This article is Golden Data's yearly deep dive into the nation's newly enacted privacy laws, capturing the key trends and milestones that defined 2025. This year's legislative wave underscores how states continue to serve as the nation's proving grounds for privacy innovation. With hundreds of active proposals and dozens already enacted, consumer privacy has moved from the margins to the center of digital governance. As data technologies expand to include AI, biometrics, and even neurointerfaces, state lawmakers are racing to establish guardrails before new risks emerge. Whether this momentum leads to federal harmonization or a deeper patchwork remains uncertain — but for now, privacy has unmistakably become a defining feature of the American legislative landscape.

In 2025, data privacy expanded well beyond traditional personal identifiers as states began regulating algorithmic decision-making, AI transparency, and even neural data. Montana now extends privacy protections to "neurotechnology" data, addressing concerns raised by brain–computer interfaces. New York and Massachusetts introduced AI training-data transparency bills requiring disclosure of datasets used to train algorithmic systems, while California and Texas are considering limits on automated profiling and biometric analysis tools. Children's online privacy remained a major focus, with states including Utah, Louisiana, and North Carolina introducing or enacting limits on how platforms collect or use minors' data. States like Hawaii, Massachusetts, and Pennsylvania proposed new rules for GPS and connected-device data, underscoring growing concerns about the reach of smart technologies.

Together, these initiatives signal a shift toward a future in which privacy law governs not only how data is used, but also how machines behave.

While progress remains uneven, the national trend is clearly moving toward greater standardization. States like Massachusetts, New York, Michigan and Illinois considered broad consumer and biometric privacy frameworks, though few comprehensive bills advanced. Notable enactments include:

  • The California legislator is continuing its leadership in privacy with several pending bills that build on the CCPA. Proposals such as S 354 (Consumer Privacy Protection Act of 2025) and S 435 (Sensitive Personal Information Amendments) would refine consumer data rights and clarify responsibilities. S 345 would establish the Insurance Consumer Privacy Protection Act of 2025, setting standards for how insurance licensees and their third-party service providers collect, process, retain, and share consumer data, and making it a misdemeanor — punishable by fines or county jail time — to obtain such information under false pretenses. Under S 435 the existing exclusion of publicly available sensitive personal information from statutory definitions would be removed. The bill also relates to the California Privacy Rights Act of 2020. In parallel, the Agency enacted rules on Data Protection Impact Assessments (DPIAs), cybersecurity requirements, and Automated Decision Making Technologies.
  • Montana enacted S 297, updating the Montana Consumer Data Privacy Act (MCDPA) and substantially revising its requirements. The amendments generally align the law with other states by adding protections for minors, strengthening transparency obligations, and eliminating the cure period. Notably, Montana now has the lowest applicability threshold for businesses.
  • Texas enacted a suite of privacy-focused laws, including S 1343, which requires detailed data broker registration statements, and S 1964, which regulates the use of artificial intelligence in commercial applications. These reflect Texas's transition from sector-specific rules toward a more holistic privacy regime.
  • Utah enacted the App Store Accountability Act (S 142) and Data Privacy Amendments (H 444), both aimed at strengthening commercial accountability for data practices. S 142 requires app store providers to verify a user's age category, obtain parental consent, notify users and parents of significant changes, share specified data with developers, and protect age-verification information. It also prohibits enforcing contracts against minors without parental consent, designates violations as deceptive trade practices, directs the Division of Consumer Protection to set standards for age-verification methods, and creates a private right of action. H 444 updates governmental data-privacy requirements by revising privacy annotations and notices, updating government-website privacy-notice obligations, modifying data-breach notification rules, renaming and expanding the duties of the state privacy auditor, strengthening enforcement provisions, and making technical and conforming updates.

2025 Enactments

  • Arizona's H 2195 requires child-directed applications to take measures preventing inappropriate or mature advertisements — such as those promoting violence, alcohol, or drug use — and establishes criteria for identifying such applications and civil penalties for noncompliance.
  • Arkansas' H 1148 makes the unlawful use of unmanned aircraft systems involving critical infrastructure a Class B misdemeanor, defines related image offenses, allows civil actions for damages, and permits image capture by unmanned aircraft for specified lawful purposes.
  • Arkansas' H 1184 protects consumer privacy in mortgage applications by prohibiting the deceptive use of mortgage trigger leads, requiring disclosure of the loan officer and their affiliated broker or banker, and banning solicitations to consumers who have opted out of prescreened credit offers under the Fair Credit Reporting Act.
  • Arkansas' H 1717 makes it unlawful for operators of websites, online services, or mobile applications directed at or knowingly collecting personal information from children or teens to do so.
  • California's A 137 requires that funds deposited into the Consumer Privacy Grant Fund be used solely by the agency to administer and distribute grants for promoting and protecting consumer privacy, educating children on online privacy, and supporting international law enforcement efforts to combat consumer data breach fraud.
  • Colorado's H 1234 prohibits the state department from requiring applicants for low-income home energy assistance to disclose citizenship or immigration status unless it is a condition of eligibility, to protect utility customers and ensure consumer protection.
  • Colorado's S 38 requires the Division of Parks and Wildlife to keep claimants' personal information confidential, prohibits disclosure under the Open Records Act, and bars private actions challenging the Division's findings that a claimant's own actions made their information public.
  • Colorado's S 276 establishes facility access requirements for child care centers, schools, and health facilities; restricts detention facility access by federal immigration authorities without a warrant; creates the Immigration Legal Defense Fund; and reduces the Department of Labor and Employment's appropriation.
  • Colorado's S 282 makes it a deceptive trade practice for anyone assisting veterans with benefit claims to charge fees exceeding certain limits, with civil penalties directed to the State Veterans Trust Fund.
  • Colorado's S 297 requires the Department of Public Health and Environment to collect data on the health impacts of natural medicine, create a database, regulate licensing for businesses and employees, mandate judicial record checks and product labeling, and reduces an appropriation.
  • Colorado's S 299 requires a solar sales company to provide consumers with specified disclosures when entering agreements for clean energy systems or related services, ensure data privacy and salesperson requirements, offer certain warranties, and mandates utilities offering incentives to supply information, addressing deceptive trade practices.
  • Connecticut's H 6445 implements recommendations from the Office of Higher Education to expand dual credit opportunities, enhance college readiness and remedial support programs at state colleges and universities, and improve information reporting to the credential database.
  • Connecticut's H 7255 concerns judicial branch operations and procedures and the duties of judicial branch personnel.
  • Connecticut's S 3 ​​authorizes the Attorney General, after reasonable investigation and consultation with relevant commissioners, to issue a notice when an abnormal economic disruption exists or is likely imminent.
  • Washington DC's B 571 amends the Student Access to Treatment Act of 2007 to require submission of a seizure action plan for school treatment, permit self-administration of seizure medication, mandate Department of Health training for school staff, and authorize trained employees to administer seizure treatments.
  • Florida's H 515 defines when a person has control over such records, limits claims against qualifying purchasers, clarifies that filing certain financial statements does not establish property rights, authorizes account debtors to discharge obligations, and outlines rules for perfecting related security interests.
  • Florida's S 910 prohibits receiving compensation for referring individuals for veterans benefits assistance, requires disclosure and background screening for compensated advisors, restricts compensation under certain conditions, and classifies violations as deceptive and unfair practices.
  • Florida's S 7010 revises and maintains public records exemptions for the Department of Financial Services and insurers by expanding exemptions to include personnel and payroll records (excluding executive officer details) and eliminating the scheduled repeal of these exemptions under the Open Government Sunset Review Act.
  • Georgia's H 199 modifies provisions on protecting personally identifiable information of judges and their spouses, abolishes the Administrative Office of the Courts' database of protected persons, establishes a statewide form for requesting information restriction, and requires state and local governments to withhold such information from public disclosure.
  • Hawaii's S 1048 clarifies standards for online crowdfunding by requiring non-exempt platform charities to register with the Department of the Attorney General, file annual financial reports and fees, and comply with rules governing solicitation on charitable fundraising platforms.
  • Indiana's H 1004 authorizes the office to create and implement Medicaid state plan amendments to provide disproportionate share payments for state mental health institutions and hospitals, and to adjust the hospital reimbursement fee formula to offset reductions in federal medical assistance.
  • Indiana's S 141 establishes procedures for law enforcement agencies to conduct lineups or in-person witness identifications, requiring a neutral lineup investigator, inclusion of only one suspect, prohibition of influence on the eyewitness, and use of fillers resembling the perpetrator's description.
  • Louisiana's H 37 ​​relates to the duty of care when contracting with minors; establishes a duty of care for a covered platform; provides for definitions; provides for exceptions; provides limitations on how adults interact with minors on covered platforms.
  • Louisiana's H 570 relates to minors use of applications; provides for definitions; provides for application store requirements; provides for developer requirements; provides for protections; provides for applicability; provides for enforcement; provides for severability.
  • Louisiana's S 61 requires insurers offering private passenger automobile, homeowners, motorcycle, mobile home owners, noncommercial dwelling fire, boat, watercraft, snowmobile, and recreational vehicle insurance to provide consumers with copies of any credit information used for underwriting or renewal and to file their insurance scoring models with the Department of Insurance.
  • Maine's H 356 prohibits the doxing of a minor and to authorize a related civil action.
  • Minnesota's H 2115 revises policies for aging and disability services, health and behavioral health programs, and related departments, updates terminology for children's mental health, and codifies federal approval notification requirements.
  • Minnesota's S 2884 modifies multiple public retirement plans by increasing benefit multipliers and postretirement adjustments for general employees, legislators, unclassified employees, teachers, peace officers, and firefighters, and by revising duty disability and health insurance continuation provisions.
  • Minnesota's S 3045 establishes a biennial budget, appropriates funds for the legislature and various state entities, transfers money, authorizes additional legislative positions, and creates a Healthy Aging Subcabinet.
  • Missouri's H 974 relates to insurance modernization through standards governing digital systems.
  • Missouri's S 68 requires local educational agencies to report school safety incidents to the Department of Elementary and Secondary Education, ensure compliance with the Get the Lead Out of School Drinking Water Act, and implement a cardiac emergency response plan for incidents of sudden cardiac arrest or similar emergencies on school campuses.
  • Montana's S 124 clarifies that showing or handing an electronic driver's license to a peace officer does not constitute consent to search or seize the electronic device.
  • Montana's S 163 expands the law to include neurotechnology data, adds legislative findings and purposes, strengthens privacy protections and notice requirements, revises exceptions, and provides a definition for neurotechnology data.
  • Montana's S 297 requires data controllers to provide consumers with notice and opt-out options regarding information collection, issue privacy notices, fulfill specified duties based on role, and for the attorney general to post information on rights and responsibilities online.
  • Nebraska's L 298 provides that confidential information or records shared with the Office of Public Counsel must remain confidential and may not be disclosed by its employees to anyone outside the office, including members of the Legislative Oversight Committee.
  • Nebraska's L 474 renames the Nebraska Installment Sales Act, consolidates it by transferring and repealing provisions of the Nebraska Installment Loan Act, and removes certain provisions related to installment sales and loans.
  • Nebraska's L 521 provides that cities of the metropolitan class shall hold primary elections for elective officers on the first Tuesday of April preceding the general election, and general elections on the first Tuesday after the second Monday in May 1993 and every four years thereafter.
  • Nebraska's L 613 changes provisions relating to the disclosure of tax information to municipalities.
  • Nebraska's L 660 adopts the State Building Construction Alternatives Act and the Secure Drone Purchasing Act, requires agencies to submit a federal funding inventory, and revises provisions governing state building planning, construction, procurement, works of art acquisition, agency regulations, and professional liability insurance.
  • Nevada's A 197 requires government entities, with limited exceptions, to keep confidential and refrain from requesting or disclosing personal information about donors, members, or volunteers of nonprofit organizations.
  • Nevada's A 207 requires the Commissioner of Insurance to annually issue a data request to certain insurers to assess compliance with the federal Mental Health Parity and Addiction Equity Act, mandates submission through the System for Electronic Rate and Form Filing, and designates the collected data as a public record except for personally identifiable information and trade secrets.
  • Nevada's A 248 enacts the Physical Therapy Licensure Compact, authorizes information sharing with the Compact's data system, grants compact practitioners the same legal status as Nevada-licensed physical therapists or assistants, and updates related terminology.
  • Nevada's A 368 authorizes patients in certain covered facilities to install electronic communication devices under the same conditions as those in skilled nursing facilities and allows the Division of Public and Behavioral Health to deny, suspend, or revoke a facility's license for noncompliance with these requirements.
  • Nevada's S 445 requires the Department of Education to transfer student data to an archival system within one year after graduation or withdrawal and to remove personally identifiable information, except for the student's birth date, before the transfer.
  • Nevada's S 460 revises rules for improving academic achievement, updates school district accountability reporting, establishes a School District Oversight Board, and modifies provisions for school district boards, the Commission on School Funding, and the Early Childhood Literacy and Readiness Account.
  • New Hampshire's H 2 makes appropriations for the expenses of certain departments of the state for fiscal years ending June 30, 2026, and June 30, 2027.
  • New Hampshire's H 77 prohibits certain licensees from electronically recording or storing personal information obtained from an identification card.
  • New Hampshire's H 310 establishes a commission to study and recommend a regulatory framework for stable tokens, tokenized real-world assets, and blockchain-based trusts, including issues of consumer protection, privacy, environmental impact, and risk management.
  • New Jersey's A 2813 enters the State into the Social Work Licensure Compact, establishing a multistate licensing system allowing licensed social workers to practice across member states under certain conditions and providing for adverse actions, a governing commission, and data collection on member states.
  • New York's A 920 expands the definition of private information in the General Business Law to include medical and health insurance information, making such data subject to identity theft and privacy protection provisions.
  • New York's S 3007 requires the commissioner of health to provide quarterly reports on known and projected Medicaid expenditures for the specified state fiscal year.
  • North Carolina's H 67 establishes a streamlined, cooperative process among member states to reform healthcare workforce licensing and allow physicians to obtain multistate licenses, enhancing healthcare access and license portability.
  • North Carolina's S 479 supports community retail pharmacies and improves transparency by prohibiting insurers from restricting insured individuals who qualify for pharmacy service reimbursement from choosing a participating pharmacy of their choice under the insurer's health benefit plan.
  • North Dakota's H 1127 requires financial corporations to establish and maintain a risk-based information security program overseen by a designated qualified individual, and addresses related Department of Financial Institutions procedures on compliance, licensing, and enforcement.
  • North Dakota's H 1134 provides that a person commits an offense if, with intent to frighten or harass another, they communicate or publicly disclose an individual's personal identifying information through writing or electronic means.
  • North Dakota's S 2113 concerns certified community behavioral health clinics and the financing of health and human services, outlining the powers and duties of the Department of Health and Human Services, treatment hearing timelines, and the membership of the cross-disability advisory council.
  • Oregon's H 2421 relates to direct admissions; includes upon the consent of the institution, any private post-secondary institution that meets the criteria.
  • Oregon's H 2567 establishes grants for regional entities and federally recognized tribes to assist in purchasing and installing heat pumps, allows additional funding through existing agreements when available, and sets energy efficiency rating requirements.
  • Oregon's H 3875 requires motor vehicle manufacturers and their affiliates to comply with state privacy laws when controlling or processing personal data collected from consumers' use of motor vehicles, regardless of how many consumers' data is obtained.
  • Oregon's S 277 permits law enforcement agencies or public bodies to share or agree to share information as necessary to carry out an international extradition and return of a person charged with or convicted of a crime in the state and subject to an arrest warrant.
  • Oregon's S 537 creates workplace violence prevention requirements for certain health care entities.
  • Oregon's S 840 modifies and adds laws regulating drivers, vehicles, dealers, and dismantlers, authorizing the Department of Transportation to contract with qualified providers to conduct driver-related transactions and process associated fees or taxes on its behalf.
  • Rhode Island's H 5067 allows licensed dietitians from other compact states to become licensed in Rhode Island and vice versa, increasing public access to dietetic services and strengthening public health protections.
  • Rhode Island's S 345 allows licensed dietitians from other compact states to obtain licensure in Rhode Island and Rhode Island dietitians to be licensed in other compact states, expanding access to dietetic services and enhancing public health and safety.
  • South Carolina's H 3752 establishes the Social Work Interstate Compact, mandates state and federal fingerprint-based criminal records checks for social worker licensure and law enforcement certification applicants, and regulates the confidentiality and permitted uses of those records.
  • South Carolina's S 126 restrict disclosure of eligible officials' personal contact information on government websites, allow limited disclosure under subpoena, and direct the Office of Court Administration and the State Criminal Justice Academy to implement related procedures.
  • Texas' H 793 relates to the confidentiality of certain personal information of an applicant for or a person protected by a protective order.
  • Texas' H 2221 ​​relates to certain trade practices related to life insurance, annuity contracts, and accident and health coverage.
  • Texas' H 3801 relates to the establishment of the Health Professions Workforce Coordinating Council and a workgroup on nursing career pathways and the abolition of the statewide health coordinating council and the nursing advisory committee of that council.
  • Texas' H 4215 ​​relates to the regulation of delivery network companies; requires an occupational permit; authorizes a fee.
  • Texas' H 5081 relates to the protection of personal identifying information of certain individuals in the judicial system; creates a criminal offense.
  • Texas' S 370 relates to the availability of certain personal information of a child, spouse, or surviving spouse of a current or former employee of the office of the attorney general or of a public defender's office.
  • Texas' S 569 relates to virtual education in public schools and authorizes the Commissioner of Education to waive or modify methods for calculating average daily attendance during emergencies or crises to preserve school district funding under the Foundation School Program, and it authorizes a fee.
  • Texas' S 1188 relates to electronic health record requirements; provides that a covered entity shall ensure that electronic health records under the control of the entity that contain patient information are physically maintained in the United States or a territory of the United States.
  • Texas' S 1343 relates to the notice requirements of a data broker registration statement and Internet website.
  • Texas' S 1964 ​​relates to the regulation and use of artificial intelligence systems and the management of data by governmental entities.
  • Texas' SCR 8 expresses opposition to the creation of a central bank digital currency.
  • Utah's H 124 restricts local education agencies from selling or transferring certain contact information without consent, prohibits mandating specific technologies on personal devices, requires accommodations for required technology use, and authorizes employee complaints and State Board of Education investigations with potential corrective or licensure action.
  • Utah's H 418 requires social media companies to provide interoperable data interfaces, establishes consumer rights for social media data, authorizes the Division of Consumer Protection to enforce compliance, and imposes civil penalties for violations.
  • Utah's H 444 revises various aspects of governmental data privacy by updating privacy and breach notification requirements, renaming and redefining the duties of the state privacy auditor, enhancing enforcement provisions, and making related technical and conforming changes.
  • Utah's S 105 establishes protections for students' reasonable expectation of individual privacy and personal modesty by prohibiting requirements to undress in the presence of others and presuming compliance for schools that provide single-occupant or fully private changing facilities.
  • Utah's S 142 requires app store providers to verify users' ages, obtain parental consent, notify users and parents of major changes, protect and regulate age verification data, and prohibits enforcing contracts with minors without parental consent, designating violations as deceptive trade practices and creating a private right of action.
  • Utah's S 150 clarifies that under the Notice of Intent to Sell Nonpublic Personal Information Act, individuals — not class or representative groups — may bring actions against commercial entities in federal or state court, and confirms that the prohibition of class actions since the specified date is a remedy provision rather than a procedural rule.
  • Vermont's H 137 amends state insurance laws under the Department of Financial Regulation, addressing captive and property-casualty insurance, confidentiality of regulatory reports, unfair trade practices, and Medicare supplement rate standards.
  • Vermont's H 454 relates to transforming state's education governance, quality, and finance systems; creates five school districts to govern the public education system for the entire State, each governed by a school board and operated by a central office.
  • Vermont's S 63 removes the Green Mountain Care Board's duties related to health information technology oversight and Medicaid advisory rate cases, while revising its authority over the certification and budget review of accountable care organizations.
  • Virginia's H 1937 requires the Commissioner of Behavioral Health and Developmental Services to ensure contracts with private administrators include provisions protecting patient privacy and data security, with exemptions under the Virginia Freedom of Information Act.
  • Virginia's S 754 declares that it is unlawful for a supplier to engage in fraudulent acts in a consumer transaction, including obtaining, disclosing, selling, or sharing a consumer's personally identifiable reproductive or sexual health information without their consent.
  • Virginia's S 781 prohibits the Commonwealth from publishing on the Internet the personal information of a public official when a court has ordered such information withheld and the official has submitted a written demand, with the restriction effective for a specified period for retired or former law enforcement officers.
  • Virginia's S 1339 requires telephone solicitors to transmit their phone number and, when available, their name, and ensures the number allows recipients to request not to receive future calls or texts, including via reply text message for text solicitations.
  • Virginia's S 1439 establishes that data from the Acute Psychiatric Bed Registry shall be used solely for placing individuals needing psychiatric care and directs the Commissioner of Behavioral Health and Developmental Services to form a Bed Registry Advisory Council to guide its creation and operation.
  • Virginia's S 1486 establishes requirements and restrictions to ensure the protection of student personal information and educational records in the procurement, provision, and use of school-issued devices.
  • Washington's H 1023 ​​relates to the cosmetology licensure compact.
  • Washington's H 1382 relates to modernizing the all payers claims database by updating reporting requirements, data disclosure standards, and lead organization requirements.
  • Washington's H 1468 relates to accounts; provides that the department shall distribute the funds no more than specified number of days after the central nursing resource center submits to the department an invoice and any additional documentation required by the department.
  • Washington's S 5262 corrects obsolete or erroneous references in statutes administered by the insurance commissioner, by repealing defunct statutes and reports, aligning policy with federal law and current interpretations, making timeline adjustments, protecting patient data, and making technical corrections.
  • Washington's S 5419 requires authorized insurers to report each fire loss of property in the state to the insurance commissioner within 90 days of closing or further investigating a fire-loss claim, using a prescribed reporting method that may include a third-party vendor.
  • West Virginia's S 565 updates the regulation of optometry by defining key terms, expanding the scope of practice to include specific procedures for trained practitioners, authorizing the use of lasers under board regulation, establishing certification and training requirements, setting treatment guidelines, prohibiting certain practices, and providing exemptions from specified review processes.

Resources

National Conference of State Legislatures (NCSL): Consumer Privacy 2025 Legislation (Updated July 28, 2025)