such harassment is severe, pervasive, or objectively offensive to a reasonable person; and
  - Any sexual abuse or sexual exploitation of minors.
The bill also specifies that the injury or intrusion recognized under the current law must be material. As a result, the bill requires controllers to conduct additional data protection assessments addressing these expanded risk factors and to implement plans to mitigate or eliminate such risks.
- Restrictions on System Design Features: The amendment also removes the ability for anyone to consent to system design features that significantly increase, sustain, or extend a minor’s use of an online service, product, or feature, except in educational contexts.
- Automated Decision Making: The amendment prohibits controllers offering online services, products, or features to minors from using profiling to support automated decisions that produce legal or similarly significant effects concerning the minor, regardless of whether the decision is fully automated. This marks a shift from current law, which limits the restriction to fully automated decisions only.
- Expanding Child Protection Standard—Willful Disregard: The amendment expands child privacy protections by requiring controllers to apply child-specific standards when they have “actual knowledge” or “willfully disregard” that a consumer is a child. This change broadens the current standard, which is limited to actual knowledge. Under the CTDPA, a child is defined as an individual under 13 years of age, consistent with COPPA.
- Profiling—Consumer Rights and Impact Assessments:
  - Controllers must conduct impact assessments for profiling activities that result in significant legal or consumer-related effects. The amendment requires businesses’ impact assessments to address the purpose of profiling, known or reasonably foreseeable heightened risks of harm, data categories used, performance metrics, transparency measures taken concerning the profiling, and post-deployment monitoring. These requirements will apply to profiling activities beginning August 1, 2026, and are not retroactive.
  - Consumer Rights:
    - Opt-Out Right: Consumers will have the right to opt out of the use of their personal data for profiling if the data was used in furtherance of any automated decision that produced any legal or similarly significant effect. Where feasible, consumers will also have the right to:
      - Question and Review Results: Consumers can question profiling results, understand the reasons behind profiling decisions, and review the data used in the profiling process.
      - Correct Data: Consumers can correct inaccurate profiling data used in housing-related decisions.
      - Request Third-Party Information: Consumers can request a list of third parties to whom their personal data has been sold, subject to certain limitations regarding trade secrets.
- Limits on the Right to Access Sensitive Information: Similar to Montana, Connecticut’s SB 1295 prohibits controllers from disclosing certain sensitive data in response to consumer access requests, but it also requires controllers to inform the consumer, with “sufficient particularity,” if such data has been collected.
- Narrowed Exemptions: While the law retains its exemption for nonprofit organizations, it removes previous exemptions for certain financial institutions. Before, both GLBA-regulated entities and their GLBA-data were exempt from the CTDPA, but now only the data covered by the GLBA is still exempt. This means GLBA-regulated entities must follow the CTDPA for any data not processed in accordance with the GLBA.
On May 23, 2025, Colorado enacted SB 276 into law, introducing significant amendments to the Colorado Privacy Act (CPA). Notable amendments to the CPA include:
- Expanded Definition of Sensitive Data: SB 276 expands the definition of “sensitive data” to include precise geolocation information, now defined as GPS coordinates or similar data that can identify a consumer’s location within a 1,850-foot radius.
  - Exclusions: The bill excludes from this definition the content of communications or personal data generated by or connected to certain systems or equipment used by utilities.
- Enhanced Consent Requirements for Sale of Sensitive Data: The amendments also strengthen the CPA’s consent framework by prohibiting the sale of sensitive data without a consumer’s prior explicit consent. This represents a meaningful change from the previous version of the CPA, which required opt-in consent for processing sensitive data but only offered a right to opt-out of sale.
Building on these recent changes, organizations should prepare for several additional amendments to the CPA, some of which are already in effect and others that will take effect later this year:
- Enhanced Protections for Consumer and Employee Biometric Data:
  - As of July 1, 2025, data controllers collecting information from consumers are required to implement enhanced protections for biometric data by providing clear, reasonably accessible notices before collecting biometric identifiers. These notices must disclose the purpose of collection, the retention period, and whether the data will be shared. The notice may be standalone or incorporated into a broader privacy policy but must be clearly labeled and requires written or electronic, affirmative, informed consent.
  - While the CPA previously provided an exemption for employee data, employers must now obtain affirmative, informed consent from employees—including full-time, part-time, on-call workers, contractors, subcontractors, interns, or fellows—prior to collecting certain biometric data related to their employment. The employer must secure renewed consent if the data is used for a new purpose or involves additional biometric types. Importantly, employers may condition employment on consent to biometric data collection in four limited situations:
    - Permitting access to secure physical locations or electronic systems (excluding consent for tracking employee location or time spent using systems);
    - Recording the start and end of a full workday;
    - Ensuring or improving workspace safety or security; and
    - Monitoring or improving public safety in case of an emergency.
For any other use, employees must provide consent voluntarily, and employers cannot retaliate against those who refuse to provide it.
- Consent to Process Minor’s Data. Starting October 1, 2025, if a business offering online services, products, or features to minors (under 18) knows or willfully disregards that a user is a minor, the business must obtain consent before processing a minor’s personal data. If the minor is under 13, the parent or guardian must provide consent. Such businesses must also conduct data protection assessments for features designed to increase minor engagement and ensure data retention is limited while avoiding manipulative system designs intended to prolong use.
These changes reflect Colorado’s growing emphasis on children’s privacy, algorithmic transparency, and consumer autonomy, and underscore the need for organizations to review and update their privacy practices to remain compliant with the evolving regulatory landscape.
Oregon has notably broadened its privacy framework through two key legislative amendments in 2025:
- House Bill 3875 extends the Oregon Consumer Privacy Act (OCPA) to apply to motor vehicle manufacturers and their affiliates—regardless of whether they meet the standard applicability thresholds (i.e., processing data of 100,000 or more Oregonians, or 25,000 or more consumers with at least 25% of revenue derived from the sale of personal data).
  - Effective Date: HB 3875 will take effect on September 26, 2025.
- House Bill 2008 introduces enhanced privacy protections, particularly for minors and individuals whose precise geolocation data is collected.
  - Enhanced Protections for Minors: Under the amended law, data controllers are prohibited from processing the personal data of individuals under 16 for targeted advertising, the sale of personal data, or profiling whenever the controller has actual knowledge of the individual’s age or willfully disregards it. Notably, the amendment removes the prior exception that allowed these activities with the minor’s consent, thereby imposing a strict prohibition regardless of consent for consumers under 16.
  - Ban on Sale of Identifiable Precise Geolocation: The law also bans the sale of precise geolocation data that can identify a consumer’s or device’s location within a 1,750-foot radius, with a narrow exception. The content of communications or personal data generated by or connected to use by a utility is exempt from the sales prohibition.
  - Effective Date: HB 2008 will take effect on January 1, 2026.
- Nonprofits. Nonprofit organizations should also be aware of a major shift that took effect on July 1, 2025: OCPA now applies to nonprofits. Unlike many other comprehensive state privacy laws, Oregon’s law—with limited exceptions—no longer provides a blanket exemption for all nonprofit organizations, marking a significant expansion in compliance obligations.
Montana has also significantly expanded its consumer privacy protections with the enactment of SB 297, signed into law on May 8, 2025. The amendments take effect on October 1, 2025.
Key amendments to the Montana Consumer Data Privacy Act (MCDPA) include:
- Lowered Applicability Thresholds: The amendments lower the applicability thresholds of the MCDPA to include businesses that control or process the personal data of at least 25,000 consumers (previously 50,000), or 15,000 consumers (previously 25,000) if 25% or more of gross revenue is derived from the sale of personal data. As a result, Montana now has one of the broadest scopes of applicability among state privacy laws, extending coverage to a wider array of businesses.
- Removal of Cure Period: SB 297 eliminates the MCDPA’s 60-day cure period for alleged violations, which was originally set to expire April 1, 2026. Beginning October 1, 2025, the Attorney General may:
  - Initiate enforcement actions without first providing an opportunity to cure;
  - Exercise enforcement powers under Montana’s Consumer Protection Act and Unfair Trade Practices statutes; and
  - Request that a controller disclose any data protection assessments relevant to an investigation.
- Narrowed Exemptions for Financial and Nonprofit Entities: SB 297 also narrows available exemptions, particularly for financial institutions. The previous entity-level exemption for institutions governed by the Gramm-Leach-Bliley Act (GLBA) has been replaced with a data-level exemption. Now, only data processed in accordance with GLBA is exempt, rather than the entire entity.
- Enhanced Transparency and Opt-Out Requirements: The amendments impose new obligations for controllers to strengthen consumer rights and improve transparency around data practices. As a result, controllers must:
  - Provide a separate, clear, and conspicuous opt-out mechanism for the sale of personal data and targeted advertising, accessible through the privacy notice.
  - Make privacy notices available in all languages used to offer products or services, and ensure they are accessible to individuals with disabilities.
  - Notify affected consumers of any material changes to the privacy notice or practices and give them a reasonable opportunity to withdraw consent to any materially different collection, processing, or transfer of previously collected personal data.
  - Post privacy notices online through a conspicuous hyperlink labeled “Privacy” on the homepage of a controller’s website. For mobile applications, include a similar link in the app store listing or within the app itself. If no website exists, provide the notice through another regular communication channel, such as by mail.
  - Include the date of the last update and an explanation of rights under the MCDPA.
- New Protections for Minors: SB 297 introduces robust safeguards for minors, imposing heightened obligations on any controller—regardless of the applicability thresholds—that offers online services, products, or features to Montana consumers whom it actually knows, or willfully disregards, to be minors. Key additions and protections introduced by SB 297 include:
  - Definitions: The amendment introduces new definitions aimed at protecting minors. “Minors” are defined as individuals under the age of 18. Similar to Colorado, the amendment also defines “heightened risk of harm,” specifically for minors. This term refers to the processing of a minor’s personal data in a way that presents a reasonably foreseeable risk of:
    - Unfair or deceptive treatment of—or an unlawful disparate impact on—a minor;
    - Financial, physical, or reputational injury;
    - Unauthorized disclosure of personal data resulting from a security breach (pursuant to Montana’s data breach statute); or
    - Physical or other intrusion into a minor’s solitude, seclusion, or private affairs or concerns, where such intrusion would be offensive to a reasonable person.
  - Duty of Care and Processing Restrictions: Controllers who offer online services, products, and features must exercise reasonable care to avoid processing a minor’s personal data in ways that could result in a heightened risk of harm.
  - Consent Requirements for Data Processing: These controllers are also prohibited from processing a minor’s personal data or deploying certain design features without proper consent from the minor or, for children under 13, their parent or guardian. Notably, compliance with the verifiable parental consent provision under the Children’s Online Privacy Protection Act (COPPA) is sufficient to satisfy the MCDPA’s consent obligations for children under 13. Specifically, without proper consent, controllers may not:
    - Process personal data for sale, certain automated profiling, targeted advertising, purposes beyond those originally disclosed, or for longer than is reasonably necessary to provide the online service.
    - Use a system design feature that significantly increases, sustains, or extends a minor’s use of the online service, product, or feature.
    - Collect precise geolocation data from minors, except:
      - When the collection is reasonably necessary for the controller to provide the online service, product, or feature, or retained only for the time necessary to provide that service, product, or feature; and
      - When there is clear, continuous notification during collection of the precise geolocation data (with a limited exception for services or applications used by ski-area operators).
    - Implement consent mechanisms that undermine user autonomy.
  - Direct Messaging Safeguards: Controllers are prohibited from offering direct messaging features to minors unless safeguards are in place to prevent adults from sending unsolicited messages to minors with whom they have no connection.
    - This requirement does not apply where the primary function of the service is for email or private messaging (e.g., text, photos, or videos shared directly between users). Platforms used under the direction of an educational entity are also exempt.
  - Rebuttable Presumption and Safe Harbor: The amendment further clarifies that the MCDPA does not require controllers or processors to use age-verification tools. However, it establishes a safe harbor from liability for inaccurate age estimation when controllers use commercially reasonable age verification tools.
  - Processor Responsibilities: Processors must follow the controller’s instructions and assist the controller in fulfilling their duty of care toward minors, including by supporting data protection assessments. A processor that independently determines the purposes or means of processing—or fails to follow the controller’s instructions—will be treated as a controller and may be subject to enforcement actions by the Attorney General.
  - Data Protection Assessments: Currently, the MCDPA requires controllers to conduct data protection assessments for any processing activity that presents a heightened risk of harm to consumers. SB 297 extends that obligation to controllers offering online services, products, or features to minors. If a controller actually knows, or willfully disregards, that a user is a minor and a heightened risk of harm is reasonably foreseeable, it must conduct a data protection assessment addressing:
    - The purpose of the service, product, or feature;
    - The categories and processing purposes of the minor’s personal data processed; and
    - The nature of any foreseeable heightened risk to minors resulting from the online service.
Controllers must also:
- Review and update assessments as needed after making any material changes to processing activities for the online service covered by the assessment.
- Retain assessment documentation for at least three years after processing ends or the service is discontinued, whichever is longer.
- Implement a mitigation plan if the controller identifies heightened risks to minors.
These requirements supplement, rather than replace, existing data protection assessment obligations, and require controllers to specifically address risks unique to minors.
On May 3, 2025, Virginia enacted several targeted amendments to the Virginia Consumer Data Protection Act (VCDPA). These amendments impose heightened obligations on businesses handling sensitive personal information, particularly data related to minors’ online activity.
- Expanded Obligations for Social Media Platforms: SB 854. Under SB 854, social media platforms, including both controllers and processors, especially those processing the personal data of users under 16 years of age (minors), must now comply with several significant requirements:
  - Mandatory Age Verification and Parental Controls: Platforms are required to implement commercially reasonable age verification protocols, such as neutral age screening mechanisms, to identify users’ ages. Platforms must also offer robust parental controls to manage and monitor minors’ usage.
  - Usage Limits for Minors: A minor’s use of a social media platform is limited to one hour per day per platform unless a parent provides verifiable consent to adjust the time limit.
  - Purpose Limitation for Age-Determination Data: The law also mandates that data collected for age verification be used solely to determine age and provide age-appropriate experiences.
  - Exclusions from Social Media Platform Definition: The amendment’s requirements do not apply to internet-based services or applications that primarily deliver email, messaging, news, entertainment, ecommerce, or gaming, provided that any social features—such as chats or comments—are only incidental or secondary to the main function, and the content is selected by the provider rather than generated by users.
  - The amended law is set to take effect on January 1, 2026.
These requirements significantly increase compliance complexity for social media companies, which may need to review—and in some cases, reengineer—onboarding flows, consent mechanisms, and backend systems to meet the law’s technical and operational standards.
- Heightened Protections for Reproductive Health Information and Private Right of Action: SB 754. Effective as of July 1, 2025, SB 754 broadly prohibits “suppliers” of any size from disclosing, selling, or disseminating personally identifiable reproductive or sexual health information (RHSI) of Virginia residents without their consent. The law introduces a private right of action, allowing individuals to recover the greater of actual damages or $500 per violation, increasing up to the greater of three times actual damages or $1,000 per willful violation. Organizations should pay close attention, as the law’s broad applicability and private right of action create heightened compliance and litigation risks for any entity processing RHSI in Virginia.
Together, these amendments signal Virginia’s growing emphasis on safeguarding sensitive personal data—particularly children’s and reproductive health data—by imposing stricter compliance demands across a broad range of businesses.
In contrast to the Oregon and Montana amendments, Kentucky further narrowed its law’s applicability with respect to certain health data and updated its data protection impact assessment (DPIA) requirements through HB 473, which amends the Kentucky Consumer Data Protection Act (KCDPA). Signed into law on March 15, 2025, the amendments introduce key updates:
- New Exemptions for HIPAA-Related Information: HB 473 provides that KCDPA does not apply to (1) information collected by HIPAA-covered health care providers, provided it is maintained in accordance with HIPAA regulations, and (2) data included in HIPAA-defined limited data sets, as described in 45 C.F.R. § 164.514(e). This exemption ensures that entities already subject to federal health privacy standards are not burdened with overlapping state requirements.
- Narrowed DPIA Requirement for Profiling: HB 473 narrows the scope of profiling activities that automatically trigger a DPIA. Previously, Kentucky’s law required a DPIA whenever profiling posed a reasonably foreseeable risk of any disparate impact—whether or not such impact rose to the level of a legal violation; the amended language now confines the obligation to situations in which the disparate impact would also be unlawful. This change means that businesses will need to consider whether a contemplated disparate outcome is likely to be deemed unlawful under relevant federal, state, or sector-specific provisions. While this change may reduce the number of processing activities formally subject to DPIAs, it simultaneously raises the bar on legal due diligence. An incorrect conclusion that a projected disparate impact is lawful could expose a company to both enforcement actions for non-compliance with the DPIA requirement and substantive liability for discriminatory practices.
The amended law is set to take effect on January 1, 2026.
Final Thoughts
Recent 2025 amendments across Connecticut, Oregon, Colorado, Montana, Virginia, and Kentucky further complicate the United States privacy landscape by imposing stringent, state-specific obligations that now envelop entities previously insulated by broad financial-services and nonprofit exemptions. The new statutes markedly expand protections for minors—ranging from outright prohibitions on targeted advertising and geolocation tracking to mandatory parental controls and age-verification protocols—while simultaneously narrowing GLBA and nonprofit carve-outs, thereby sweeping a wider array of organizations into the regulatory fold. Collectively, these measures intensify the patchwork of state-by-state requirements, underscoring the urgent need for businesses to adopt comprehensive, jurisdiction-aware compliance programs.
Stay tuned for Part 2 to our mid-year data privacy Legal Updates, which will provide insights on emerging legislative trends and practical guidance to help you navigate the evolving privacy landscape.