
2025 Data law trends

6. US state consumer privacy laws are expanding

By Christine Chong, Christine Lyon

IN BRIEF

Consumer privacy legislation in the US has reached a critical turning point. With no comprehensive nationwide privacy law in place, individual states have begun enacting their own laws to safeguard consumer privacy. Currently, over 40 percent of US states have implemented consumer privacy laws, and momentum continues to grow as additional states propose and consider their own legislation.

While these new state laws share some commonalities, their unique obligations contribute to a complex compliance landscape. Furthermore, certain states are also introducing specialized privacy laws, such as those focused on consumer health data. In this chapter, we explore the current status of US state consumer privacy laws, highlight key areas of alignment and divergence, and offer predictions regarding upcoming enforcement priorities.


California was the first state to pass a comprehensive consumer privacy law, the California Consumer Privacy Act (CCPA), in 2018. Other states have since followed, and the first half of 2024 saw a surge of new laws; at one point a new state law seemed to pass weekly. These state consumer privacy laws are either already in effect or come into effect on a rolling basis through 2026.

As of the end of August 2024, 20 states had passed consumer privacy laws, and two further states had passed consumer health data laws. Notably, these laws have gained support on both sides of the political aisle, from both Democratic and Republican legislators.

The chart below shows the degree of bipartisan support for these privacy laws, reflecting, in blue, the states with consumer privacy laws with Democratic-party affiliated governors, and red for states with Republican-party affiliated governors.

[Chart: states with consumer privacy laws, coloured by the governor's party affiliation; laws passed as of August 31, 2024. Consumer health data specific laws (marked with an asterisk): Nevada Act Relating to Data Privacy; Washington My Health My Data Act.]

While there initially appeared to be momentum in Congress toward a federal privacy bill, including for the American Privacy Rights Act of 2024 (APRA) being deliberated in this 118th Congress, support for the APRA has appeared to cool and commentators now think it’s unlikely that the APRA will pass in its current form in this legislative session.


We have reached a turning point in US privacy regulation, and there is no going back: the future involves greater regulation and protection for consumers.

Christine Lyon, Partner

This means that, for the foreseeable future, the state-level privacy laws are here to stay. Notoriously, the US has 50 different state data breach laws, and in principle, we could potentially end up with 50 different state consumer privacy laws as well.

The state consumer privacy laws share many core elements, including requirements related to:

  • notice (eg additional detailed notices required in certain states);
  • consumer rights (eg access, correction and deletion rights, as well as rights to limit processing of sensitive personal information and to opt out of certain activities, such as sale or sharing/use of personal information for targeted advertising);
  • oversight of service providers/processors; and
  • governance and accountability (eg data protection assessments, training and record-keeping).

While the state consumer privacy laws have started aligning in certain areas, none of these laws are exact duplicates, and the detailed requirements vary from state to state. Below, we highlight a few of the key areas where the laws differ more fundamentally in approach.

Applicability Thresholds

The laws generally apply to companies that conduct business in that state or produce goods or services that are targeted to residents of that state and meet certain thresholds, such as the number of consumers whose personal information they process each year and the level of revenue (if any) they derive from sale of personal information.

For example, the Virginia Consumer Data Protection Act (the Virginia law) applies to businesses that produce products or services that are targeted to Virginia residents and (i) during a calendar year, control or process personal information of at least 100,000 consumers, or (ii) control or process personal information of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal information.

In contrast, other laws apply only to companies that meet an annual revenue threshold (such as the CCPA) or exclude small businesses as defined by the US Small Business Administration. These laws may also apply, to varying degrees, to non-profit organizations.

Scope of Covered Individuals

Most of the laws apply only to consumers acting in an individual or household context and exclude individuals acting in an employment or professional/B2B context. However, the CCPA applies to all California residents, including those acting in an employment or professional/B2B context.

Sensitive Data Opt-in versus Opt-out; Health Data

The laws provide heightened protections for a wide range of data defined as ‘sensitive’ under these laws, such as:

  • government issued identification numbers (eg Social Security Number);
  • precise geolocation;
  • data revealing racial or ethnic origin;
  • genetic or biometric information; and
  • personal information concerning a known child.

Certain laws include additional types of data as sensitive, for example, under the CCPA, sensitive personal information includes union membership, as well as the contents of a consumer’s mail, email and text messages (unless the business is the intended recipient of the communication).

The Oregon Consumer Privacy Act includes a consumer’s status as transgender or nonbinary, or status as a victim of crime, as ‘sensitive’ data.

While some may assume that California’s CCPA has the highest requirements among the state privacy laws, the CCPA takes a less restrictive approach to sensitive data than many of the later state consumer privacy laws: the CCPA requires businesses to allow California residents to limit the processing of their sensitive personal information (similar to an opt-out approach), while many of the other state consumer privacy laws require businesses to obtain opt-in consent to process a consumer’s sensitive personal information.

New health data laws impose novel requirements for consumer health data, with distinct notice and consent obligations. For example, the Washington My Health My Data Act requires that businesses provide a separate and distinct link to a Consumer Health Privacy Policy, which may not contain information beyond what the law requires.

Sale of Personal Information; Use for Targeted Advertising

The laws give consumers varying rights to opt out of the ‘sale’ of their personal information, and to opt out of the use of their personal information for targeted advertising.

California’s CCPA obligations are particularly broad-reaching and administratively burdensome, given the CCPA’s expansive definition of ‘sale’ and requirement to include a specific ‘do not sell or share my personal information’ link if a company engages in covered ‘sales’ or ‘sharing.’ Differing definitions of ‘sale’ among these laws also can complicate attempts to take a cohesive approach across states.

Governance

The laws generally require that businesses conduct a data protection assessment for processing activities that present a heightened risk of harm to a consumer. The Minnesota Consumer Data Privacy Act goes further and requires that companies maintain an ‘inventory’ of personal information, and separately document and maintain a description of policies and procedures to comply with the law, including where applicable, the name and contact information for the chief privacy officer or other individual with primary responsibility.

California’s CCPA also includes training requirements for personnel handling privacy-related inquiries or requests.

State attorneys general and regulatory agencies can initiate investigations and enforcement actions against both controllers and processors. For example, the CCPA regulations provide that the California Privacy Protection Agency (CPPA) may audit a ‘business, service provider, contractor or person,’ and that the audit may be announced or unannounced as determined by the CPPA. The Virginia law also explicitly states that the Attorney General has authority to enforce the provisions of the law against controllers and processors.


Regulators, including attorneys general and privacy enforcement agencies, have newfound powers under these state consumer privacy laws — and they are prepared to exercise those powers.

Christine Chong, Associate

Because the state privacy laws are relatively new, we focus on predictions, informed by enforcement actions and guidance issued under the oldest of these laws.

  • 2025 will come with more enforcement actions and continued ‘sweeps.’ State attorneys general and regulators have initiated investigative ‘sweeps’ of certain industries under these laws, in which the regulator sends information requests to companies and may open further investigations based on their responses. Examples include California regulators sending letters to businesses with popular streaming apps and devices, as well as sweeps on topics such as employers and HR-related data, mobile applications and loyalty programs. In July 2023, the CPPA initiated an inquiry into the privacy practices of connected vehicles and related technologies, which is understood to be ongoing.
  • 2025 enforcement actions will focus on processing of sensitive data. Colorado has announced an investigative sweep focused on the collection and use of sensitive data, including the requirements to obtain consent before collecting sensitive data and to allow consumers to opt out of targeted advertising and profiling. Additionally, the Texas Attorney General launched a major data privacy and security initiative in summer 2024 to establish a team focused on ‘aggressive enforcement’ of Texas’ privacy laws. The statement noted that the data privacy enforcement team will focus on several privacy laws to protect Texans’ sensitive data.
  • 2025 enforcement actions will be responsive to consumer complaints. State attorneys general and regulators have emphasized that they are listening to consumer complaints and taking action informed by these complaints. For example, the CPPA has detailed its process to review and evaluate every complaint that it receives, and over 2,000 consumer complaints were received from July 6, 2023 to June 30, 2024. The California Attorney General also noted that one of its major recent CCPA actions arose in part from a consumer’s complaint on social media about the company’s processing of their personal information. The volume of complaints will likely increase over time, as a number of the state consumer privacy laws now require a business to provide the consumer with a mechanism or information through which the consumer may contact the Attorney General to submit a complaint if the business has denied the consumer’s request even in part.

Looking Ahead

As the number of US state consumer privacy laws continues to grow, it’s crucial for companies to take proactive steps to navigate this evolving landscape.

Here are three key actions to consider:

1. Develop a Compliance Strategy: Collaborate with your business teams to create a comprehensive approach for complying with state privacy laws. With new legislation emerging regularly, having a robust privacy compliance strategy will help you establish sustainable policies and procedures.

2. Review Consumer Rights Mechanisms: Take a close look at the rights mechanisms available to consumers. This includes evaluating the methods you have in place and ensuring you’re ready to respond effectively.

Keep in mind:

  • This area is under high scrutiny, with significant volumes of complaints reported by the CPPA.
  • Consumer rights mechanisms are highly visible to regulators, making it easy for them to spot potential deficiencies (for example, companies receiving CCPA notices of violation for failing to include a ‘Do Not Sell or Share My Personal Information’ link on their sites).
  • Prioritizing these mechanisms is essential, as they are a focal point of US state privacy laws and play a crucial role in building customer trust.

3. Educate and Engage Your Team: Share updates on new privacy laws and provide training for employees on how to handle data subject requests and the importance of compliance. Keeping your team informed and engaged is vital for fostering a culture of privacy within your organization.
