Key point: While no state has passed a new consumer data privacy law in 2025, five states passed bills amending their existing laws.
In recent years, the number of states passing consumer data privacy laws has steadily risen. However, as of today, no state has passed a consumer data privacy law in 2025 (although a handful of states could still do so before year-end). Meanwhile, five states — Colorado, Connecticut, Kentucky, Montana, and Oregon — passed legislation amending their existing laws. Of those five, Connecticut and Montana enacted significant and far-reaching amendments.
Below is a summary of those amendments.
Colorado
For the second consecutive year, Colorado lawmakers amended the Colorado Privacy Act. This year, lawmakers added precise geolocation to the law’s definition of sensitive data. Prior to the amendment, Colorado’s was the only state consumer data privacy law that did not include precise geolocation data in its definition of sensitive data. The amendment also prohibits controllers from selling sensitive data without obtaining consumer consent.
Connecticut
For the second time since Connecticut first passed its privacy law in 2022, Senator James Maroney ran a bill significantly amending the law. The changes are extensive and include modifying the law’s applicability standard, exemptions, definitions, consumer rights, data minimization provisions, and children’s privacy sections. The bill also significantly modifies the law’s approach to profiling, which will impact the use of artificial intelligence in some contexts.
With respect to the law’s applicability, Maroney made three changes. First, the consumer threshold for applicability drops from 100,000 to 35,000. Second, the bill deletes the applicability threshold for persons that control or process the personal data of at least 25,000 consumers and derive more than 25% of their gross revenue from the sale of personal data. Instead, the law applies to persons that “offer consumers’ personal data for sale in trade or commerce.” Third, entities that control or process consumers’ sensitive data are subject to the law unless that data is used solely for purposes of completing a payment transaction (a necessary exception given the expansion of the definition of sensitive data discussed below).
The bill also amends the law’s Gramm-Leach-Bliley Act (GLBA) entity-level exemption and replaces it with exemptions for insurers, health carriers, insurance-support organizations, banks, credit unions and agents, broker-dealers, and investment advisers or their agents.
In addition, the bill creates a new approach to profiling and impact assessments. It expands the right to opt out to apply to all automated decisions, not just solely automated decisions. It further expands the right to include decisions made on behalf of controllers, not just those made by the controller. Consumers also are provided a new right to question profiling results under some circumstances. In a first for a state privacy law, Connecticut also now requires controllers to provide a statement disclosing whether the controller collects, uses or sells personal data for the purpose of training large language models. Finally, controllers that engage in profiling for the purpose of making a decision that produces any legal or similarly significant effect concerning consumers must conduct an impact assessment.
Other notable changes include:
- Modifying the law’s data minimization provision to draw it closer to California’s standard.
- Updating the definition of sensitive data to include information such as disability or treatment, status as nonbinary or transgender, neural data, and certain types of financial information.
- For requests to know, controllers do not need to disclose sensitive information such as Social Security numbers and biometric information.
- Adding a new right to obtain a list of the third parties to which such controller has sold the consumer’s personal data or, if such controller does not maintain a list of the third parties to which such controller has sold the consumer’s personal data, a list of all third parties to which the controller has sold personal data.
- Controllers do not have to provide a Connecticut-specific privacy notice or section of a privacy notice as long as their notice contains all the information required by the law.
- Revising the law’s existing children’s privacy provisions to prohibit the sale of children’s personal data and targeted advertising when the controller knows or willfully disregards the child’s age.
The changes are effective July 1, 2026.
Kentucky
Kentucky’s amendment adds two health care-related exemptions and makes a technical change to the law’s data protection impact assessment provision. Kentucky’s privacy law goes into effect on January 1, 2026.
Montana
Senator Daniel Zolnikov — author of Montana’s consumer data privacy law — returned this year to significantly revise the law.
Among the more notable changes, Zolnikov’s amendment lowered the law’s applicability threshold from 50,000 to 25,000 state residents. For reference, Montana was the first state to use a threshold lower than 100,000 residents, reflecting Montana’s smaller population. However, even with a 50,000-resident threshold, Montana’s applicability threshold was out of line with the other states that have passed laws when viewed as a percentage of state population. The 25,000 threshold brings Montana more in line with other states.
Zolnikov also narrowed the exemptions for nonprofits and GLBA financial institutions. The nonprofit exemption was narrowed to only nonprofits that detect and prevent fraudulent acts in connection with insurance. The GLBA entity-level exemption was narrowed to state and federally chartered banks, credit unions, or affiliates or subsidiaries principally engaged in financial activities. That change is consistent with the laws in Oregon, Minnesota, and Connecticut (as amended this year).
Other notable changes include:
- Adding Connecticut- and Colorado-style children’s privacy protections.
- Broadening the right to opt out of profiling by removing the word “solely.”
- For requests to know, controllers do not need to disclose sensitive information such as Social Security numbers and biometric information.
- Controllers do not have to provide a Montana-specific privacy notice or section of a privacy notice as long as the notice contains all the information required by the law.
- Removing the right to cure, which was set to sunset April 1, 2026.
By law, the changes are effective on October 1, 2025.
Oregon
Oregon lawmakers passed three bills amending the state’s consumer data privacy law.
First, lawmakers amended the law to prohibit targeted advertising, profiling, and the sale of personal data if a controller has actual knowledge or willfully disregards that a consumer is 13 to 15 years old. Controllers also cannot sell precise geolocation data. These changes are effective January 1, 2026.
Second, lawmakers amended the law’s applicability to provide that a motor vehicle manufacturer and its affiliates must comply with the law’s requirements for the processing of data obtained from a consumer’s use of a motor vehicle, regardless of the number of consumers from which the motor vehicle manufacturer or affiliate obtains personal data. Those changes are effective September 26, 2025.
Finally, lawmakers revised the law’s right to cure provision. The current right to cure sunsets on January 1, 2026. The law was amended to extend the right to cure for six months (until July 1, 2026) for noncommercial educational broadcast stations that receive Corporation for Public Broadcasting funding or serve as emergency alert entry points and provide journalism content at no cost.