Maynard Nexsen State Privacy Law Update
The first few weeks of 2025 have proven to be busy for state legislatures addressing consumer and employee privacy. With respect to enacted state laws, many new laws have taken or will take effect, many exemptions and cure periods expire, and new requirements come into effect. Below we list all of the enacted state consumer privacy laws to date, and break down recent and upcoming new laws/requirements by date, by state, and by type of provision. Finally, we provide an overview of new bills that have been introduced in various state legislatures.
This document will provide a handy guide for monitoring upcoming compliance obligations as well as tracking relevant legislative activity.
As always, if you have specific questions, please do not hesitate to reach out to a member of Maynard Nexsen’s Cybersecurity and Privacy Team.
Full List of Enacted State Comprehensive Privacy Laws: CA, CO, CT, DE, IN, IA, KY, MD, MN, MT, NE, NH, NJ, OR, RI, TN, TX, UT, VA
New laws/requirements taking effect in 2025 (by key date):
January 1, 2025:
- Colorado mandatory notice of violation and right to cure period expires.
- Connecticut requirement to allow consumer to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.
- Texas requirement to allow consumer to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.
- Montana requirement to allow consumer to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.
- New Hampshire requirement to allow consumer to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.
- Delaware privacy law goes into effect.
- Iowa privacy law goes into effect.
- Nebraska privacy law goes into effect.
- New Hampshire privacy law goes into effect.
- Montana data protection assessment requirements apply to processing activities created or generated after this date.
- Minnesota data protection assessment requirements apply to processing activities created or generated after this date.
- Texas authorized agent provisions go into effect.
- Virginia (HB707) amendments to VCDP, enhancing protections for children’s data, takes effect.
January 15, 2025:
- New Jersey privacy law goes into effect.
July 1, 2025:
- Colorado obligations regarding collection and processing biometric data go into effect.
- Delaware data protection assessment requirements apply to processing activities created or generated after this date.
- Oregon privacy law goes into effect for 501(c)(3) tax exempt organizations.
- Tennessee privacy law goes into effect.
July 31, 2025.
- Minnesota privacy law goes into effect.
October 1, 2025:
- Colorado obligations for data controllers that provide online services, products, or features to minors go into effect.
- Maryland privacy law goes into effect.
- Maryland data protection assessment requirements to apply to processing activities created or generated after this data.
- Maryland requirements to allow consumer to opt out of processing of purposes of targeted advertising or any sale through opt out preference signals goes into effect.
December 31, 2025:
- Delaware mandatory right to cure period expires; Attorney general has discretion to grant cure period.
- New Hampshire right to cure period expires; Attorney general has discretion to grant cure period.
- Indiana data protection assessment requirements apply to processing activities created or generated after this date.
January 1, 2026:
- Delaware requirement to honor universal opt out signals (e.g., Global Privacy Control) goes into effect.
- Indiana privacy law goes into effect.
- Kentucky privacy law goes into effect.
- Minnesota mandatory right to cure period expires.
- Oregon mandatory right to cure period expires.
- Oregon requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt out preference signals goes into effect.
- Rhode Island data protection assessment requirements apply to processing activities created or generated after this date.
April 1, 2026:
- Montana right to cure period expires.
June 1, 2026:
- Kentucky data protection assessment requirements apply to processing activities created or generated after this date.
April 1, 2027:
- Maryland optional 60-day right to cure period expires.
July 31, 2029:
- Minnesota privacy law goes into effect for postsecondary institutions regulated by the MN Office of Higher Education.
New Laws/Requirements Taking Effect in 2025 (by state):
State |
New Law Goes Into Effect |
Mandatory Notice of Violation/ Right to Cure Period Expires |
Opt-out for Targeted Ads/Sales Through Opt-out Pref Signals |
Data Protection Assessments |
Other |
Colorado |
1/1/2025 |
Obligations regarding biometric data go into effect (7/1/2025) |
|||
Connecticut |
1/1/2025 |
||||
Delaware |
1/1/2025 |
12/31/2025 |
7/1/2025 |
Obligation to honor universal opt-out signals (e.g., GPC): (1/1/2026) |
|
Kentucky |
1/1/2026 |
6/1/2026 |
|||
Iowa |
1/1/2025 |
||||
Indiana |
1/1/2026 |
|
12/31/2025 |
||
Maryland |
10/1/2025 |
4/1/2027 (optional 60-day right to cure) |
10/1/2025 |
10/1/2025 |
|
Minnesota |
7/31/2025 7/31/2029 (for MN post-secondary institutions) |
1/1/2026 |
1/1/2025 |
||
Montana |
4/1/2026 |
1/1/2025 |
1/1/2025 |
||
Nebraska |
1/1/2025 |
||||
New Hampshire |
1/1/2025 |
12/31/2025 |
1/1/2025 |
||
New Jersey |
1/15/2025 |
||||
Oregon |
7/1/2025 (for nonprofits) |
1/1/2026 |
1/1/2026 |
||
Rhode Island |
1/1/2026 |
||||
Tennessee |
7/1/2025 |
||||
Texas |
1/1/2025 |
Authorized Agent provisions (1/1/2025) |
New laws/requirements taking effect in 2025 (by requirement):
New law goes into effect:
1/1/2025 |
1/15/2025 |
7/1/2025 |
7/31/2025 |
10/1/2025 |
1/1/2026 |
Delaware, Iowa, Nebraska, New Hampshire, |
New Jersey |
Tennessee Oregon (for 501(c)(3) nonprofits) |
Minnesota (7/31/2029 for post-secondary institutions) |
Maryland |
Kentucky, Indiana |
Mandatory Notice of Violation/ Right to Cure Period Expires:
1/1/2025 |
12/31/2025 |
1/1/2026 |
4/1/2026 |
4/1/2027 |
Colorado |
Delaware, New Hampshire |
Minnesota, Oregon |
Montana |
Maryland (optional 60-day cure period) |
Right to Opt out of targeted advertising / Sales through Opt-out Preference Signals:
1/1/2025 |
10/1/2025 |
1/1/2026 |
Connecticut, Montana, New Hampshire, Texas |
Maryland |
Oregon |
Data Protection Assessments Required for Processing Going forward:
1/1/2025 |
7/1/2025 |
12/31/2025 |
1/1/2026 |
6/1/2026 |
Montana, Minnesota |
Delaware |
Indiana |
Rhode Island |
Kentucky |
Other/Miscellaneous:
1/1/2025 |
7/1/2025 |
1/1/2026 |
Texas (authorized agent provisions) |
Colorado (obligations re: biometric data) |
Delaware (obligation to honor universal opt out signals) |
State Privacy Bills Proposed in 2025 (as of Jan 20, 2025):
Arkansas:
- HB1082 (Arkansas Children and Teen’s Online Privacy Protection Act)
- HB1083 (Arkansas Kids Online Safety Act)
California:
- AB302 (Confidentiality of Medical Information Act)
Delaware:
- HB15 (amending DE constitution related to right of privacy)
Hawaii:
- SB1037 (consumer data privacy bill)
- SB1163 (prohibits sale of geolocation and internet browser information without consent; prohibits sale of data collected through electronic device eavesdropping)
- SB170 (amends state constitution to create “right to own one’s data”)
- HB566 (social media bill protecting minors)
Illinois:
- SB52 (Illinois Privacy Rights Act) (note last year’s version SB3517 failed)
- SB47 (Data broker registration bill)
- SB50 (Age Appropriate Design Code Act)
- SB51 (Age-Appropriate Design Code Act)
Massachusetts:
- SD495/SD267 (Massachusetts Data Privacy Act)
- HD2110 (Massachusetts Data Privacy Act)
- HD1679 (Internet Bill of Rights)
- SD2355 (Massachusetts Information Privacy and Security Act)
- HD2135 (Massachusetts Consumer Data Privacy Act)
- HD3523/1455 (regulating process of biometric data)
- HD715/SD1696 (health data privacy bill)
- SD501/HD2965 (regulating processing of location data)
- HD715 (consumer health data privacy)
Mississippi
- SB2500 (MS Consumer Data Protection Act)
Missouri:
- SB554 (Biometric Data Privacy Act)
Nebraska:
- LB204 (Biometric Autonomy Liberty Law)
- LB383 (social media bill)
New Jersey:
- S3181 /A1488 (biometric data privacy bills)
- S1959/A1879 (regulating social media companies)
- S2349/A2184 (data broker registration bills)
New York:
- A2141/ S929 (regulating consumer health data)
- A2107 (employee data privacy)
Oklahoma:
- SB546 (consumer data privacy bill) (modeled after Washington Privacy Act)
- HB1388/HB1762 (age appropriate design code bills)
- HB1275/SB931 / SB885 (social media bills)
South Carolina:
- H3732 (employee data privacy)
- SB3401 (consumer privacy protection=_)
Texas:
- HB186 (social media bill – adding to Texas Securing Children Online Through Parental Empowerment (SCOPE) Act)
Virginia:
- SB1023 (amends VCDPA to prohibit sale of geolocation data)
- HB2268 (establishes “Division of Emerging Technologies, Cybersecurity, and Data Privacy” to oversee/enforce laws governing cybersecurity, data privacy, and use of AI and other emerging technologies).
About Maynard Nexsen
Maynard Nexsen is a full-service law firm with more than 550 attorneys in 24 offices from coast to coast across the United States. Maynard Nexsen formed in 2023 when two successful, client-centered firms combined to form a powerful national team. Maynard Nexsen’s list of clients spans a wide range of industry sectors and includes both public and private companies.