Just because no state passed a new comprehensive privacy law in 2025 does not mean that there was no data protection legislative activity. Indeed, this is likely one of our longest yearly updates.
Many states that previously passed comprehensive privacy laws decided to update them with innovative requirements found in other states’ privacy laws. States also homed in on targeted privacy laws geared toward children, social media, and data brokers. Additionally, states wrestled with a broader question: did their laws sufficiently address artificial intelligence (AI) or were new laws needed to address specific uses of AI?
Revised Comprehensive Privacy Laws
Covered in this section: Connecticut • Kentucky • Montana • Oregon • Utah • Virginia
Connecticut
As part of a large bill spanning topics from broadband internet access to the lottery to consumer contracts, Connecticut overhauled the Connecticut Data Privacy Act, with revisions going into effect on July 1, 2026. Highlights of the revisions include:
- Revamping the definition of “sensitive data” to include new data points, such as neural data.
- Significantly reducing the threshold for applicability to:
  - 35,000 Connecticut consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction;
  - any processing of Connecticut consumers’ sensitive data, unless that data is solely used to complete a payment transaction; or
  - any offer for sale of Connecticut consumers’ personal data.
- Adding exempted entities.
- Adding rights requests to include, in part, access to inferences and disclosure of a list of third parties to whom the entity sold personal data, and clarifying how a business should respond to a rights request (e.g., tell consumers you collected their SSN but do not disclose the SSN).
- Requiring additional information in website privacy notices, including whether personal data will be used to train large language models (AI).
- Amending online businesses’ responsibilities to avoid heightened risk of harm to minors under 18 years old, including through safeguards to prevent unsolicited communications by unknown adults and prohibiting addictive design features.
Separately, SB 1295 establishes a process for domestic abuse survivors to terminate their abuser’s access to a connected vehicle.
Effective July 1, 2026.
Kentucky
Kentucky amended its Consumer Data Protection Act to exempt information collected by health care providers that maintain protected health information in compliance with HIPAA. The amendments also include a technical change, specifying that data protection impact assessments are required for profiling activities that present a reasonably foreseeable risk of unlawful disparate impact on Kentucky consumers.
Effective January 1, 2026 – with requirements for data protection assessments applying to processing activities on or after June 1, 2026.
Montana
Montana’s revisions to the Montana Consumer Data Privacy Act are substantial and many were novel at the time of passage.
First, Montana and Delaware are in a Limbo battle for how low to go in those states that use numbers of individual state residents for the applicability threshold of their privacy law. Montana dropped to 25,000 Montanans, excluding personal data controlled or processed solely for the purposes of completing a payment transaction, or 15,000 Montanans when the business derives more than 25% of gross revenue from the sale of personal data. Other provisions relating to minors apply to all businesses.
Second, the revisions include tweaks to exempted entities, clarifying how a business should respond to a rights request (e.g., tell consumers you collected their SSN but do not disclose the SSN), and additional information that must be included in a website privacy notice.
Third, online businesses need to use reasonable care to avoid heightened risk of harm to minors under 18 years old. (NB: “minor” is defined differently than a “child” under 13 years old.) What is considered to be reasonable care is set out and includes consent requirements, purpose limitation, contractual requirements for processors, and data protection assessments. There is a safe harbor for businesses that choose to conduct age verification or age-gating of minors.
Fourth, the Attorney General must indefinitely provide notice and a 60-day cure period.
Effective October 1, 2025.
Oregon
Oregon revised the Oregon Consumer Protection Act (OCPA) in three different bills.
HB 2008
Oregon HB 2008 prohibits entities that fall under the OCPA from processing data of Oregon children under 16 years old for targeted advertising or certain profiling, regardless of consent. HB 2008 also prohibits selling the data of Oregonians under 16 years of age, where the controller has actual knowledge the consumer is under 16, and of all Oregonians’ precise geolocation data.
Effective January 1, 2026
HB 3875
Additionally, Oregon’s HB 3875 amends the OCPA as of September 26, 2025 to change requirements related to personal data obtained from an Oregonian’s use of a motor vehicle. In particular, HB 3875 removes the threshold requirements regarding total consumer numbers for motor vehicle manufacturers and their affiliates, making the requirements of the OCPA apply to motor vehicle manufacturers and their affiliates who control or process personal data obtained from an Oregon consumer’s use of a motor vehicle, regardless of the number of consumers the manufacturer or affiliate serves.
Effective September 26, 2025
SB 1121
Finally, Oregon’s SB 1121 extends the 30-day cure period under the OCPA for Oregon Public Broadcasting until June 30, 2026.
Utah
Utah played catch-up on permissible rights requests. Utah amended its Consumer Privacy Act to give users the right to correct inaccuracies in their personal data. Additionally, it enacted the Utah Digital Choice Act, mandating data portability and interoperability. More specifically, the Act requires social media companies to enable users to transfer personal data between controllers without impediment, and it further requires that social media companies implement interoperability interfaces with open protocol such that a user’s connections, content, and history are not lost when a user chooses to transfer data to another social media company.
Effective July 1, 2026 (both acts)
Virginia
Virginia’s Consumer Protection Act has been revised to cover certain reproductive or sexual health information. In particular, the revisions prohibit obtaining, disclosing, selling, or disseminating personally identifiable reproductive or sexual health information without the consent of the consumer. The revisions define “reproductive or sexual health information” to include a variety of categories of information, including but not limited to statuses and diagnoses related to pregnancy, menstruation, ovulation, and the ability to conceive a pregnancy, as well as the use or purchase of contraceptives, birth control, or other medications related to reproductive health.
Effective July 1, 2025
Age verification laws and age-appropriate design code acts
Covered in this section: Arkansas • Mississippi • Nebraska • Texas • Utah • Vermont • Virginia
Arkansas
Arkansas passed its Children and Teens' Online Privacy Protection Act, expanding particular federal children’s privacy protections to cover teens. Although the Act does not specifically require age verification, it prohibits targeted advertising using minors’ personal information and limits the collection of minors’ personal information to what is necessary for a particular transaction or service. Additionally, Arkansas’s Act implements two categories of consent required for collecting personal information. A parent must consent to collecting personal information from children, while either a parent or a teen aged 13-16 may consent to collecting the teen’s personal information. The Act also requires clear and conspicuous notice of particular rights, such as deletion, correction and access rights.
Effective July 1, 2026.
Mississippi
The U.S. Supreme Court recently allowed Mississippi to enforce its age verification law while lawsuits challenging the law on free-speech grounds proceed. The Mississippi law requires that social media sites verify the ages of users and that minors obtain express parental consent to create social media accounts, and it further requires that social media companies make reasonable efforts to ensure minors are not exposed to harmful content. Several other states have passed similar laws in recent years, and some have been enjoined from being enforced. It remains to be determined whether age verification laws like Mississippi’s ultimately infringe on First Amendment rights.
Nebraska and Vermont
Nebraska and Vermont each passed their own versions of Age-Appropriate Design Codes, despite ongoing legal challenges to similar laws in California and Maryland.
Nebraska
The Nebraska Age-Appropriate Design Code requires that covered online services provide minors with accessible and easy-to-use tools that limit other users’ ability to communicate with the minor, prevent others from viewing the minor’s personal data, limit the amount of time the minor spends using the service, and control other features of the service like personal recommendation systems, in-app purchases, and features that would contribute to infinite scrolling or otherwise reward frequent visits. Nebraska’s law also implements data minimization requirements, permitting only the minimum amount of collection and use of a minor’s personal data necessary to provide elements of the service the minor is knowingly engaged with, with retention only as long as necessary to provide the service.
Effective July 1, 2026.
Vermont
The Vermont Age-Appropriate Design Code implements similar substantive requirements as Nebraska’s, but Vermont also established that covered businesses owe minors a “minimum duty of care.” Specifically, Vermont’s law establishes a duty to ensure that the use of a minor’s personal data and the design of an online service will not result in reasonably foreseeable emotional distress, reasonably foreseeable compulsive use of the online service, or discrimination based on various protected classes.
Effective January 1, 2027, timed to allow for providing clarity and making changes as necessary based on lawsuits in other states.
Texas
Texas passed a similar App Store Accountability Act requiring that app store providers verify an individual’s age category, and that app store providers obtain parent consent before allowing minor users to download apps, purchase apps, or make in-app purchases. The Texas Act also requires that minors’ accounts be affiliated with parents’ accounts.
Effective January 1, 2026.
Utah
Utah’s App Store Accountability Act requires that app store providers like Apple and Google verify an individual’s age category (e.g., child, younger teenager, older teenager, or adult). App store providers must also obtain parental consent before allowing minor users to download apps, purchase apps, or make in-app purchases.
Effective May 6, 2026. Enforcement of the Act is set to begin on December 31, 2026.
Virginia
Virginia revised its Consumer Data Protection Act to require that any controller or processor operating a social media platform use commercially reasonable methods to determine whether a user is a minor. The revisions further limit minors’ use of social media platforms to one hour per day, with parental consent available to either increase or decrease the daily limit.
Effective January 1, 2026.
Additional Privacy & Tech Laws
States passed a number of other bills in 2025 that impact technology, privacy, data protection, and data security. A few are highlighted below to show the variety coming out of state legislatures.
Disclosure Requirements (New York, Minnesota, Texas)
These bills include disclosure requirements for social media companies, including required disclosures in terms of service in New York, effective as of June 19, 2025, and a mental health warning label in Minnesota, effective July 1, 2026. They also include website disclosure requirements for data brokers in Texas, which went into effect September 1, 2025.
Algorithmic Pricing (New York)
An algorithmic pricing law in New York requires a specific disclosure statement if personal data is used to determine a personalized offering price. The law was immediately challenged, and the Attorney General has agreed to not enforce the law for 30 days after the court’s ruling on whether to enjoin the law during the pendency of court proceedings. The law also prohibits protected class data from being used to set discriminatory pricing.
Disclosure of Private Information (Oregon)
In addition to the amendments to the OCPA, Oregon’s SB 1121 creates the crime of unlawful disclosure of private information.
The crime requires that:
- The person knowingly causes another’s personal information to be disclosed.
- The person has the intent to stalk or injure another person, or to cause damage to another person’s property.
- The person knows the disclosure was made without consent.
- The other person is stalked or injured, or their property is damaged, as a result of the disclosure.
For the purposes of this crime, personal information is defined to include a person’s home address, e-mail address, phone number, social security number, contact information for their employer, contact information for a family member, photographs of the person’s child, or identification of the school the person’s child attends.
Effective January 1, 2026.
Safe Harbor from Data Breach Lawsuits (Texas)
Texas created a safe harbor from data breach lawsuits for businesses with fewer than 250 employees that hold sensitive personal information. Under the law, which went into effect on September 1, 2025, a person injured by a data breach cannot obtain punitive damages if the business can show that it implemented a cybersecurity program that conformed to an industry-recognized cybersecurity framework, as appropriate based on the size of the business.
Artificial Intelligence
Some AI laws are broad and reminiscent of the comprehensive privacy laws, with disclosure and impact assessment requirements, such as Colorado’s Artificial Intelligence Act. Others target specific conduct, such as the use of AI tools by medical professionals or generative AI platforms responding to health care-related inquiries. We will cover the specifics of these state laws in a future article.
Next Steps & Contact
Please note that the updates provided here are high level summaries, and there may be exceptions or additional details regarding applicability. For more specific information about how these laws may apply to your organization, consult an attorney. If you need assistance reviewing your company’s or non-profit organization’s compliance with privacy obligations, please contact our privacy & data security team.