ARTICLE
13 August 2025

Mid-Year Recap: State Consumer Privacy Laws

Perkins Coie LLP


With 2025 more than half over and many state legislatures adjourned for the year, we look back at significant legislative developments concerning state comprehensive consumer privacy laws.

With 19 such laws already on the books, seven of which were adopted in 2024, no state has enacted an omnibus consumer privacy law in 2025 to date, a first in several years. However, eight states have amended their consumer privacy laws, including sweeping changes to the Connecticut and Montana laws. This post highlights key changes introduced by these amendments across core areas of compliance.

Amendments Adopted Year to Date

Here are the laws that have been amended so far in 2025 and their effective dates.

| State Privacy Law | Effective Date of Amendment |
| --- | --- |
| Colorado Privacy Act, SB 25-276 | May 23, 2025 |
| Connecticut Data Privacy Act, SB 1295 | Most provisions effective July 1, 2026 |
| Kentucky Data Protection Act, HB 473 | January 1, 2026 |
| Montana Consumer Data Privacy Act, SB 297 | October 1, 2025 |
| Oregon Consumer Privacy Act, HB 2008; HB 3875 | HB 2008 - January 1, 2026; HB 3875 - September 26, 2025 |
| Texas Data Privacy and Security Act, HB 149 | January 1, 2026 |
| Utah Consumer Privacy Act, HB 418 | July 1, 2026 |
| Virginia Consumer Data Protection Act, SB 854 | January 1, 2026 |

Across the amendments adopted in these eight states, we see the key changes and trends described below.

Expanded Applicability

A number of states broadened the reach of their laws by lowering thresholds, introducing new compliance triggers, and narrowing exemptions to capture more businesses within their regulatory frameworks.

  • Most notably, Connecticut's amended law now covers more businesses through novel compliance triggers and substantially lower thresholds. The amendment also narrows the exemptions for financial institutions by replacing the entity-level Gramm-Leach-Bliley Act (GLBA) exemption with a data-level exemption and creating a narrower entity-level exemption for a variety of organizations, such as certain insurers, banks, credit unions, and broker-dealers. (See our prior post for more detail.)
  • As described in our previous post, Montana likewise reduced thresholds, now applying to businesses processing personal data of 25,000 consumers (previously 50,000) or 15,000 consumers (previously 25,000) if the company derives more than 25% of its revenue from selling personal data. Controllers offering online services, products, or features to minors under 18 must now also comply with certain obligations, regardless of general thresholds. Montana also narrowed exemptions for nonprofits (bringing most nonprofits within scope) and financial institutions subject to GLBA. Similar to Connecticut, it generally replaced the entity-level exemption with a data-level exemption while also establishing an entity-level exemption for certain chartered banks, credit unions, insurers, and self-insurers.
  • Oregon established a unique provision focused on motor vehicle manufacturers and affiliates. Under the amendment, the state's privacy law will cover these entities if they control or process any personal data obtained from the use of motor vehicles, regardless of data volume. More specifically, HB 3875 expands the law to cover all motor vehicle manufacturers or their affiliates that control or process personal information obtained from a consumer's use of a vehicle or any component of a vehicle by removing car makers and affiliates from an exemption for entities that process the personal information of fewer than 100,000 consumers or that derive 25 percent or more of their revenue from selling such data. As a result, drivers have the right to opt out of having their personal information sold or used for advertising by carmakers under the Oregon law.

However, one state was an outlier: Kentucky narrowed applicability by expanding existing HIPAA-related exemptions. In addition to exempting HIPAA-covered entities and information, the law also now exempts information collected by health care providers acting as covered entities and maintaining protected health information in accordance with HIPAA, as well as information included in limited data sets as defined by HIPAA and to the extent maintained in compliance with its requirements.

Greater Scrutiny on Profiling and Automated Decision-Making

While profiling and automated decision-making have long been subject to regulation, the amendments generally reflect increasing regulatory scrutiny and obligations in connection with both.

  • Under the Montana amendments, businesses must provide opt-out rights for profiling "in furtherance of automated decisions that produce legal or similarly significant effects," even if not entirely automated. Previously, the opt-out right was available only for profiling in furtherance of "solely" automated decisions.
  • Connecticut's amendments go even further. Prior to amendment, Connecticut allowed consumers to opt out of profiling in furtherance of "solely automated decisions that produce legal or similarly significant effects concerning the consumer." (Emphasis added.) The statute defined "decisions that produce legal or similarly significant effects concerning the consumer" to mean decisions made by the controller that "result in the provision or denial by the controller of financial or lending services, housing, insurance, education, enrollment or opportunity, criminal justice, employment opportunities, health care services or access to essential goods or services." Similar to Montana, the Connecticut amendments removed "solely" and granted opt-out rights for profiling in furtherance of "any automated decision that produces any legal or similarly significant effect concerning the consumer." (Emphases added.) Further, the legislature modified "decision that produces any legal or similarly significant effect" to include any decisions "made on behalf of the controller," while omitting the vague term "access to essential goods or services." As a result, the opt-out right applies not only to decisions made by the controller but also when such decisions are made by other persons or entities (such as processors or other service providers) on its behalf. In addition, the Connecticut amendments introduced other consumer rights and business obligations related to profiling:
    • Consumers may access inferences about the consumer derived from personal data and know whether a controller or processor is engaging in profiling to make decisions with legal or similarly significant effects.
    • When profiling is used in such decisions, consumers have the right—if feasible—to challenge profiling results, understand the reasoning behind profiling decisions, review the personal data used, and for housing-related decisions, correct inaccurate personal data and request reevaluation of the decision.
    • Controllers must conduct impact assessments when profiling is used to make a decision with legal or similarly significant effects. In addition, as discussed in more detail below, the amendments require these assessments when controllers conduct profiling of minors. These assessments, which are separate from the data protection assessment requirements, must include information, "to the extent reasonably known by or available to the controller," such as purpose and intended use cases, risks of consumer harm, profiling inputs and outputs, main categories of personal data used for customization, performance metrics, transparency measures, and safeguards. As with data protection assessments, profiling impact assessments may be required to be produced to the Attorney General. While the Connecticut law generally takes effect July 1, 2026, the impact assessment provision applies to processing on or after August 1, 2026, and is not retroactive.
  • Along with these expanded obligations, the Connecticut amendments created an exemption for the internal use of profiling in furtherance of any automated decision, specifically for the detection and correction of bias, provided that specified conditions are met.
  • In contrast, Kentucky's amendments specify that the requirement to conduct a data protection assessment for profiling based on a reasonably foreseeable risk of disparate impact on consumers only applies when the disparate impact is "unlawful."
  • On July 24, 2025, the California Privacy Protection Agency voted to adopt highly debated regulations on automated decision-making technology, which must be approved by the Office of Administrative Law before they can go into effect.

More Protections for Minors

In amending their laws, states have prioritized the protection of minors, including older teens, such as with stricter limits on targeted advertising, profiling, and the sale of personal data. The amendments also reflect increasing concerns about mental, emotional, and other potential harms to minors. For example,

  • Montana enacted a range of new protections for minors under 18, including a duty of care, consent requirements (including for targeted advertising, sale, certain profiling, and collection of precise geolocation unless reasonably necessary), and specific data protection assessment obligations. (See our prior post for more details.)
  • Connecticut's amendments also tightened restrictions governing minors' data:
    • Controllers are now prohibited from selling personal data or engaging in targeted advertising for minors under 18. Previously, these activities were allowed for minors under 16 with consent.
    • While controllers may still engage in certain profiling of minors with consent, a controller that offers any online service, product, or feature to consumers whom the controller has actual knowledge, or willfully disregards, are minors, and that "engages in any profiling" of minors, must conduct an impact assessment as described above and implement a mitigation plan to address any identified risk. The Attorney General may require disclosure of both the impact assessment and mitigation plan (just as the Attorney General already has the authority to require disclosure of data protection assessments required by the Connecticut law).
    • Controllers may no longer collect minors' precise geolocation based on consent, even if "reasonably necessary" to provide an online product, service, or feature (and a signal is displayed). Rather, under the amended standard, precise geolocation of minors may only be collected if "strictly necessary" for the provision of the service, product, or feature with no exception for consent (raising the question of what differentiates "strictly" from "reasonably" necessary, a question also raised by the Maryland Age-Appropriate Design Code and Maryland comprehensive privacy law).
    • While Connecticut already imposed a duty on controllers that offer online services, products, or features to minors to avoid "heightened risk of harm to minors," the definition of such harm has expanded to encompass physical violence against minors, material online harassment of minors, and sexual abuse or exploitation of minors.
    • The amendment also adds details to the safeguards required to limit adult and minor communications online, including specifying that the protections must be enabled "as a default setting." The previous requirement limiting unsolicited communications from adults "to minors with whom they are not connected" has been clarified to prohibit such communications unless the minor and adult "are already connected on such online service, product, or feature."
  • As amended by HB 2008, the Oregon comprehensive privacy law prohibits targeted advertising, profiling in furtherance of decisions that produce legal effects or effects of similar significance, or the sale of personal data if a controller has actual knowledge or willfully disregards that the consumer is under 16. Before amendment, the law allowed controllers to process the personal data of such consumers for these purposes with consent.
  • In Virginia, controllers or processors operating social media platforms must implement age verification measures to determine if a user is a minor under 16 and limit minors' usage to one hour per day, with mechanisms for parental consent to modify that limit.
  • Meanwhile, Colorado officials solicited public comments, due September 10, 2025, on targeted rulemaking matters involving minors, including use of system design features that encourage prolonged use, clarification of the standard for "willful disregard" of a consumer's minor status, and the role of age verification measures.

Expanded Protections for Sensitive Data

The amendments broaden the definition of "sensitive" data and impose new restrictions on such data, including a ban on "sale" of precise geolocation in Oregon, which could have broad implications for companies engaged in location-based advertising. Connecticut's expanded definition may also have substantial compliance ramifications in light of the revised standards for the law's applicability, which can be triggered based on any processing of sensitive data.

New Categories

  • As noted, Connecticut expanded the reach of its law to cover entities that process any amount of "sensitive data" while also adding new categories to the definition of "sensitive data," including neural data, financial account information in combination with an access code, government-issued identification number, mental or physical disability or treatment (in addition to condition or diagnosis), and status as nonbinary or transgender. Information from a child is also now sensitive if the controller "willfully disregards" that the consumer is a child. Genetic or biometric data no longer has to be "for the purpose of uniquely identifying an individual" to qualify as sensitive, and "information derived" from such data is now sensitive.

    Note also that biometric data collected without consent and that can be linked to a consumer is explicitly excluded from the definition of "publicly available information" and therefore qualifies as "personal data" even if otherwise publicly available under the amendments.
  • Colorado added precise geolocation data (within a radius of 1,850 feet) as a category of sensitive data.

New Restrictions

  • The Oregon amendments prohibit the sale of precise geolocation data. Given the broad definition of "sale" as any exchange of personal data for monetary or other valuable consideration, the restriction could affect common advertising practices—a concern raised by online advertising industry groups regarding the bill.
  • Both the Colorado and Connecticut amendments prohibit "selling" sensitive data without consent.
  • In addition to general data minimization requirements, the Connecticut amendments emphasize purpose limitations in connection with sensitive data, adding language prohibiting processing unless "reasonably necessary in relation to the purposes for which such sensitive data are processed."

Privacy Notices

The Montana and Connecticut amendments require additional disclosures and more user-friendly and accessible formats for privacy notices. Both states specify that businesses do not need to provide separate state-specific notices as long as the general privacy notice satisfies requirements.

  • In Montana, controllers must now include the date of last update, an explanation of consumer rights, and a clear disclosure of whether they sell personal data or engage in targeted advertising.
  • The Connecticut amendments require privacy policies to include the date of last update, categories of personal data the controller "sells to" (instead of "shares" with) third parties, categories of third parties to whom data is "sold" (instead of "shared"), and whether the controller processes personal data for targeted advertising or sells personal data to a third party for targeted advertising. Controllers must also disclose whether they collect, use, or sell personal data for the purpose of training large language models. The amendments further specify that the requirement to describe how consumers may submit consumer rights requests includes the rights as amended (such as the new right to challenge profiling results).
  • Both the Montana and Connecticut amendments introduce additional language and accessibility requirements for privacy notices. These include specific presentation standards, such as conspicuous hyperlinks with the word "privacy" and requirements for notice placement. The amended laws of both states also require controllers to take "all reasonable electronic measures" to notify consumers of material changes to their privacy notices or practices and provide a reasonable opportunity to withdraw consent for any materially different use of their personal data.

Recent enforcement activity suggests that compliant privacy notices are an enforcement priority. For example, in Connecticut, the Attorney General has conducted privacy notice sweeps and, on July 8, 2025, announced an $85,000 settlement with TicketNetwork, Inc., alleging its privacy notice was "largely unreadable" and "missing key data rights." (See our prior post.) The Oregon Attorney General's March 2025 enforcement report suggests a focus on deficient privacy notices, such as failures to disclose consumer rights, inadequate disclosures of rights, and privacy notices that are not "clear or accessible" to the average consumer, such as by not naming Oregon in the "privacy rights" section of the policy.

Consumer Rights Requests

The amendments in several states add new consumer rights and business obligations.

  • Utah added a consumer right to correct inaccurate personal data.
  • Montana now specifies that controllers must provide a clear and conspicuous method outside the privacy notice to opt out of the sale of personal data or targeted advertising, in addition to providing broader opt-out rights for profiling involving automated decisions described above.
  • Connecticut's amended law grants consumers new rights. In addition to the broader opt-out rights for profiling and new rights to question/know the basis for profiling described above, consumers may now request a list of the third parties to which the controller has sold the consumer's personal data or, if not available, a list of all third parties to which it has sold personal data. The amendments also provide that access rights include information about inferences derived from a consumer's personal data and whether a controller or processor is processing a consumer's personal data for the purposes of profiling to make a decision that produces legal or similarly significant effects.
  • Under the amended laws in Montana and Connecticut, controllers may not disclose certain types of highly sensitive data (e.g., social security, driver's license, or financial account numbers) in response to consumer access requests. Instead, they must inform the consumer with sufficient particularity that such data has been collected.

Recent enforcement actions underscore regulators' emphasis on effective and user-friendly implementation of consumer rights mechanisms. For example, in the TicketNetwork settlement, mentioned above, the Connecticut Attorney General called out "rights mechanisms that were misconfigured or inoperable." Similarly, in the California Attorney General's $1.55 million settlement with Healthline.com, the largest California Consumer Privacy Act settlement to date, the complaint alleged that the company failed to honor consumer requests to opt out of targeted advertising. (See our prior post for more details.) The March 2025 Oregon privacy enforcement report mentioned above also noted completely absent or burdensome consumer rights mechanisms as a common basis for violation notices.

Data Minimization and Secondary Use

Reflecting states' increased focus on data minimization and purpose limitation, the Connecticut amendments prohibit processing personal data for any "material new purpose" without consent. The amendments also specify the factors that bear on whether additional consent is required: the consumer's reasonable expectation based on the disclosed purposes at collection, the relationship of the new and originally disclosed purposes, the impact on the consumer of the new processing purpose, the relationship between the consumer, the controller, and context of the collection, and any additional safeguards, such as encryption or pseudonymization, to be deployed in connection with the new processing purpose.

Given the expanded scope and new compliance obligations under amended laws, businesses should consider necessary steps to stay on top of an increasingly complex patchwork of comprehensive state privacy laws.
