Privacy Law

State Privacy Law in 2025—What to Expect

Written by Justin Yedor and Taylor Bloom

Things happen quickly in the world of data privacy. With new laws being enacted, regulations continuing to develop and enforcement an ongoing reality, it can be difficult to track all the recent developments in U.S. comprehensive privacy regulation. This article provides an update on the laws that will be in effect as of January 2025 and summarizes important trends to be aware of.

By April of 2024 nearly 20 percent of U.S. consumers had rights under their states’ privacy laws. And by October of 2024 that number had increased another 10 percent. By January 2025 it will be 40 percent, and nearly 50 percent by January 2026. Even in the absence of a federal privacy law, data privacy regulation is starting to become the norm across the country.

NEW STATE PRIVACY LAWS

Throughout 2024 we continued to see states passing similar but not identical privacy laws. In 2024, seven state legislatures (Nebraska, New Jersey, New Hampshire, Kentucky, Maryland, Minnesota, and Rhode Island) passed comprehensive privacy laws, which will take effect over the next couple of years. The good news for those working to comply is that a model does seem to be developing, at least in terms of the laws’ core requirements. For example, many of the laws passed to date are loosely based on the Virginia or Connecticut laws, with similar rights and requirements relating to notices, opt-outs, contracts, and the rights to access, delete and correct personal data. Nonetheless, it would be overly simplistic—and risky—to treat compliance with one of these laws as sufficient to cover all of the others. While all share common goals of consumer protection, transparency, increasing control over personal data, and limiting targeted advertising, there are significant differences among these laws relating to the right to opt out of profiling, recognition of browser-based opt-out preference signals, and data protection impact assessments (DPIAs), among other topics. There are also significant differences in the thresholds under which companies may become subject to a state’s privacy law.

Among the new laws taking effect in January, Delaware and New Hampshire have much lower thresholds than what we typically see—processing the personal data of 35,000 consumers will be enough to bring a business in scope. Iowa and New Jersey use the 100,000-consumer threshold that we are accustomed to from Colorado, Connecticut, and Virginia. Nebraska’s privacy law, on the other hand, does not rely upon revenue or data processing volume for applicability. Instead, Nebraska’s law—like the Texas Data Privacy and Security Act—applies to persons that conduct business in Nebraska or produce products or services consumed by Nebraska residents and are not small businesses as defined by federal law.

UPDATES TO EXISTING STATUTES AND REGULATIONS

Meanwhile, even states that already had privacy laws in effect—such as California and Colorado—recently passed bills modifying those laws to address new developments in technology such as the processing of neural data, biometrics, and artificial intelligence. For now, these statutory updates are likely to have only a modest impact on most businesses’ compliance efforts, though they may prove to be more significant in years to come if computer chip implants and wearable brain activity monitors become more widespread.

In March 2023, the Colorado Attorney General (AG) released regulations under the Colorado Privacy Act describing detailed requirements and examples relating to topics such as notices, privacy rights requests, browser-based opt-out signals, DPIAs, loyalty programs and profiling. Now the Colorado AG is back at it, having recently announced proposed draft amendments to the Colorado Privacy Act Regulations that would create a process for issuing opinion letters and interpretive guidance, require special notices for biometric identifiers, and clarify some sections of the existing regulations. This new rulemaking is currently underway.

On March 29, 2023, the California Office of Administrative Law approved the first set of regulations promulgated by the California Privacy Protection Agency (CPPA) under the California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA). These regulations followed extensive formal and informal rulemaking that began in 2021 but still did not address all of the topics designated for rulemaking under the CPRA. In the fall/winter of 2023, the CPPA published five additional sets of draft rules addressing cybersecurity audits, risk assessments, automated decision-making technology (ADMT), exceptions for insurance companies and still further updates to the existing CCPA regulations. Since then, the proposed regulations governing ADMT proved to be a source of much debate among the CPPA Board, stalling the entire rulemaking package from advancing into the formal rulemaking process.

When the CPPA Board met again on November 8, 2024, some members of the Board and many members of the public continued to raise issues with the ADMT Regulations. However, despite these apparent misgivings, a majority of the Board voted to move forward into the formal rulemaking process with the five sets of proposed CCPA regulations, citing (a) the further delay that would be caused by sending the rules back to the CPPA for further pre-rulemaking revisions, and (b) the hope that the formal rulemaking process would lead to appropriate revisions to the rules. At this point, we do not expect final regulations until at least mid-2025.

The Board also voted to give final approval for new regulations covering data broker registration requirements under the California Delete Act. The new data broker requirements diverge from prior requirements in several ways, and include a narrowed definition of a “direct relationship,” which could sweep many more businesses into the concept of a data broker. They also include a 1550% increase to the data broker registration fee, which the CPPA intends to use to fund its new “Deletion Request and Opt-Out Platform” (DROP). The DROP is intended as a one-stop mechanism for California residents who wish to delete their personal information from data broker files. It is expected to open to consumers on January 1, 2026, with data brokers required to access the platform and start processing consumer deletion requests beginning August 1, 2026.

EXPANDING ENFORCEMENT

With the influx of new privacy laws, it is more important than ever to have a strong compliance posture going into 2025. Regulators from an increasing number of states are launching investigations, monitoring consumer complaints, and actively addressing privacy grievances. AGs are also actively working together and have expressed that they often receive referrals from other agencies. Generally, companies should approach investigations collaboratively to prevent escalation and maintain open dialogue with regulators, but the best strategy for mitigating enforcement risk remains actively focusing on compliance.

With so many new developments afoot, 2025 is looking to be another busy year in the world of U.S. data privacy.

ENDNOTE

Justin T. Yedor is a Partner in the Los Angeles office of BakerHostetler. Justin partners with clients to develop creative solutions to data privacy challenges. He is a thought leader on California privacy law and a go-to advisor on the California Consumer Privacy Act and the next wave of U.S. state privacy laws taking effect across the country. You can contact Justin at jyedor@bakerlaw.com or learn more about his background here: https://www.bakerlaw.com/professionals/justin-t-yedor/ 

Taylor A. Bloom is a Partner in the Orange County office of BakerHostetler. Taylor has significant experience operating at the intersection of law, technology and business, with a keen focus on both U.S. and international data protection, data privacy and governance. You can contact Taylor at tbloom@bakerlaw.com or learn more about her background here: https://www.bakerlaw.com/professionals/taylor-a-bloom/

