
On the Ninth Day of Data… State of the States: This Year’s Key Privacy Law Developments Across the U.S. States

By Rachel Varon & Briana Fasone on December 25, 2025

The continued absence of a comprehensive federal privacy law once again positioned state legislatures as the primary forces behind data privacy developments in the U.S. this year. In 2025, eight new comprehensive state privacy laws took effect, adding to a growing patchwork of regulations that now spans 20 states. These laws generally reinforce established standards but introduce some important differences in applicability, exemptions, and sensitive data protections, making multi-state compliance increasingly complex.

States also continued to refine their data breach notification requirements, with notable amendments in New York, California, and Oklahoma aimed at strengthening consumer protections and reporting standards. Meanwhile, the rapid proliferation of state-level AI legislation—alongside a controversial new executive order directing federal agencies to challenge such laws—added a new layer of considerations for businesses leveraging artificial intelligence. With additional privacy laws set to take effect in 2026 and even stricter proposals on the horizon, organizations should remain proactive in adapting to this dynamic and increasingly fragmented regulatory environment.

The State of Consumer Data Privacy Laws

In 2018, California became the first state to enact a comprehensive privacy law, setting a precedent that has since prompted numerous other states to develop and implement their own data privacy legislation. That momentum has continued. As of the end of 2025, 20 states have enacted comprehensive consumer data privacy laws, with eight new statutes taking effect this year alone and several states simultaneously amending existing regimes. Companies should expect the state privacy footprint to continue to grow next year, with new statutes, staggered effective dates, and supplemental obligations from earlier laws becoming operative.

Eight Comprehensive State Privacy Laws Took Effect in 2025

This year, eight states—Delaware, Iowa, Maryland, Minnesota, Nebraska, New Jersey, New Hampshire, and Tennessee—enacted comprehensive data privacy laws, further expanding the statutory landscape and underscoring the importance for businesses to monitor and adapt to evolving requirements. While these new laws largely extend established obligations around transparency, consumer rights, and risk assessments, they also introduce some key differences that can complicate multi-state compliance.

Who’s in Scope: Applicability and Exemptions

Most consumer privacy laws that took effect in 2025 are consistent with existing frameworks and apply to organizations that conduct business in the particular state or target its residents, provided those entities meet defined thresholds concerning consumer numbers, revenue, or the sale of personal data. Nebraska stands out by joining Texas in omitting from its privacy law both a minimum consumer count and revenue threshold. Laws in New Jersey and Maryland notably do not provide entity-level exemptions for HIPAA-covered entities or nonprofits. Meanwhile, Delaware’s privacy law, the Delaware Personal Data Privacy Act (DPDA), departs from many states by not providing broad entity-level exemptions for most nonprofits and higher education institutions. (For more information on the DPDA, our previous post covering this law can be found here).

Stakeholders should continue to pay close attention to each state’s definitions of “controller,” “processor,” and “consumer” as well as the applicability of entity-level exemptions, as compliance gaps can emerge for multi-state programs that rely on a one-size-fits-all exemption analysis. 

Consumer Rights and Business Obligations

Across the set of privacy laws that took effect in 2025, consumers are generally afforded a familiar suite of rights, including the right to know, access, correct, delete, and obtain portable copies of personal data, as well as the right to opt out of targeted advertising, sale of personal data, and certain forms of automated profiling. Businesses still must authenticate and respond to consumer requests within response windows and maintain internal appeal mechanisms. 

Sensitive data continues to be a focal point across the board, as most states require express consent for sensitive data processing. The Maryland Online Data Privacy Act (MODPA) is among the strictest state laws in this sense, categorically prohibiting the sale of sensitive personal information and adopting a necessity-based minimization standard. MODPA also expanded youth protections by covering all minors under 18, and applying a strict “knew or should have known” standard to age-based obligations, which is more rigorous than the “actual knowledge” standard used by most states.

Minnesota and Delaware join Oregon in requiring covered businesses to disclose the list of specific third parties to whom a consumer’s personal data have been disclosed in response to an access request. Minnesota also became the first state to codify an affirmative “right to question” when consumers’ personal data is used for profiling in furtherance of decisions with legal or similarly significant effects. Minnesota residents can seek explanations and request re-evaluations, going beyond the typical opt-out rights or narrow appeal processes offered by most other states.

In contrast to more consumer-focused frameworks (a trend Massachusetts will likely follow, as detailed further below), Iowa takes a more business-friendly approach in several respects. Iowa’s Consumer Data Privacy Act (ICDPA) allows sensitive data processing based on pre-use notice with an opt-out rather than opt-in consent (as required by most states). Iowa also joins only Utah in not mandating data protection assessments and omits opt-out rights for targeted advertising and profiling.

With the notable exception of the ICDPA, opt-out requirements for targeted advertising in other state regimes continue to expand and data protection assessments are widely mandated for higher-risk processing, including sensitive data processing, and targeting and profiling activities. Stakeholders should take care to validate their practices to align with applicable state-specific requirements.

Enforcement

As expected, enforcement authority under new consumer privacy laws is vested in state attorneys general, who are responsible for investigating and prosecuting violations. Unlike the amended California Consumer Privacy Act, no newly enacted state law establishes a private right of action for individuals to sue over general violations. Most states provide businesses with a cure period—typically 30 days, though some allow up to 60 days—to address and rectify alleged violations before formal enforcement actions are initiated.

Amendments to Existing Comprehensive State Privacy Laws

In 2025, states with established data privacy frameworks continued to refine and update their laws. Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, and Kentucky each enacted new amendments to their comprehensive privacy statutes, reflecting state legislatures’ ongoing commitment to adapting their regulatory approaches in response to evolving privacy concerns and technological developments. The amendments enacted this year reflect two trends: heightened emphasis on strengthening protections for minors’ personal data, and an expansion of the scope of existing laws to encompass a broader array of entities and data processing activities.

Enhanced Protection for Minors

Limitations on the collection and processing of minors’ data have been broadly adopted, with states establishing varying standards for when such data may be processed. Depending on the jurisdiction and the type of data involved, some states permit processing of minors’ data only when it is “reasonably necessary,” while others require that processing be “strictly necessary.” Additionally, several states, including Virginia and Connecticut, imposed more rigorous requirements on social media platforms and website operators aimed at protecting youth mental health. Montana and Colorado joined Connecticut in creating a statutory duty of reasonable care for companies offering online services to minors to avoid a “heightened risk of harm.”

Expanded Applicability

This year, several states—including Montana and Connecticut—lowered the thresholds for coverage under their privacy laws, thereby bringing more organizations within the scope of regulation. Montana and Connecticut further extended applicability by eliminating certain entity-level exemptions, including those previously granted to financial institutions and nonprofits. These changes reflect a trend toward broader applicability and reduced carve-outs in state privacy frameworks.

The reach of state privacy regimes has also expanded through the adoption of broader definitions of “sensitive data.” For example, amendments to state laws expanded the definition of “sensitive data” to include, depending on the jurisdiction: disability status, gender identification, neural data, precise geolocation data, consumer financial account numbers and login information, as well as government-issued identification numbers.

Three More Privacy Laws Take Effect in 2026

Three additional comprehensive state laws will take effect on January 1, 2026: Indiana’s Consumer Data Protection Act (ICDPA), Kentucky’s Consumer Data Protection Act (KCDPA), and Rhode Island’s Data Transparency and Privacy Protection Act (RIDTPPA).

  • Indiana: The ICDPA takes a business-friendly approach, providing a permanent right to cure for 30 days, as well as higher applicability thresholds and a narrower definition of sensitive data than most other state laws.
  • Rhode Island: The RIDTPPA stands out by omitting a cure period entirely, treating violations as deceptive trade practices, and requiring businesses that sell personal data to disclose the identity of all third parties to whom they sell, even absent a consumer request. Rhode Island has also imposed a standalone website notice obligation on commercial websites and internet service providers even below the law’s general thresholds.
  • Kentucky: The KCDPA, on the other hand, takes a more business-friendly approach by not requiring businesses to allow consumers to opt out of targeted advertising via universal opt-out mechanisms, unlike many other states.

On the Horizon: The Massachusetts Data Privacy Act

In September, the long-anticipated Massachusetts Data Privacy Act (MDPA) advanced through the state senate and, if enacted, will place the Commonwealth among the states with the strictest data privacy laws and regulatory requirements in the nation. The MDPA would impose sweeping obligations on businesses handling personal data of Massachusetts residents, including rigorous data minimization requirements and expanded protections for sensitive information. The MDPA’s

robust consumer notice requirements for data processing with material implications for corporate transactions. The MDPA must pass through the Massachusetts House of Representatives and be voted on by Governor Healey before it can be enacted.

The State of Data Breach Notification Laws

In 2025, New York, California, and Oklahoma passed important amendments to state data breach notification laws as cybersecurity remains a key concern for state regulators.

  • New York enacted two bills (A8872A and S2376B) that amended the state’s Data Breach Notification Law, creating new notification requirements for data breaches affecting New York residents. Specifically, businesses must now disclose data breaches to New York residents within thirty days of discovering the breach, as well as notify the New York Department of Financial Services (NYDFS). Additionally, the amendments expanded the definition of “private information” to include medical and health insurance information. (Click here to read the full Ropes & Gray client alert).
  • California signed SB 446 (effective Jan. 1, 2026), adding a 30-day deadline to notify California residents of a data breach, and further requiring notice to the Attorney General within 15 days if more than 500 residents require notification.
  • Oklahoma signed SB 626 (effective Jan. 1, 2026), broadening the definition of “personal information” to include biometric data, requiring notice to the Attorney General when more than 500 residents require notification of a data breach, and expanding safe harbors for entities compliant with specified frameworks.

The State of AI Regulation

All 50 states and territories introduced AI-related legislation in their 2025 sessions, with 38 states enacting around 100 measures covering topics from deepfakes to algorithmic bias, though many are studies or focused on government use, leading to a complex state-by-state landscape.

For example, California passed a law requiring the largest AI models to test for safety and disclose the results. South Dakota banned the use of realistic AI-generated videos in political advertising. Many states passed laws creating restrictions on data collection, and a growing number of states have passed child-safety regulations and mental health safety regulations.

But the rapidly evolving state-AI landscape was shaken earlier this month when President Trump signed Executive Order 14179 (discussed at length in a recent Ropes & Gray client alert) that directs federal agencies to challenge state laws regulating AI, with the goals of establishing a “minimally burdensome national standard” for AI and preempting conflicting state regulations. While the legality of the Executive Order remains uncertain, it demonstrates a robust federal initiative to override state-level regulation and establish a unified national framework for AI regulation. Stakeholders should closely monitor ongoing developments and be prepared to adjust compliance strategies as the regulatory landscape continues to evolve.

Though the stated purpose of the executive order is to preempt conflicting state laws, it remains unlikely that this will hold weight in state courts. In the absence of congressional regulation, states are likely to dispute federal preemption lawsuits, arguing Congress did not intend to prevent states from regulating this space. For now, virtually all state AI laws in effect today are likely on solid legal ground. Accordingly, stakeholders should continue complying with applicable state AI laws but remain vigilant for forthcoming federal rulemaking as the federal-state battle over AI regulation rages on into 2026.

See the full Ropes & Gray post on Executive Order 14179 for more information on this recent development.

Looking Ahead: How to Stay Compliant in the New Year

To navigate the evolving patchwork of state privacy laws and maintain compliance in 2026, organizations should review and update privacy notices, consumer rights workflows—including authentication, appeals, and opt-out mechanisms—and protocols for handling sensitive data. Proactive adjustments in these areas will help ensure alignment with both new and amended state requirements. At the same time, privacy and security functions should align incident response protocols with evolving state breach standards, run regular tabletop exercises, and coordinate with governance teams to ensure responsible oversight of AI systems. Finally, leadership should establish clear lines of accountability, implement updated training programs, and maintain ongoing horizon scanning to ensure that program updates are proactive, repeatable, and visible to the board—rather than reactive to each new statute or amendment.

Ropes & Gray will continue to monitor state-level privacy developments closely. Subscribe to receive alerts about our latest updates and insights.

  • Posted in:
    Privacy & Data Security
  • Blog:
    RopesDataPhiles
  • Organization:
    Ropes & Gray