septembre 02 2025

2025 Mid-Year Review: US State Comprehensive Data Privacy Law Updates (Part 1)

Share

Although 2025 has not seen the introduction of comprehensive federal privacy reform, state legislatures have enacted a series of focused amendments that significantly heighten compliance obligations for organizations processing personal data in the United States. In the absence of comprehensive federal privacy legislation, this proliferation of state-specific requirements highlights the importance of developing multi-faceted compliance programs to address the patchwork of requirements across the United States.

Connecticut, Colorado, Oregon, Montana, Virginia, and Kentucky have each expanded the scope of their privacy frameworks. Specifically, these changes include:

  • Broadening applicability thresholds;
  • Expanding the definition of “sensitive data;”
  • Establishing heightened obligations for social media platforms;
  • Bringing nonprofit organizations within the scope of privacy laws;
  • Removing or narrowing exemptions for certain financial institutions; and
  • Enhancing protections for minors, including stricter requirements for parental consent and limitations on targeted advertising.

These developments signal an increasingly complex regulatory environment requiring organizations to closely monitor and adapt to evolving privacy requirements that lack uniformity in the United States. In this Legal Update, we summarize key updates to enacted comprehensive data privacy laws.

Final Thoughts

Recent 2025 amendments across Connecticut, Oregon, Colorado, Montana, Virginia, and Kentucky further complicate the United States privacy landscape by imposing stringent, state-specific obligations that now envelop entities previously insulated by broad financial-services and nonprofit exemptions. The new statutes markedly expand protections for minors—ranging from outright prohibitions on targeted advertising and geolocation tracking to mandatory parental controls and age-verification protocols—while simultaneously narrowing GLBA and nonprofit carve-outs, thereby sweeping a wider array of organizations into the regulatory fold. Collectively, these measures intensify the patchwork of state-by-state requirements, underscoring the urgent need for businesses to adopt comprehensive, jurisdiction-aware compliance programs.

Stay tuned for Part 2 to our mid-year data privacy Legal Updates, which will provide insights on emerging legislative trends and practical guidance to help you navigate the evolving privacy landscape.

Compétences et Secteurs liés

Stay Up To Date With Our Insights

See how we use a multidisciplinary, integrated approach to meet our clients' needs.
Subscribe