State Privacy Laws in Action: Enforcement and Litigation in 2025

Introduction

As of October 2025, US state privacy laws have become a cornerstone of consumer protection, shaping how businesses collect, use, and safeguard personal data. The landscape began with the California Consumer Privacy Act (CCPA) in 2020, later enhanced by the California Privacy Rights Act (CPRA), and has since expanded to seventeen states currently enforcing comprehensive privacy laws, with laws in three additional states set to take effect in 2026.

These laws regulate a broad spectrum of consumer data, including sensitive personal data, biometric data, consumer health data, and location data. For companies operating across state lines, the patchwork of laws requires a keen understanding of varying compliance obligations, enforcement risk, and regulatory expectations. States like Connecticut, Texas, and Maryland impose additional protections for children’s data, while Florida and Montana emphasize consumer rights such as opt-out mechanisms and access requests.

Businesses today must navigate evolving requirements related to:

  • Transparency in privacy notices and privacy policies
  • Data minimization and limiting data collection to disclosed purposes
  • Implementation of opt-out mechanisms, including Global Privacy Control signals
  • Protecting sensitive personal data, including health insurance information and neural data
  • Ensuring accountability through a documented privacy compliance program

The stakes are high: failure to comply with state privacy laws can trigger enforcement actions from attorneys general, the California Privacy Protection Agency, and other state regulators, as well as private litigation in select jurisdictions. Companies must integrate privacy compliance measures into their operational practices to mitigate enforcement risk and safeguard consumer trust.

The California Consumer Privacy Act (CCPA) and Other US State Privacy Laws

The California Consumer Privacy Act (CCPA) remains the most influential privacy law in the United States. Enforced by both the California Attorney General and the California Privacy Protection Agency, it sets the standard for compliance expectations across the country. The law’s scope now extends both to businesses operating within California and to companies outside the state that process significant amounts of consumer data from California residents.

In addition to granting consumers the right to submit privacy requests and opt-out requests, the CCPA provides a limited private right of action for alleged violations related to data breaches. This feature distinguishes it from most other state privacy laws, where only the attorney general can pursue enforcement. Businesses face litigation risk not just from regulators but also from consumers, particularly when security measures fail to protect personal information or sensitive personal data.

Other state privacy laws have also gained traction:

  • The Connecticut Data Privacy Act (CTDPA) requires strict handling of sensitive personal data, including consumer health data and children’s data, while mandating accessible privacy policies and privacy notices.
  • The Texas Data Privacy and Security Act (often referred to as the Texas Law) expands obligations around data minimization, privacy practices, and compliance efforts for businesses engaging in targeted advertising or handling sensitive data.
  • Colorado, Virginia, Utah, Oregon, and other states have enacted similar laws, reinforcing the growing enforcement risk for businesses navigating compliance across multiple jurisdictions.

Together, these frameworks highlight how state privacy laws are no longer optional considerations; they are central to modern privacy and security compliance strategies.

Regulatory Expectations and Compliance Obligations

Regulatory expectations in 2025 focus on accountability, transparency, and consumer rights. Businesses must ensure that privacy practices meet the high standards set by the growing body of US state privacy laws, including:

  • Privacy policies and notices that clearly describe what personal data is collected, how it is used, and the disclosed purposes
  • Accessible and effective opt-out mechanisms, including support for Global Privacy Control signals so that consumers can exercise their rights to opt out of targeted advertising
  • Strict adherence to data minimization principles, collecting only what is necessary to fulfill disclosed purposes
  • Enhanced safeguards for sensitive personal data, such as biometric data, consumer health data, and children’s data
  • Implementing a robust privacy compliance program that tracks vendor management, ensures timely responses to privacy requests, and demonstrates ongoing compliance efforts

State regulators, including the California Privacy Protection Agency, Connecticut Department of Consumer Protection, and Texas Attorney General, are actively enforcing these obligations. Businesses are expected to maintain privacy compliance programs that go beyond mere documentation, showing proactive compliance measures to protect consumer data.

Key compliance measures include:

  • Vendor oversight – monitoring third-party vendors and data processors to ensure they adhere to privacy obligations
  • Timely response to privacy requests – addressing access, correction, deletion, and opt-out requests promptly
  • Audit and accountability mechanisms – documenting and demonstrating ongoing compliance efforts
  • Special handling for sensitive data – implementing encryption, access controls, and other safeguards for biometric data, health insurance information, and consumer health data

By aligning business practices with these regulatory expectations, companies can reduce enforcement risk, strengthen consumer trust, and navigate the complex patchwork of US state privacy laws effectively.

States with Comprehensive Privacy Laws Currently in Effect

As of October 2025, the following states have enacted comprehensive data privacy laws that are currently in effect:

| State | Law Name | Effective Date |
|---|---|---|
| California | California Consumer Privacy Act (CCPA) | January 1, 2020 |
| Virginia | Virginia Consumer Data Protection Act (VCDPA) | January 1, 2023 |
| Colorado | Colorado Privacy Act (CPA) | July 1, 2023 |
| Connecticut | Connecticut Data Privacy Act (CTDPA) | July 1, 2023 |
| Utah | Utah Consumer Privacy Act (UCPA) | December 31, 2023 |
| Florida | Florida Digital Bill of Rights | July 1, 2024 |
| Oregon | Oregon Consumer Privacy Act (OCPA) | July 1, 2024 |
| Texas | Texas Data Privacy and Security Act | July 1, 2024 |
| Montana | Montana Consumer Data Privacy Act | October 1, 2024 |
| Delaware | Delaware Personal Data Privacy Act | January 1, 2025 |
| Iowa | Iowa Consumer Data Protection Act | January 1, 2025 |
| Nebraska | Nebraska Data Privacy Act | January 1, 2025 |
| New Hampshire | New Hampshire Consumer Data Privacy Act | January 1, 2025 |
| New Jersey | New Jersey Data Privacy Act | January 15, 2025 |
| Tennessee | Tennessee Information Protection Act (TIPA) | July 1, 2025 |
| Minnesota | Minnesota Consumer Data Privacy Act (MCDPA) | July 31, 2025 |
| Maryland | Maryland Online Data Privacy Act (MODPA) | October 1, 2025 |

These 17 laws are currently enforced, and businesses must comply with their requirements, including consumer rights, privacy notices, data minimization, and opt-out mechanisms.

States with Signed Privacy Laws Not Yet in Effect

| State | Law Name | Effective Date |
|---|---|---|
| Indiana | Indiana Consumer Data Protection Act | January 1, 2026 |
| Kentucky | Kentucky Consumer Data Protection Act | January 1, 2026 |
| Rhode Island | Rhode Island Data Transparency and Privacy Protection Act | January 1, 2026 |

Businesses operating in these states should prepare their compliance programs in advance, as enforcement of these laws is scheduled to begin in 2026.

US State Privacy Laws and Enforcement in 2025

By October 2025, seventeen states have enacted comprehensive consumer data privacy laws that are now in effect, with three additional states having signed laws set to take effect in 2026. This rapidly evolving regulatory landscape presents a complex challenge for businesses operating across multiple states, particularly for those handling sensitive personal data, biometric data, consumer health data, and location data.

The scope of state privacy laws varies. Some laws include entity-level exemptions or data-level exemptions for small businesses, nonprofits, or financial institutions already subject to the Health Insurance Portability and Accountability Act (HIPAA) or other privacy and security acts. These exemptions can influence compliance obligations, but do not eliminate the need for a robust privacy compliance program.

Enforcement Priorities

Enforcement strategies differ by state. In California, the California Privacy Protection Agency and the Attorney General frequently file enforcement actions, while in Texas, Florida, and Connecticut, regulators are emphasizing priorities such as:

  • Protecting consumer privacy and children’s data
  • Safeguarding sensitive data, including consumer health data
  • Ensuring transparency in privacy policies and privacy notices

The enforcement risk has increased due to:

  • Some states offering no cure period, making businesses immediately liable for alleged violations
  • Regulators prioritizing timely responses to privacy requests and opt-out requests
  • Expanded scrutiny of artificial intelligence, neural data, and mobile apps, especially when used for targeted advertising

This patchwork of state privacy enforcement requires businesses to continuously track regulatory expectations, monitor press releases, and stay informed about upcoming laws.

State Privacy Enforcement and Actions

Enforcement activity in 2025 has surged as state regulators hold businesses accountable for compliance efforts. Regulators consistently highlight three primary enforcement priorities:

  1. Transparency – Businesses must maintain accurate and comprehensive privacy notices and privacy policies. Failure to clearly disclose data collection, disclosed purposes, and consumer rights can trigger enforcement actions.
  2. Vendor Oversight – Companies are responsible for monitoring third-party vendors and data processors. Liability for alleged violations often extends to businesses contracting these vendors.
  3. Timely Response to Privacy Requests – Delayed or ignored opt-out requests, global privacy control signals, or other consumer privacy requests are a major driver of enforcement actions.

Regulators are also paying close attention to emerging technologies, including artificial intelligence and neural data applications, particularly where sensitive personal data or consumer health data is processed. AI-driven targeted advertising and mobile apps have become top regulatory priorities.

Recent enforcement cases indicate that scrutiny is no longer limited to large technology companies. Streaming services, mobile apps, data brokers, and even small loyalty programs have faced actions for alleged violations, underscoring that no business is exempt from privacy enforcement.

Privacy Enforcement and Business Obligations

All companies, regardless of size or industry, must adopt proactive privacy compliance programs. Key insights for businesses in 2025 include:

  • Historical compliance matters – Regulators may review past business practices to identify alleged violations.
  • Vendor management – Businesses must actively monitor vendor privacy practices, going beyond contractual obligations.
  • Opt-out mechanisms – Companies must honor consumer opt-out requests and Global Privacy Control signals. Ignoring these requests is among the most common causes of enforcement.
  • Beyond check-the-box compliance – Regulators expect demonstrable accountability through actionable compliance measures.

Industries handling high volumes of consumer privacy inquiries, such as streaming services, mobile apps, healthcare, and loyalty programs, face unique challenges. Businesses collecting location data, biometric data, or other sensitive personal data are under particular scrutiny, with an emphasis on privacy and security safeguards.

Conclusion

The state privacy law landscape in 2025 continues to expand and evolve. With seventeen states currently enforcing laws and three additional states set to enforce in 2026, businesses must remain vigilant in tracking regulatory priorities, enforcement actions, and press releases from state regulators and attorneys general.

To successfully navigate this landscape, businesses should:

  • Invest in comprehensive privacy compliance programs, emphasizing data minimization and security of personal data
  • Stay informed about state privacy enforcement trends and enforcement risk
  • Implement strong compliance measures, including timely responses to privacy requests, vendor oversight, and transparent privacy practices
  • Pay particular attention to sensitive personal data, biometric data, consumer health data, and children’s data
  • Ensure adherence to opt-out mechanisms and Global Privacy Control signals

Companies that prioritize consumer privacy and adopt transparent, accountable practices will be best positioned to mitigate enforcement risk and build consumer trust. In the United States, the future of data privacy and security will be shaped not only by the laws themselves but also by how businesses respond to state privacy enforcement and rising regulatory expectations.
