State-by-State Privacy Legislation Update: A Compliance Roadmap for 2025

Kelley Chandler, Jacqueline Cooney, Kevin Coy, Erin Doyle
Arnall Golden Gregory LLP
Contact
LinkedIn
Facebook
X
Send
Embed

States have been active in passing and enacting comprehensive consumer privacy laws in the absence of a federal statute. To date, 19 states have passed such laws, starting with the California Consumer Privacy Act (“CCPA”), which took effect in 2020, followed by Virginia, Colorado, Utah, and Connecticut. Since that initial tranche of states, 14 more have passed their own comprehensive consumer privacy laws. Some of these laws went into effect last year or earlier this year, while others will become effective in the coming months or in early 2026.

As more and more states legislate, the privacy landscape is expanding in reach, and compliance with privacy laws is expanding in complexity. Below we provide an overview of the consumer privacy laws passed by this second tranche of states, including key dates, the status of each law, cure periods, exemptions, and notable provisions, as well as key takeaways for companies to keep in mind for the rest of 2025.

Key Aspects of the State Privacy Legislation Landscape

Cure Periods

Most of the recently passed or enacted laws contain a mandatory cure period of some form — either 30, 60 or 90 days, with variations between states regarding cure period expiry dates. Rhode Island is an outlier with no cure period included in its statute and Montana recently removed the cure period from its privacy law.

Exemptions

All state privacy statutes contain (1) exemptions for data collected and used as regulated and authorized by the Fair Credit Reporting Act (“FCRA”); and (2) exemptions for either entities or data regulated by the Gramm-Leach-Bliley Act (“GLBA”) and Health Insurance Portability and Accountability Act (“HIPAA”).

Recently, states such as Delaware, Maryland, Minnesota, Montana, New Jersey, and Oregon passed statutes that don’t provide general exemptions for nonprofit organizations and/or higher educational institutions — indicating a trend toward accountability and consumer privacy protection in more than just for-profit business contexts. Minnesota, Nebraska, and Texas each include exemptions for small business entities. Notably, California remains the only state among the 19 states with comprehensive consumer privacy laws that apply to B2B contact data and employee and job applicant data.

Children and Minors

Since the CCPA’s inclusion of provisions that require opt-in consent for selling or sharing the personal data of children between ages 13 to 16, more states have followed this trend. Delaware, New Jersey, Maryland, and Montana have also included provisions that cover minors between the ages of 13 to 18 — as opposed to only minors under 13, the age threshold in the federal Children’s Online Privacy Protection Act.

Data Minimization

While other states have included data minimization requirements, the Maryland Legislature passed three new significantly restrictive personal data collection and use standards that the other state consumer privacy statutes do not address.

Actionable Steps for Companies

  • Assess your business against the applicability thresholds and exemptions to determine which states’ statutes apply to your company.
  • Assess the data processing conducted by your company and document data flows and use practices.
  • Conduct a gap assessment comparing the company’s current privacy practices against the compliance obligations imposed by the applicable laws.
  • Update policies, procedures, and contractual provisions to remediate compliance gaps.
  • Continuously monitor for new laws or regulations related to the comprehensive consumer privacy landscape and engage trusted professionals to assist with meeting privacy obligations.
State Status Effective Date Notable Provisions
Delaware Effective 1/1/2025
  • Mandatory 60-day cure period expires on 12/31/2025, subject to attorney general discretion thereafter
  • Applies to companies that conduct business or produce products or services targeted to residents of Delaware and control or process personal data: (1) of at least 35,000 Delaware residents; or (2) of at least 10,000 residents and derive more than 20% of gross revenue from the sale of personal data
  • No general exemption for nonprofits or institutions of higher education
  • Requires consent for processing or sale of personal data where a controller has actual knowledge or willfully disregards that a consumer is between 13 to 18 years old
  • Grants consumers the right to obtain a list of third parties to which the controller has disclosed the consumer’s personal data
  • Requires responding to the Global Privacy Control (“GPC”) signal (beginning January 1, 2026)
  • Contains GLBA exemption (entity and data level) and HIPAA exemption (data level) Contains exemption for personal information collected and used as authorized under the FCRA
Indiana Passed (5/1/2023) 1/1/2026
  • Mandatory 30-day cure period
  • Applies to companies that conduct business in Indiana or produce products or services targeted to Indiana residents and control or process personal data: (1) of at least 100,000 Indiana residents; or (2) of at least 25,000 residents and derive more than 50% of gross revenue from the sale of personal data
  • Contains nonprofit and higher education exemptions, GLBA exemption (entity and data level) and HIPAA exemption (entity and data level)
  • Contains exemption for personal information collected and used as authorized under the FCRA
Iowa Effective 1/1/2026
  • Mandatory 90-day cure period
  • Applies to companies that control or process personal data: (1) of at least 100,000 Iowa residents; or (2) of at least 25,000 residents and derive over 50% of gross revenue from the sale of personal data
  • Does not grant consumers the right to correct inaccuracies in their personal data or opt out of profiling based on their personal data
  • Contains nonprofit and higher education exemptions, GLBA exemption (entity and data level) and HIPAA exemption (entity and data level)
  • Contains exemption for personal information collected and used as authorized under the FCRA
Kentucky Passed (4/4/2024) 1/1/2026
  • Mandatory 30-day cure period
  • Applies to companies that do business in Kentucky or produce products or services targeted to Kentucky residents and control or process personal data: (1) of at least 100,000 Kentucky residents; or (2) of at least 25,000 residents and derive more than 50% of gross revenue from the sale of personal data
  • Contains nonprofit and higher education exemptions, GLBA exemption (entity and data level) and HIPAA exemption (entity and data level)
  • Contains exemption for personal information collected and used as authorized under the FCRA
Maryland Passed (5/9/2024) 10/1/2025
  • Mandatory 60-day cure period until 4/1/2027
  • Applies to companies that conduct business or produce products or services targeted to residents of Maryland and control or process personal data: (1) of at least 35,000 Maryland residents; or (2) of at least 10,000 residents and derive more than 20% of gross revenue from the sale of personal data
  • Contains collection limitation to what is reasonably necessary and proportionate to provide or maintain a specific product or service
  • Contains consumer right to obtain a list of categories of third parties to which the controller has disclosed their personal data
  • Expansive definition of “sensitive data” and strict limitations on sensitive data collection and processing, with a blanket prohibition on the sale of sensitive data
  • Prohibition on selling data for the purpose of targeted advertising of consumers that the controller knows or should have known are under the age of 18
  • No general exemption for nonprofits or higher education
  • Requires responding to the GPC signal
  • Contains GLBA exemption (entity and data level) and HIPAA exemption (data level)
  • Contains exemption for personal information collected and used as authorized under the FCRA
Minnesota Passed (5/24/2024) 7/31/2025
  • Mandatory 30-day cure period until 1/31/2026
  • Applies to companies that conduct business or produce products or services targeted to residents of Minnesota and control or process personal data: (1) of at least 100,000 Minnesota residents; or (2) of at least 25,000 residents and derive more than 25% of gross revenue from the sale of personal data
  • Contains exemption for small businesses as defined by the U.S. Small Business Administration (but note that small businesses are still subject to requirement to obtain consent prior to sale of sensitive data)
  • No general exemption for nonprofits or higher education
  • Becomes effective for postsecondary institutions on 7/31/2029
  • Grants consumers the right to access information used and question the result of a decision made based on profiling
  • Grants consumers the right to obtain a list of third parties to which the controller has disclosed the consumer’s personal data
  • Contains a requirement to document and maintain a description of the policies and procedures the controller has adopted to comply with this law
  • Requires responding to the GPC signal
  • Contains GLBA exemption (data level) and HIPAA exemption (entity and data level)
  • Contains exemption for personal information collected and used as authorized under the FCRA
Montana1 Effective 10/1/2024
  • No mandatory cure period
  • Applies to companies that conduct business or produce products and services in Montana and control or process personal data: (i) of at least 25,000 consumers; or (ii) of at least 15,000 consumers and derive more than 25% of gross revenue from the sale of personal data
  • No general exemption for nonprofits
  • Requires consent for processing data of consumers that the controller actually knows or willfully disregards is under the age of 18 for (i) targeted advertising, sale, or profiling; (ii) processing for purposes beyond the scope of what the controller originally disclosed; (iii) longer than is reasonably necessary to provide the controller’s service; (iv) include design features that increase or extend a minor’s use of the service; and (v) collection of precise geolocation that goes beyond what is reasonably necessary for the service or retention of such data for longer than necessary to provide the service
  • Controllers that collect precise geolocation from minors must provide a signal to the minor during the entire duration of its collection of the minor’s precise geolocation data
  • Statute’s provisions related to minors apply regardless of whether a company meets the applicability thresholds in the statute
  • Requires responding to the GPC signal
  • Contains higher education exemptions, GLBA exemption (data level) and HIPAA exemption (entity and data level)
  • Contains exemption for personal information collected and used as authorized under the FCRA
Nebraska Effective 1/1/2025
  • Mandatory 30-day cure period
  • Applies to businesses that conduct business in Nebraska or produce products and services consumed by state residents, process or sell residents’ personal data, and are not small businesses as determined under the federal Small Business Act (but note that small businesses are still subject to requirement to obtain consent prior to sale of sensitive data)
  • Requires responding to the GPC signal
  • Contains nonprofit and higher education exemptions, GLBA exemption (entity and data level) and HIPAA exemption (entity and data level)
  • Contains exemption for personal information collected and used as authorized under the FCRA
New Hampshire Effective 1/1/2025
  • Mandatory 60-day cure period until 12/31/2025, subject to Attorney General discretion thereafter
  • Applies to businesses that conduct business or produce products and services in New Hampshire and control or process personal data: (1) of at least 35,000 residents; or (2) of at least 10,000 residents and derive more than 25% of gross revenue from the sale of personal data
  • Requires responding to the GPC signal
  • Contains nonprofit and higher education exemptions, GLBA exemption (entity and data level) and HIPAA exemption (entity and data level)
  • Contains exemption for personal information collected and used as authorized under the FCRA
New Jersey Effective 1/15/2025
  • Mandatory 30-day cure period until July 2026
  • Applies to businesses that conduct business or produce products or services targeted to residents of New Jersey and control or process personal data: (1) of at least 100,000 New Jersey residents; or (2) of at least 25,000 residents and derive revenue or receive discounts on the price of any goods or services from the sale of personal data
  • No general exemption for nonprofits or higher education
  • Contains requirement for consumers ages 13 to 17 to consent to using their personal data for targeted advertising, sale, or profiling in furtherance of consequential decisions
  • Requires responding to the GPC signal (beginning July 15, 2025)
  • Contains GLBA exemption (entity and data level) and HIPAA exemption (data level)
  • Contains exemption for personal information collected and used as authorized under the FCRA
Oregon Effective 7/1/2024
  • Mandatory 30-day cure period until 1/1/2026
  • Applies to businesses that conduct business or provide products or services to residents of Oregon and control or process personal data: (1) of at least 100,000 Oregon residents; or (2) of at least 25,000 residents and derive 25% or more of revenue from the sale of personal data
  • No general exemption for nonprofits (which must comply by 7/1/2025) or higher education
  • Contains consumer right to obtain a list of third parties to which the controller has disclosed their personal data
  • Requires responding to the GPC signal (beginning January 1, 2026)
  • Contains GLBA exemption (data level) and HIPAA exemption (data level)
  • Contains exemption for personal information collected and used as authorized under the FCRA
Rhode Island Passed (6/25/2024) 1/1/2026
  • No mandatory cure period
  • Applies to businesses that conduct business in Rhode Island or produce products or services that are targeted to Rhode Island residents and control or process personal data: (1) of at least 35,000 Rhode Island residents; or (2) of at least 10,000 residents and derive more than 20% of gross revenue from the sale of personal data
  • Commercial websites or internet service providers conducting business in the state or with customers in the state must designate a controller
  • Contains nonprofit and higher education exemptions, GLBA exemption (entity and data level) and HIPAA exemption (entity and data level)
  • Contains exemption for personal information collected and used a authorized under the FCRA
Tennessee Passed (5/11/2023) 7/1/2025
  • Mandatory 60-day cure period
  • Applies to businesses that conduct business in Tennessee or produce products or services that are targeted to Tennessee residents, have annual revenues over $25 million, and control or process personal data: (1) of at least 175,000 Tennessee residents; or (2) of at least 25,000 residents and derive more than 50% of gross revenue from the sale of personal data
  • Provides an affirmative defense to an entity subject to a cause of action under the statute if: (1) the entity’s privacy policy reasonably conforms to National Institute of Standards and Technology (“NIST”) privacy framework or other documented standards for consumer privacy; and (2) is updated to reasonably conform with a subsequent revision to the NIST or comparable privacy framework within two years of the publication date stated in the most recent revision to the NIST or comparable framework
  • Contains nonprofit and higher education exemptions, GLBA exemption (entity and data level) and HIPAA exemption (entity and data level)
  • Contains exemption for personal information collected and used as authorized under the FCRA
Texas Effective 7/1/2024
  • Mandatory 30-day cure period
  • Applies to businesses that conduct business in Texas or produce a product or service consumed by state residents, process or sell residents’ personal data, and are not small businesses as defined by the U.S. Small Business Administration (but note that small businesses are still subject to requirement to obtain consent prior to sale of sensitive data)
  • Requires responding to the GPC signal (beginning January 1, 2026)
  • Contains nonprofit and higher education exemptions, GLBA exemption (entity and data level) and HIPAA exemption (entity and data level)
  • Contains exemption for personal information collected and used as authorized under the FCRA

 

[1] This chart includes recent updates to Montana’s privacy statute by SB 297, signed on May 8, 2025.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Arnall Golden Gregory LLP

Written by:

Arnall Golden Gregory LLP
Arnall Golden Gregory LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Arnall Golden Gregory LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide