Scope of US state-level privateness legal guidelines expands quickly in 2025
The variety of particular person US states with native knowledge privateness laws on their statute books has expanded quickly in 2025, with 9 extra state legal guidelines coming into impact this yr and three extra states – Indiana, Kentucky and Rhode Island – slated to start out implementing their very own guidelines on 1 January 2026, in accordance with a report compiled by the Worldwide Affiliation of Privateness Professionals (IAPP).
Because the introduction of the landmark California Shopper Privateness Act in 2020, politicians in state capitals throughout the US have eagerly taken up the information safety baton, with Colorado, Connecticut, Utah and Virginia all introducing complete privateness legal guidelines in 2023; Montana, Oregon and Texas in 2024; and Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey and Tennessee this yr.
An additional 16 states are at present deliberating complete privateness payments, together with financial powerhouse states equivalent to Massachusetts and New York.
The ensuing report captures an in-depth image of every of the separate state privateness legal guidelines, with the general aim being to stipulate the contours of every state to supply extra significant steerage to organisations. The IAPP has been actively monitoring amendments to state privateness legal guidelines – Connecticut, Montana and Oregon all made adjustments his yr to broaden the scope of applicability, improve client rights and put in place extra enterprise obligations round management and processing of private knowledge, for instance.
The place to start out?
Müge Fazlioglu, IAPP principal researcher, privateness regulation and coverage, has been monitoring these developments. She described an more and more advanced patchwork of compliance for organisations working within the US.
“The applicability of every US state privateness regulation could be assessed via a multistep course of as every state regulation has a singular scope based mostly on number of thresholds,” she instructed Laptop Weekly. “These thresholds are associated to entity’s jurisdiction, income, quantity of private knowledge processing and income derived from the sale of private knowledge.”
To dig deeper into the extent to which the legal guidelines differ, 5 completely different thresholds within the US now exist for processing resident’s private knowledge. These embrace no threshold in Nebraska and Texas; 25,000 or extra distinctive customers in Montana; 35,000 in Connecticut, Delaware, Maryland, New Hampshire and Rhode Island; 100,000 in California, Colorado, Indiana, Iowa, Kentucky, Minnesota, New Jersey, Oregan, Utah and Virginia; and 175,000 in Tennessee. So, any organisation holding knowledge on any Texas residents turns into topic to applicability, however they need to maintain knowledge on 0.6% of the inhabitants of Maryland, or 3.3% of the inhabitants of tiny Delaware.
Then there are thresholds for the sale of private knowledge. Right here, once more, Nebraska and Texas are strictest, ruling that the management, processing or sale of any private knowledge is topic to state privateness legal guidelines, albeit with exemptions for small companies. In the meantime in California, organisations fall in scope in the event that they management or course of any private knowledge and derive 50% or extra of their revenues from the sale of knowledge. Colorado and New Jersey each embrace inhabitants thresholds once more – 25,000 distinctive customers or extra, and in-scope organisations derive any income or low cost on the value of any items or companies from the sale of private knowledge.
With regards to exemptions, every of the 19 state legal guidelines excludes varied entities and kinds of knowledge held by them – mostly, authorities companies, non-profits and better schooling establishments; and organisations already topic to nationwide, sectoral laws, such because the Well being Insurance coverage Portability and Accountability Act (HIPAA).
Variations once more abound. For instance, the legal guidelines of Colorado, Delaware, Minnesota, Montana, New Jersey and Oregon don’t exempt non-profits. California and Maryland do exempt non-profits however don’t exempt larger schooling establishments, and so forth. Nuances exist even right here – Delaware, for instance, exempts just some non-profits and its legal guidelines don’t apply to these than deal with knowledge held by non-profits working with victims of kid abuse, home violence, human trafficking or sexual assault. Neighbouring Maryland exempts people who course of or share private knowledge to help first responders in emergency conditions, or regulation enforcement investigating fraud or insurance-related crime.
With regards to enterprise obligations underneath state privateness legal guidelines, all states require regulated entities to offer customers with privateness observe disclosure notices – California asks for this on the level of assortment, and all bar Rhode Island and Utah impose minimisation and objective limitations on the gathering or processing of knowledge. This sometimes restricts the gathering, use, retention and sharing of client knowledge to what’s satisfactory, related and fairly vital. Most states – bar Iowa and Utah – require knowledge safety impression assessments (DPIAs), however in Delaware, Indiana and Virginia, DPIAs are particularly required for focused promoting, the sale of private knowledge or particular person profiling.
Naturally, all states require consent for processing of delicate knowledge, however once more they outline various classes of knowledge as delicate. Most state legal guidelines cowl an ordinary dataset that will likely be acquainted to most, classing youngsters’s knowledge, knowledge on ethnic background, faith, and sexual orientation as delicate. Nonetheless, some states go additional, with Maryland and Oregon additionally recognising data on nationwide origin as delicate, whereas 5 states – Connecticut, Delaware, Maryland, New Jersey and Oregon – embrace knowledge which may reveal a person’s standing as non-binary or transgender.
Maryland, in the meantime, has the one state stage regulation that doesn’t classify psychological or bodily well being knowledge as delicate, whereas California ploughs a singular furrow and lessons philosophical beliefs as a protected class, defending existentialists, logical positivists, nihilists and stoics alike.
Lastly, turning to client rights to entry, right and delete knowledge held on them, issues are a little bit easier however there are nonetheless variations to account for. In all states customers can entry, right and delete knowledge – bar Iowa, the place they can not right it; and Indiana, the place they’ll right it provided that they’ve offered it within the first place.
Similarities to GDPR
Organisations working out of the UK or European Union (EU), could also be tempted to look to the practices and ideas already established underneath the Basic Knowledge Safety Regulation (GDPR) as a useful information to the rising labyrinth of guidelines, clauses and exceptions within the US.
Nonetheless, Fazlioglu mentioned that whereas the necessities of the assorted US regimes regarding client rights, knowledge minimisation, objective limitation of knowledge assortment and processing, and so forth, may really feel acquainted to organisations which can be already GDPR compliant at first look, knowledge privateness professionals must be cautious of inferring an excessive amount of from this, and it could be a grave error to rely too closely on them.
“As we all know on the earth of privateness and digital governance, compliance work requires repeatedly mapping the present panorama, monitoring the adjustments, and making vital updates and changes,” she mentioned. “With regards to the overlap of GDPR and the US state privateness legal guidelines, there’s lots to establish, assess, translate and contemplate. There’s no easy guidelines or system to verify alignment … Organisations want to look at the extent of every state privateness regulation and consider whether or not their current practices are ample.”
Fazlioglu mentioned that understanding the scope and specificity of every regulation, together with the classes of delicate knowledge or how varied phrases equivalent to “sale” are outlined, is essential.
She mentioned that whereas this may increasingly really feel advanced and daunting, the interplay between the assorted legal guidelines and domains and the GDPR could in the end profit customers. “It encourages deeper consideration to the crossroads of client safety and rising applied sciences,” she mentioned.
Federal legal guidelines a topic of debate
In parallel to the enacting of state-level laws within the US, calls proceed for Washington DC to introduce a federal privateness regulation. Whereas British and European observers not steeped in US political custom could naturally really feel inclined to choose a nationwide knowledge safety commonplace, this isn’t such a easy ask for the US federal system.
“It’s preferable for some and never preferable for others,” mentioned Fazlioglu. “For instance, throughout discussions across the American Privateness Rights Act of 2024 and the American Knowledge Privateness and Safety Act of 2023, we noticed completely different reactions from varied teams – some supported these payments to simplify the panorama, whereas others emphasised the danger of weakening the protections at present supplied by state legislatures.”
The IAPP tracks developments on this regard, inspecting contentious points equivalent to bipartisanship, personal proper of motion and preemption. Fazlioglu mentioned it was tough to foretell whether or not or not a federal regulation may advance via US Congress, however by analysing prior makes an attempt, it’s potential to see that legal guidelines which embrace personal proper of motion and preemption clauses can affect a invoice’s capacity to draw each Democrat and Republican assist.
Fazlioglu added: “The query shouldn’t be solely whether or not federal privateness laws is preferable, but in addition whether or not such a regulation ought to perform as a ceiling or a ground. Proponents of preemption argue {that a} federal regulation ought to function a ceiling – setting a uniform commonplace that overrides state legal guidelines. In distinction, supporters of preserving state privateness legal guidelines imagine a federal regulation ought to act as a ground – a minimal commonplace that states can construct upon.”
Because of this, Fazlioglu mentioned, it’s essential to think about each state and federal privateness regulation developments with a view to see the total image. “I imagine the state-federal dynamics affect one another. So, whereas it’s unsure whether or not we’ll see a federal privateness regulation enacted, I anticipate continued discussions at each the intra-state stage and between state and federal frameworks. Collectively, these conversations will proceed to form the US method to privateness regulation and coverage within the coming years,” she mentioned.
