For those keeping track of the growing list of US state “comprehensive” privacy laws, you know that the Maryland law (the Maryland Online Data Privacy Act or MODPA) went into effect on October 1st. This rounds us out for US state privacy laws in 2025, bringing the total to 17 (or 16, if you discount Florida). Next up will be Indiana, Kentucky, and Rhode Island (all on January 1, 2026).Continue Reading 2025 Brought Us Eight US “Comprehensive” Privacy Laws, What’s Next?
Can we take any insights from Connecticut’s first settlement under the state’s Data Privacy Act, reached with TicketNetwork, an online ticket marketplace? The AG concerns mirrored priorities outlined in Connecticut’s 2025 CTDPA Enforcement Report. This suggests that future cases may also draw from that report.Continue Reading Privacy Compliance Insights from Connecticut’s First Privacy Law Settlement
Connecticut has revised its privacy law for the third time since it was passed in 2022. With SB 1295, the state has mirrored others (like Colorado and Montana) in making ongoing changes to its law. Many of the changes incorporate either in concept, or wholesale, provisions that exist in other states. Connecticut makes these changes following 2024 and 2025 AG reports, which reports included recommendations to lawmakers, some of which ended up in SB 1295. Continue Reading Connecticut, the Provisions State, Adds New Provisions to its Privacy Law
The US “comprehensive” law landscape continues to expand, with two more states—Tennessee (July 1) and Minnesota (July 31) —joining the “comprehensive” privacy law club. Five of these -Delaware, Iowa, Nebraska, New Hampshire, and New Jersey- took effect in January. As the patchwork of state-level “comprehensive” privacy laws expands, what should business keep in mind? As outlined below, perhaps the biggest takeaway is that the laws add to a patchwork, one which consists of many overlapping requirements. Here are a few highlights from these two latest laws:Continue Reading US Privacy Footprint Continues to Expand: Tennessee and Minnesota Join the State Law Club
Montana’s privacy law has received a refresh and updates will go into effect October 1, 2025 – exactly one year since the law took effect. The law was modified with SB 297, and changes include coverage, approach with minors, and more:Continue Reading Big Sky State Makes Big Privacy Updates
In ongoing tweaks to state privacy laws, Oregon has amended its state privacy law to cover auto manufacturers. Specifically, those that process or control personal information that they get from a person’s use of a car. As most are aware, the law requires disclosures when collecting personal information, provision of rights to consumers (including the ability to delete and port personal information), and limits on profiling among other things. While the Oregon law, like most state “comprehensive” laws, includes applicability thresholds, there are no thresholds for this new applicability to car manufacturers. The law is slated to go into effect in September of this year.Continue Reading Oregon Extends Privacy Law to Specifically List Auto Makers
California appears to be changing its approach to how it regulates artificial intelligence, likely reflecting its reaction to challenges seen recently in other states. Namely, the California Privacy Protection Agency recently released an update to its draft regulations which change how the Agency plans to regulate Automated Decisionmaking Technology, or ADMT. This comes after the Agency’s original proposal faced intense opposition from industry groups, state lawmakers and Governor Newsom.Continue Reading California Regulator Releases Updated Draft Regulations, Scales Back Proposed AI Privacy Rules
Virginia’s governor recently signed into law a bill that amends the Virginia Consumer Data Protection Act. As revised, the law will include specific provisions impacting children’s use of social media. Unless contested, the changes will take effect January 1, 2026. Courts have struck down similar laws in other states (see our posts about those in Arkansas, California, and Utah) and thus opposition seems likely here as well. Of note, the social media laws that have been struck down in other states attempted to require parental consent before minors could use social media platforms. This law is different, as it allows account creation without parental consent. Instead, it places restrictions on account use for both minors and social media platforms.Continue Reading Virginia Will Add to Patchwork of Laws Governing Social Media and Children (For Now?)
The California Privacy Protection Agency announced this month that it, along with six other states, will be forming a new group called the “Consortium of Privacy Regulators.” (The other states are Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon.) Members include the Attorneys General from these states, as well as California’s privacy regulator (the CPPA).Continue Reading New Era of Collaboration? States Team Up to Coordinate on Privacy Laws
The Colorado AG’s office adopted draft amendments to the Colorado Privacy Act rules last month. The adopted draft reflected input from the public to AG’s September 2024 version and addresses three key issues. First, on opinion letters and interpretive guidance from the AG. Second, changes resulting from the passage of a bill related to biometric (HB 24-1130) data. And third, a bill related to children’s (SB 24-041) privacy. (Both of which amend Colorado’s privacy law.)Continue Reading Colorado Rolls Out Updated Privacy Rules Ahead of 2025 CPA Amendments
Are you ready for the next set of US state privacy laws going into effect? Delaware, Iowa, Nebraska, and New Hampshire are effective January 1, and New Jersey’s law go into effect two weeks later (January 15).Continue Reading Coming to a State Near You: 5 State Privacy Laws Take Effect in January 2025