A Mid-Year Privacy Check-In – Important Developments and New Compliance Obligations for Privacy Laws

During the first half of 2025, state legislators and regulators have been working overtime to enact new data privacy laws and expand existing laws, all of which are likely to have an impact on businesses in the remainder of the year and into 2026. These efforts reflect key themes such as increased regulation of teen data and social media platforms, enhanced restrictions on the collection and sale of geolocation and biometric data, simplified opt-out mechanisms for tracking technologies, and broader obligations concerning consumer health data and data minimization. In parallel, significant regulatory activity surrounding AI has emerged, including a new federal AI Action Plan and proposed amendments to the CCPA addressing automated decision-making technologies, alongside a wave of new state AI laws.

Beyond tackling new subject areas, lawmakers have expanded the scope of existing legislation. This includes lowering thresholds of applicability and removing exemptions for specific entity types broadly subject to federal privacy laws such as the Gramm-Leach-Bliley Act (GLBA).

Enforcement activity has continued apace. California regulators have issued several instructive enforcement actions within the last six months, focusing on the need to audit cookie classifications, pressure test opt-out links, and scrutinize the user experience as consumers exercise their privacy rights. The California Privacy Protection Agency is also beginning to focus on purpose limitations in CCPA regulations, in particular as they relate to sensitive data uses. Enforcement reports from state attorneys general mirror these concerns and stress the importance of clear privacy policy disclosures that clearly apprise state residents of their rights.

Industry pushback against aggressive state legislation has seen mixed results. Litigation in federal court around laws seeking to protect children online has led to some state laws being upheld, and some struck down, leaving a complex landscape for age verification standards and age-appropriate design code initiatives. Also unsuccessful, at least this year, was an effort by some California legislators to clarify the scope of the state’s wiretap law (CIPA) in a manner that would have put an end to the “shakedown” lawsuits and demand letters hitting businesses of all sizes for common and even purely operational website functionality. On the other hand, industry (and California legislative) efforts to rein in some of the more aggressive elements of proposed CCPA AI regulations appear to have succeeded, as proposed rules making their way through the final stages of rulemaking were significantly scaled back from initial drafts. (For more information about recent CCPA rulemaking, see Sidley Data Matters – California Privacy Protection Agency Advances Substantial Rulemaking – Cyber Audits, Risk Assessments, New Automated Decisionmaking Rights, and More). At the federal level, efforts to place a moratorium on enforcement of the growing patchwork of state AI laws also failed—which may further bolster the trend of state AI legislation.

These developments unfold within a broader legal landscape already defined by close to two dozen state privacy laws—some newly effective in 2025 and others becoming effective later this year and in January 2026.

Notable Trends – Mid Year 2025

  1. Children and Teen Privacy and Online Protection

Several states have enacted strict laws targeting the collection and sale of minors’ data. Key provisions vary by state and include:

  • Opt-in consent for the collection of teens’ data unless reasonably or strictly necessary to provide a service or product (e.g., NY, CO, MT);
  • Opt-in consent for the sale of teen data or its use for targeted advertising (e.g., CO, NY);
  • Complete bans on targeted advertising or sale of teen data, regardless of consent (e.g., OR); and
  • Prohibitions on the sale of geolocation data (e.g., LA [for social media platforms], MD [all ages]).

In addition, Colorado has initiated rulemaking to define what constitutes “willful disregard” in determining a user’s minor status, and how service design features might increase or sustain a minor’s use of an online service, potentially in violation of provisions of Colorado’s privacy law regarding minors’ data. The state’s amendments apply even to businesses that don’t meet the general CPA thresholds, but make products or services available in Colorado—an approach also adopted by Montana and Oregon.

The impact of app store age-verification laws, scheduled to take effect in 2026, could be significant. These laws would require app stores to verify users’ ages and then send signals to app developers indicating users’ age ranges, with some variation by state. In addition to triggering compliance obligations under state data privacy laws, knowing the age of app users may also implicate compliance with the federal Children’s Online Privacy Protection Act (COPPA), including new regulations finalized earlier this year that, among other things, institute new consent requirements for digital advertising, written information security programs, and more requirements that will be enforceable beginning in April 2026.

  2. Service Providers and Third Parties: Expanded Requirements and Regulator Expectations

States are increasingly requiring transparency around third-party data sharing. For example:

  • Minnesota’s new data privacy law, effective July 31, 2025, grants residents the right to know the identities of third parties receiving their data—mirroring requirements under Oregon’s law and pending changes in Connecticut’s law that will become effective July 1, 2026.
  • New COPPA rules require entities to disclose, in their online privacy notices, the identities and categories of third parties to which an operator (an entity subject to COPPA) discloses children’s personal data.
  • Regulators in California have signaled their expectation that businesses maintain comprehensive inventories of vendors that process or otherwise receive personal data to ensure appropriate contractual terms required by the CCPA are in place.
  • The Department of Justice’s recently enacted Data Security Program requirements under Executive Order 14117 Preventing Access to Americans’ Bulk Sensitive Personal Data also highlights the importance of vendor diligence.
  • Lawsuits focused on the use of third-party website technologies are also on the rise.

  3. Sensitive Data: Biometric, Sexual Health, and Location Data

Several states have enacted laws concerning sensitive data types, and one bill addressing this topic is still pending:

  • Colorado now mandates opt-in consent for sharing/selling biometric data and requires annual retention reviews—even if biometric identifiers are not used to identify individuals. As previously reported, this amendment to the Colorado Privacy Act applies more broadly than other provisions of the law with data thresholds and instead applies to all companies doing business in Colorado or that otherwise make their products or services available in the state.
  • Virginia, via its Consumer Protection Act (separate from the Virginia Consumer Data Protection Act (VCDPA)) now requires opt-in consent for collecting, selling, or disclosing “reproductive or sexual health” data in connection with consumer transactions, including advertising. This definition is broader than a similar term used in Virginia’s data privacy law, including because it includes derived/inferred data. Notably, this law includes a private right of action and applies more broadly than the VCDPA to all entities doing business in Virginia.
  • Location data restrictions: States have continued to strengthen laws concerning the collection and processing of precise location data. For example, Colorado requires opt-in consent and disclosure when collecting teen geolocation data. Oregon and Maryland have imposed outright bans on sales of geolocation data. A proposed CCPA amendment (AB-322) includes a similar ban on the sale of such data and would also prohibit the leasing or “trading” of such data.

  4. Revisions to Applicability Thresholds and Exemptions

Several states have amended their state data privacy laws to expand their scope, including:

  • Lowered applicability thresholds:
    • Montana: From 50,000 to 25,000 residents’ data.
    • Connecticut: From 100,000 to 35,000 residents’ data; no thresholds for entities that engage in the sale of personal data or that control or process sensitive data (unless used to process payments). Sensitive data definitions were also expanded and will include, for example, biometric data even if not used to identify an individual; financial account log-in or credit card or debit card with access codes or passwords that allow access; and government-issued ID numbers.
  • GLBA exemptions narrowed:
    • Amendments to laws in Connecticut and Montana exempt only GLBA-covered data and certain types of financial institutions—not every type of entity subject to GLBA.
  • Nonprofit exemptions refined:
    • In Montana, nonprofits are now mostly in scope—except those focused on insurance fraud prevention.

Looking Ahead

This mid-year update highlights some of the most important U.S. state privacy developments, with more changes anticipated in the second half of 2025. Privacy enforcement remains a high priority among state AGs and regulators, with additional interpretive guidance likely to emerge. It will be important for businesses to stay vigilant and proactively review their privacy programs for compliance in this rapidly evolving landscape.

Summer law clerk Maya Barbieri also contributed to this blog post.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.