Keypoint: Last week, governors in Colorado, Oregon, Nebraska, and Texas signed bills into law while bills advanced in Maine, Oregon, Vermont, and Texas.
Below is the twenty first weekly update on the status of proposed state privacy legislation in 2025. As always, the contents provided below are time-sensitive and subject to change.
What’s New
Colorado Governor Polis signed SB 276 into law. The bill amends the Colorado Privacy Act’s (CPA) definition of sensitive data to include precise geolocation data. It also amends the CPA to provide that a controller cannot sell a consumer’s sensitive data without first obtaining consent.
In Oregon, Governor Kotek signed HB 3875 into law. The bill amends Oregon’s consumer data privacy law’s applicability standard to provide that the law applies to any motor vehicle manufacturer and any affiliate of a motor vehicle manufacturer that controls or processes any personal data obtained from a consumer’s use of a motor vehicle or any component of a motor vehicle.
Meanwhile, the Oregon legislature passed HB 2008 on May 27 when the House concurred in Senate amendments. The bill amends Oregon’s consumer data privacy law to prohibit targeted advertising, profiling, and the sale of personal data if a controller has actual knowledge or willfully disregards a consumer is 13-15 years old. Controllers also cannot sell precise geolocation data.
Moving east, Maine’s Joint Judiciary committee passed one of two consumer data privacy bills under consideration – LD 1822. That bill contains data minimization provisions similar to Maryland’s law. The competing bill (LD 1088) failed to make it out of committee.
Turning to children’s privacy bills, Nebraska’s Republican Governor Jim Pillen signed LB 504 – the Nebraska Age-Appropriate Online Design Code Act – into law. The bill passed Nebraska’s Republican-controlled unicameral legislature last week. Meanwhile, Vermont’s Democrat-controlled legislature passed an Age-Appropriate Design Code Act last week (S.69). That bill will move next to Vermont’s Republican Governor, Phil Scott, for consideration. Notably, while the bills are both called Age-Appropriate Design Codes, their provisions significantly differ as discussed here by Future of Privacy Forum’s Keir Lamont.
In Texas, Governor Abbott signed SB 2420 (age verification for app stores) into law.
Meanwhile, the legislature passed two bills that amend the state’s data broker law. SB 1343 passed the legislature on May 27. The bill amends the state’s data broker registration law to require website notices to disclose how a consumer can exercise their data privacy law rights. The bill also adds a requirement in the law’s registration section that data brokers provide a link on their website that provides consumer with instructions on how to exercise their privacy rights. SB 2121 passed the legislature on May 31 after the Senate concurred in the House’s amendments. The bill modifies the definition of data broker and applicability section in the state’s data broker law. The Texas legislature closes on June 2.
The Oklahoma legislature adjourned on May 30 without passing any of the bills we have been tracking.
Looking ahead, Connecticut’s legislature closes on June 4.
For more information on all of the privacy bills introduced to date, including links to the bills, bill status, last action, and hearing dates, please see our bill tracker chart.
[View source.]
