Executive Summary
The United States privacy landscape is experiencing unprecedented transformation in 2025, with twenty states expected to have comprehensive privacy laws in effect by year’s end. Beyond traditional privacy frameworks, states are introducing groundbreaking legislation targeting age verification, artificial intelligence governance, health data protection, and digital identity management. This guide provides compliance professionals with essential insights into these evolving requirements, critical implementation deadlines, and strategic compliance approaches.
Compliance Resources Featured in This Guide:
- PII Compliance Navigator - Interactive tool for sensitive data classification across 19 state privacy laws
- Privacy Rights Navigator - Consumer rights comparison across state privacy laws
- Biometric Privacy Tracker - State-by-state biometric data protection requirements
- Breach Notification Requirements - Comprehensive state breach notification law tracker
For additional context on the evolving threat landscape, see our Global Cybersecurity Incident Review: January–April 2025.
Comprehensive State Privacy Laws
By the end of 2025, twenty U.S. states will have comprehensive privacy laws in effect. Eight new laws became active or will become active during 2025, adding to the twelve states that already had such legislation in place.
New Laws Effective in 2025
Delaware Personal Data Privacy Act (DPDPA)
- Effective Date: January 1, 2025
- Cure Period: 60 days (expires January 1, 2026)
- Applicability Thresholds:
  - Controls/processes personal data of 35,000+ Delaware consumers per year (excluding payment transactions), OR
  - Controls/processes personal data of 10,000+ consumers and derives 20%+ revenue from data sales
- Penalties: Up to $10,000 per violation; $25,000 for repeated violations
Key Provisions:
- Enhanced protections for children’s data (under 13)
- Sensitive data categories include national origin and transgender/non-binary status
- Universal opt-out mechanism requirement
- Data protection assessments mandatory for high-risk processing
Iowa Consumer Data Protection Act (ICDPA)
- Effective Date: January 1, 2025
- Cure Period: 90 days (non-sunsetting)
- Applicability Thresholds:
  - Controls/processes personal data of 100,000+ Iowa consumers, OR
  - Controls/processes personal data of 25,000+ consumers and derives 50%+ revenue from selling personal data
- Penalties: Up to $7,500 per violation
Notable Characteristics:
- Most business-friendly among state privacy laws
- Does NOT grant right to correct inaccurate data
- Does NOT provide opt-out right for profiling
- Does NOT require data protection impact assessments
- Does NOT mandate recognition of universal opt-out mechanisms
- Response time: 90 days (longest in U.S.)
Nebraska Data Privacy Act
- Effective Date: January 1, 2025
- Cure Period: 30 days
- Applicability Thresholds:
  - Conducts business in Nebraska or produces products/services consumed by Nebraska residents, AND
  - Processes or engages in sale of personal data, AND
  - Is NOT a small business under federal Small Business Act
- Penalties: Up to $7,500 per violation
Key Provisions:
- Small business exemption (federal SBA definition)
- Prohibition on sale of sensitive data without consumer consent
- Universal opt-out signal recognition from day one
- Also enacted Age Appropriate Design Code (AADC) legislation
New Hampshire Privacy Act (SB 255)
- Effective Date: January 1, 2025
- Cure Period: Not specified
- Applicability Thresholds:
  - Controls/processes personal data of 35,000+ consumers (excluding payment-only transactions), OR
  - Controls/processes personal data of 10,000+ consumers and derives revenue from data sales
Key Provisions:
- Relatively low applicability thresholds
- Mandates privacy impact assessments
- Entity-level exemptions for nonprofits and HIPAA/GLBA-regulated organizations
- Universal opt-out mechanism requirement
New Jersey Data Privacy Act (NJDPA)
- Effective Date: January 15, 2025
- Response Deadline: 60 days
- Applicability Thresholds:
  - Controls/processes personal data of 100,000+ consumers (excluding payment transactions), OR
  - Controls/processes personal data of 25,000+ consumers and generates revenue/receives discounts from selling data
Key Provisions:
- Does NOT include Family Educational Rights and Privacy Act (FERPA) exemption
- Sensitive data categories include national origin and financial account information
- Division of Consumer Affairs responsible for clarifying universal opt-out technical specifications
- Universal opt-out mechanism required
Tennessee Personal Information Protection Act
- Effective Date: July 1, 2025
- Applicability Thresholds:
  - Controls/processes personal data of 175,000+ consumers, OR
  - Controls/processes personal data of 25,000+ consumers and derives 50%+ revenue from data sales
Key Provisions:
- Both entity-level and data-level GLBA exemptions
- Both entity-level and data-level HIPAA exemptions
- Biometric data included in sensitive data definition
- Data protection assessments required for high-risk processing
Minnesota Consumer Data Privacy Act (MCDPA)
- Effective Date: July 31, 2025
- Cure Period: 30 days (expires January 31, 2026)
- Applicability Thresholds:
  - Controls/processes personal data of 100,000+ consumers per year (excluding payment transactions), OR
  - Derives 25%+ gross revenue from data sales and processes personal data of 25,000+ consumers
- Penalties: Up to $7,500 per violation
Unique Requirements:
- Data processing inventory mandate (rarely required by statute)
- Data-level GLBA exemption only (no entity-level exemption)
- Small business exemption
- Consumers can request list of third parties receiving their data (transparency right)
- Allows consumers to question automated profiling decisions
- Universal opt-out mechanism requirement
Maryland Online Data Privacy Act (MODPA)
- Effective Date: October 1, 2025
- Cure Period: 60 days (discretionary, expires April 1, 2027)
- Applicability Thresholds:
  - Controls/processes personal data of 35,000+ Maryland consumers per year (excluding payment transactions), OR
  - Controls/processes personal data of 10,000+ consumers and derives 20%+ revenue from data sales
- Penalties: Up to $10,000 per violation; $25,000 for repeated violations
Distinctive Provisions:
- Most stringent data minimization standard in U.S.
- Collection limited to “reasonably necessary and proportionate” for providing/maintaining consumer-requested services
- Prohibits sale of sensitive data
- Restricts sensitive data processing to strictly necessary purposes (even with consent)
- Broad definition of “consumer health data” includes gender-affirming treatment and reproductive/sexual healthcare
- Sensitive data includes national origin, transgender/non-binary status, and biometric data
Common Core Principles Across State Privacy Laws
Consumer Rights (Generally Provided):
- Right to access personal data
- Right to delete personal data
- Right to correct inaccuracies
- Right to data portability
- Right to opt out of targeted advertising
- Right to opt out of personal data sales
- Right to opt out of profiling (with exceptions)
💡 Compliance Tool: Use the Privacy Rights Navigator to compare consumer rights requirements across all state privacy laws.
Business Obligations:
- Privacy notice requirements
- Data security measures
- Vendor/processor contract requirements
- Data protection assessments (varies by state)
- Universal opt-out mechanism recognition (most new states)
Sensitive Data Classification: States vary significantly in what they classify as “sensitive” personal data. Categories commonly protected include:
- Racial or ethnic origin
- Religious beliefs
- Health data and medical information
- Biometric data
- Genetic data
- Sexual orientation
- Precise geolocation
- Children’s data
- Social security numbers
- Financial account information
💡 Compliance Tool: Use the PII Compliance Navigator to explore which data types are classified as sensitive across 19 states. This interactive tool helps identify which enhanced protections apply to specific data categories in each jurisdiction.
Exemptions (Vary by State):
- HIPAA-covered entities and/or data
- GLBA-regulated entities and/or data
- FCRA-regulated data
- FERPA-regulated data (except New Jersey)
- Small businesses (Nebraska, Minnesota, Texas)
- Nonprofit organizations
- Government entities
Strategic Considerations
Exemption Structures: States employ either:
1. Entity-level exemptions: Entire organization removed from law’s scope
2. Data-level exemptions: Only specific data types excluded; entity still subject to law
Organizations must carefully analyze which structure applies in each jurisdiction to determine compliance scope.
Harmonization Opportunity: While state-specific nuances exist, companies can often implement a unified baseline compliance program that satisfies the most stringent requirements, then layer on jurisdiction-specific elements as needed.
Additional Analysis: For detailed comparison of the eight new 2025 state privacy laws and strategic compliance approaches, see 2025 US State Privacy Laws: Compliance Guide for 8 New Regulations. This analysis includes:
- GDPR comparison matrix
- Cure period variations
- Enforcement mechanisms
- Revenue threshold analysis
- Implementation strategies
App Store Accountability Acts: The New Frontier
A transformative trend emerged in 2025 with three states enacting “App Store Accountability Acts” that fundamentally reshape how minors access digital applications and services.
Texas App Store Accountability Act (SB 2420)
- Signed: May 27, 2025
- Effective Date: January 1, 2026
- Enforcement: No statutory cure period; violations immediately actionable under deceptive trade practices framework
Core Requirements
Age Verification:
- App stores must verify age of ALL users (not just minors) at account creation
- Four age categories required:
  - Child (<13 years)
  - Younger teenager (13-15 years)
  - Older teenager (16-17 years)
  - Adult (18+ years)
- Method: “Commercially reasonable” verification (undefined in statute)
Parental Consent:
- Minor accounts must be affiliated with verified parent/guardian account
- Parental consent required for EACH individual download, purchase, or in-app transaction
- No blanket consent permissions allowed
- Consent must be renewed when app terms, privacy policies, or monetization features change significantly
Age Category Sharing:
- App stores must share user’s age category and parental consent status with developers upon request
- Developers notified if parental consent is revoked
- Data collection limited to what’s necessary for age verification and obtaining parental consent
Developer Obligations:
- Developers gain “actual knowledge” of user age ranges
- Must comply with requirements based on age information received from app stores
- Safe harbor: Reasonable reliance on app store-provided information
Exceptions:
- Emergency services apps
- Government/emergency service/nonprofit apps without account creation
- Certain nonprofit educational apps
- Apps limiting data collection to COPPA compliance or emergency services
Implementation by Major Platforms
Apple’s Response:
- Updated Declared Age Range API to provide required age categories
- New APIs allowing developers to invoke system experience for re-obtaining parental consent
- Parents can revoke consent to prevent minor app usage
- All users in Texas must confirm age 18+ when creating Apple Account
- Under-18 accounts required to join Family Sharing group
Utah App Store Accountability Act
- Enacted: March 2025
- Effective Date: May 7, 2025
- Compliance Deadline: May 6, 2026
- Private Right of Action: Effective December 31, 2026
Key Distinctions from Texas
Regulatory Guidance:
- Division of Consumer Protection authorized to issue rules establishing acceptable age verification methods
- May establish “reasonableness” threshold for other states to follow
Enforcement:
- Explicit private right of action for parents to sue app stores and developers
- Unlike Texas, no safe harbor provision for app stores using industry standards
Similar Requirements:
- Four-tier age categorization
- Individual parental consent per download
- Age verification for all users
- Data sharing between app stores and developers
Louisiana App Store Accountability Act (HB 570)
- Signed: June 30, 2025
- Effective Date: July 1, 2026
- Legislative History: Similar effort failed in 2024 amid Apple lobbying; succeeded in 2025 with unanimous passage
Distinctive Features
No Developer Safe Harbor:
- Explicitly rejects safe harbor based on reasonable reliance on app store information
- Developers face increased liability compared to Texas and Utah
Age Verification Limitations:
- Requests for age verification or parental consent limited to once every 12 months unless reasonable circumstances exist
Unanimous Support:
- Passed both chambers with no opposition
- Reflects strong bipartisan support for child protection measures
Compliance Implications for App Developers
Universal Impact:
- Laws apply to ALL apps, regardless of target demographic or content type
- Developers not “directing” apps to children still must comply
- Significantly expands compliance obligations beyond COPPA requirements
Implementation Challenges:
1. Age range determination without government-issued IDs (minors)
2. Distinguishing between different age brackets of minor users
3. Building infrastructure for individual consent requests per transaction
4. Managing consent renewals upon policy changes
5. State-specific nuance navigation (different safe harbor provisions, private rights of action)
National Trend: More than a dozen other states are considering similar legislation, creating a complex compliance landscape that may ultimately push for federal standardization.
California’s Technology Safety Package
California enacted nearly a dozen privacy and AI-related bills on October 13, 2025, establishing the nation’s most comprehensive framework for regulating technology companies’ interactions with minors.
AB 56: Social Media Warning Labels
- Signed: October 13, 2025
- Similar Law: Minnesota (first state to enact, July 2025)
Requirements
Warning Display:
- Mandatory mental health “black box warning” labels for users under 18
- Labels must state: “Social media can have a profound risk of harm to the mental health and well-being of children and adolescents”
Frequency:
- First access each calendar day
- After 3 hours of cumulative use (unskippable, 30-second warning)
- Thereafter, once per hour of continued cumulative use
Warning Duration:
- Initial daily warning: Skippable, 10-second minimum
- Extended use warnings: Unskippable, 30 seconds
Covered Platforms:
- Instagram, Snapchat, TikTok, and other social media platforms
SB 243: Companion Chatbot Regulation
- Signed: October 13, 2025
- Effective Date: January 1, 2026
- First of Its Kind: First U.S. state law regulating AI companion chatbots
Context and Catalyst
Tragic Incidents:
- April 2025: 16-year-old Adam Raine died by suicide after suicidal conversations with ChatGPT
- Leaked Meta internal documents showing chatbots engaging in “romantic” and “sensual” chats with children
- Colorado family lawsuit against Character AI following 13-year-old’s suicide after sexualized conversations
Core Requirements
Safety Protocols:
- Establish protocols to detect, remove, and respond to suicidal ideation, suicide, or self-harm expressions
- Report statistics to California Department of Public Health on crisis center prevention notifications
Transparency Disclosures:
- Clear notification that interactions are artificially generated
- Chatbots cannot represent themselves as healthcare professionals
Minor Protections:
- Break reminders for minors
- Prevention of sexually explicit content viewing by minors
- Alert minors every three hours that they’re interacting with AI (not human)
- Prohibition on promoting sexually explicit conduct to minors
Covered Entities:
- Large labs (Meta, OpenAI, Anthropic)
- Focused companion startups (Character AI, Replika)
Industry Response
Support:
- Computer and Communications Industry Association (post-amendments)
- Transparency Coalition
- Some tech companies viewing it as balanced approach
Opposition:
- Child safety advocates initially supported, then opposed after amendments
- Tech Oversight and Common Sense Media preferred AB 1064 (vetoed)
- Concerns about insufficient protections
AB 1043: Digital Age Assurance Act
- Signed: October 13, 2025
- Effective Date: January 1, 2027
- Support: Google, Meta, OpenAI, Snap
- Opposition: Motion Picture Association
Requirements
Operating System Providers:
- Collect birth date or age from account holders at account setup
- Group users into four age brackets
- Provide age signal to application developers
App Developers:
- Must request age range information when app downloaded and launched
- Age range signal creates imputed actual knowledge across all platforms
- Exception: “Clear and convincing” internal information that user’s age differs
Penalties:
- $2,500 per negligent violation per affected child
- $7,500 per intentional violation per child
Privacy-Focused Design:
- Shares age brackets, not specific dates of birth
- Reduces need to collect sensitive data from all users
- Device-level implementation rather than app-specific
Governor’s Directive
Governor Newsom requested legislature address in 2026:
- Streaming service concerns
- Video game developer concerns
- Multi-user account complexities
- Cross-device user profile issues
AB 316: AI Liability Expansion
- Purpose: Remove civil legal defense for AI developers
- Previous Defense: AI products act autonomously, therefore no developer responsibility
- New Standard: Developers can be held liable for AI-caused harms
Other Notable California Laws (2025)
AB 566 (California Opt Me Out Act):
- Requires browsers to include opt-out preference signal functionality
- Public disclosures on how signals work and intended effects
SB 53 (Transparency in Frontier AI Act):
- Requires large AI developers to publicly disclose catastrophic risk mitigation plans
- Applies to foundation models trained using >10²⁶ operations
- Successor to vetoed SB 1047
AB 45 (Reproductive Health and Location Data Privacy):
- Prohibits collection/use/disclosure of personal information from individuals near “family planning centers”
- Exception: Necessary for requested services/goods
SB 361 (Data Brokers):
- Enhanced data collection and deletion requirements for data brokers
AB 621 (Deepfake Pornography):
- Heightened penalties up to $250,000 per offense for profiting from illegal deepfakes
Colorado’s AI Governance Framework
Colorado Artificial Intelligence Act (SB 24-205)
- Signed: May 17, 2024
- Effective Date: February 1, 2026
- Distinction: First comprehensive U.S. framework for “high-risk” AI systems
Scope and Approach
Risk-Based Framework:
- Bifurcates “high-risk systems” from “general purpose models”
- Focuses stringent regulations on systems with significant consumer rights impact
- Similar to EU AI Act approach
Geographic Application:
- Develops/deploys high-risk AI in Colorado
- Targets Colorado consumers
No Revenue/Volume Thresholds:
- Unlike privacy laws, no minimum business size exemptions (except small business carveouts)
Core Definitions
Artificial Intelligence System: “Any machine-based system that, for any explicit or implicit objective, infers from the inputs the system receives how to generate outputs, including content, decisions, predictions, or recommendations, that can influence physical or virtual environments.”
High-Risk AI System: Any AI system that, when deployed, makes or is a substantial factor in making a “consequential decision”
Consequential Decision: Decision with material legal or similarly significant effect on provision/denial or cost/terms of:
- Education enrollment or opportunity
- Employment or employment opportunity
- Financial or lending service
- Essential government service
- Healthcare services
- Housing
- Insurance
- Legal service
Developer Obligations
Reasonable Care Standard:
- Use reasonable care to protect consumers from known or reasonably foreseeable algorithmic discrimination risks
- Rebuttable presumption of reasonable care if compliance with law and AG rules
Documentation Requirements: Make available to deployers, other developers, and Colorado AG (within 90 days upon request):
- General statement of reasonably foreseeable uses and known harmful uses
- Known/reasonably foreseeable limitations and algorithmic discrimination risks
- Information necessary for deployer compliance
- Performance evaluation and discrimination mitigation details
- High-level summary of data types used for training
Public Transparency:
- Clear, readily available statement on website or public use case inventory
- Descriptions of types of high-risk AI systems offered
- How systems manage known/reasonably foreseeable algorithmic discrimination risks
Discovery Reporting:
- Notify AG within 90 days if deployed system caused algorithmic discrimination
- No unreasonable delay in reporting
Trade Secret Protection:
- No requirement to disclose trade secrets, legally protected information, or security risk information
Deployer Obligations
Reasonable Care Standard:
- Use reasonable care to protect consumers from algorithmic discrimination risks
- Rebuttable presumption if compliance with law and AG rules
Risk Management:
- Implement risk management policy and program
- Specify principles, processes, and personnel for identifying, documenting, and mitigating algorithmic discrimination risks
Impact Assessments:
- Annual impact assessments for high-risk AI systems
- Can address comparable set of systems in single assessment
- Must disclose extent system used consistently with or varied from developer’s intended uses
Consumer Disclosures:
- Notify consumers when interacting with AI system
- Notify consumers when AI made decision adverse to their interests
- Provide statement about purpose/nature of AI system
- Contact information for human review of AI decision
Discovery Reporting:
- Without unreasonable delay (max 90 days), notify AG if system caused algorithmic discrimination
Small Business Exemptions
Small businesses (fewer than 50 full-time employees) exempt from several requirements if:
1. Does not use own data to train high-risk AI
2. Uses system for developer’s disclosed intended purposes
3. System continues learning only from data not derived from business’s own data
4. Makes certain impact assessments available to consumers
Other Notable Exemptions
- High-risk AI approved by or following federal agency standards
- Research supporting federal agency approval applications
- Excluded tools: calculators, databases, anti-virus software, networking, spreadsheets, spam-filtering, data storage, cybersecurity
- Chatbots with acceptable use policy prohibiting discriminatory/harmful content generation
Enforcement
Attorney General Authority:
- Exclusive enforcement
- Rulemaking power for implementation
- No private right of action
Violation Classification:
- Unfair trade practice under Colorado Consumer Protection Act
Affirmative Defenses:
1. Robust AI Governance: Implementation of risk management compliant with frameworks (NIST AI RMF, ISO 42001)
2. Federal Compliance: Following federal agency standards
💡 Related Resource: For broader privacy compliance strategies in the AI era, see Data Protection Officers and AI: Navigating Privacy in the Age of Machine Learning
Governor’s Concerns
In signing statement, Governor Polis:
- Acknowledged “complex compliance regime”
- Expressed concerns about:
  - Potential innovation dampening
  - Competitive disadvantages
  - State law patchwork risks
- Urged legislative refinement through AI impact task force (HB24-1468)
Compliance Timeline
Phase 1 (Now - February 1, 2026):
- Stakeholder engagement through AI impact task force
- Potential legislative refinements
- Development of AI governance programs
Phase 2 (February 1, 2026+):
- Full law enforcement begins
- Attorney General rulemaking
- Compliance audits and assessments
Washington’s Health Data Protection
Washington My Health My Data Act (MHMDA)
- Signed: April 27, 2023
- Effective Dates:
  - July 23, 2023: Geofencing prohibitions (Section 10)
  - March 31, 2024: Sections 4-9 (non-small businesses)
  - June 30, 2024: Sections 4-9 (small businesses)
Context and Purpose
Legislative Intent:
1. Close HIPAA protection gap for health data not collected by covered entities
2. Respond to Dobbs v. Jackson Women’s Health Organization Supreme Court decision
3. Protect reproductive healthcare access and privacy
Support:
- 76% of Washingtonians support the Act
- Developed by Attorney General Bob Ferguson
- First privacy-focused law protecting non-HIPAA health data
Scope: Extraordinarily Broad
Geographic Application:
- Entities doing business in Washington
- Entities providing products/services “targeted” to Washington consumers
- No revenue or volume thresholds (affects SMBs)
Consumer Definition:
1. Natural person who is Washington resident, OR
2. Natural person whose consumer health data is collected in Washington
Note: “Collect” means buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process in any manner
Consumer Health Data: Expansive Definition
Includes:
- Information identifying past, present, or future physical/mental health status
- Individual health conditions
- Diseases, treatments, procedures
- Bodily functions
- Reproductive or sexual health information
- Gender-affirming care information
- Biometric data (includes imagery/voice recordings from which identifier template can be extracted)
- Genetic data
- Precise location information that could reasonably indicate attempt to acquire health services
- Data identifying consumer seeking health care services
- Any information derived or extrapolated from non-health data (proxy, derivative, inferred, emergent data via algorithms or machine learning)
💡 Compliance Tool: For biometric data requirements across states, use the Biometric Privacy Tracker to understand varying state-specific protections for biometric information beyond Washington’s MHMDA.
Health Care Services (Broadly Defined): “Any service…to assess, measure, improve, or learn about a person’s mental or physical health”
Key Expansions Beyond Traditional Health Data:
- Fitness tracking apps and wearables (Fitbit, Apple Watch)
- Menstrual cycle trackers
- Nutrition apps
- Mental wellness apps
- Data inferred from purchase patterns (e.g., “pregnancy prediction scores”)
- Perspiration tracking
- Digestion tracking
Exemptions:
- Personal information used for public/peer-reviewed scientific, historical, or statistical research (with proper ethics oversight)
- De-identified data (if requirements met)
- Certain publicly available data
- Data subject to HIPAA, GLBA, FCRA, FERPA
Core Requirements
Opt-In Consent Standard (GDPR-Level):
- Required for any collection, use, disclosure, or processing beyond what’s necessary for consumer-requested product/service
- Consent must be:
  - Clear affirmative act
  - Freely given
  - Specific
  - Informed
  - Opt-in
  - Voluntary
  - Unambiguous
- Consent cannot be:
  - Inferred
  - Bundled with other consents
  - Part of general terms of use
  - Obtained via deceptive design
Separate Consent for Sharing:
- Additional opt-in consent required for “sharing” beyond consumer-requested service
- “Sharing” has normal English meaning (not CCPA’s advertising-specific definition)
- Includes sharing with corporate affiliates
Authorization for Sales:
- Even more onerous “authorization” requirement
- “Sale” defined per CCPA (includes third-party targeted advertising)
- Signed authorization required
Geofencing Prohibition:
- Cannot establish virtual boundary ≤2,000 feet from perimeter of health care facility
- Cannot use geofencing to:
  - Identify consumers seeking health care
  - Track consumers
  - Collect consumer health data
  - Send notifications related to health services
Consumer Rights:
- Right to confirm processing
- Right to access consumer health data
- Right to delete consumer health data
- Right to withdraw consent
Privacy Policy:
- Standalone consumer health data privacy policy required
- Must detail collection, use, disclosure practices
Data Retention Limits:
- No retention of identifying information after age verification (for those using verification)
Enforcement
Dual Enforcement:
1. Attorney General enforcement under Washington Consumer Protection Act
2. Private right of action for aggrieved consumers
Penalties:
- Per se violation of Consumer Protection Act
- Potential statutory damages
- Attorney fees
- Injunctive relief
Compliance Challenges
Vagueness Concerns:
- “Consumer health data” definition potentially captures virtually any personal data
- “Commercially reasonable” verification undefined
- “Necessary” for consumer-requested service requires interpretation
- Inference/derivative data creates broad scope uncertainty
Operational Impacts:
- Retailers tracking purchases must evaluate pregnancy prediction and similar analytics
- Wearable manufacturers face opt-in requirements for standard functionality
- Apps/websites must reassess data flows for health-related inferences
- Corporate affiliate data sharing requires separate consent
Full Private Right of Action:
- Aggressive plaintiffs’ attorneys can exploit vague terms
- Class action exposure
- Settlement pressure
Timeline Ambiguity:
- Potential drafting error created risk of earlier effective date (July 22, 2023) for certain provisions
- Legislative intent indicated later dates, but text arguably supports earlier enforcement
Strategic Approach
Assessment Phase:
1. Inventory all data potentially qualifying as “consumer health data”
2. Map data flows involving Washington consumers
3. Identify inference/derivative data uses
4. Evaluate geofencing technologies
Implementation Phase:
1. Develop standalone consumer health data privacy policy
2. Implement opt-in consent mechanisms
3. Create separate sharing consent processes
4. Establish authorization procedures for sales
5. Build consumer rights request infrastructure
6. Remove geofencing around health facilities
7. Update vendor contracts
Ongoing Compliance:
1. Monitor Attorney General guidance and enforcement actions
2. Train personnel on definition scope
3. Regular data flow audits
4. Privacy impact assessments for new products/features
Age Verification Laws Across States
As of late 2025, 24+ U.S. states have enacted age verification laws for online content, creating a complex compliance landscape for digital platforms.
Mississippi: Comprehensive Social Media and Adult Content Laws
Mississippi SB 2346 (Adult Content):
- Enacted: April 18, 2023
- Effective: July 1, 2023
- Scope: Commercial websites where ≥1/3 of content is pornographic
Mississippi HB 1126 (Walker Montgomery Protecting Children Online Act):
- Status: Temporarily blocked by federal court; Supreme Court allowed enforcement August 14, 2025
- Requirements:
  - Age verification for ALL social media users
  - Parental consent for minors to create social media accounts
  - Prohibition on collecting/selling/sharing minors’ personal information
  - “Commercially reasonable efforts” to prevent minors accessing “harmful material”
- Penalties: $10,000 per violation
- Catalyst: 16-year-old Mississippi boy’s suicide after Instagram sextortion scheme
Supreme Court Developments:
- June 2025: Court upheld Texas pornography age verification law (6-3 decision)
- August 2025: Court allowed Mississippi social media law enforcement
- Justice Thomas: “The statute advances the state’s important interest in shielding children from sexually explicit content”
Industry Response:
- Major platforms (Pornhub, xVideos) geo-blocking Mississippi traffic
- Bluesky blocked Mississippi users: “We cannot justify building the expensive required infrastructure”
- NetChoice litigation challenging constitutionality continues
Verification Methods:
- Government-issued ID (driver’s license, passport)
- Biometric verification (AI facial recognition, selfie matching)
- Transaction data analysis (mortgage, education, employment records)
- Third-party verification apps (e.g., Yoti)
- Payment card validation
- Mobile carrier verification
Broader State Landscape
States with Age Verification Laws (Adult Content):
- Arkansas
- Florida
- Georgia
- Indiana
- Kansas
- Kentucky
- Louisiana
- Mississippi
- Montana
- North Carolina
- Oklahoma
- South Carolina
- Texas
- Utah
- Virginia
- And others (25 total as of September 2025)
Common Features:
- Threshold: ≥1/3 pornographic content triggers requirements
- Methods: Government ID, commercial verification systems, transaction data
- Prohibitions: Retention of identifying information post-verification
- Exemptions: News outlets, ISPs, search engines, cloud services (content not under control)
- Penalties: Private right of action for damages, civil penalties
Constitutional Challenges:
- First Amendment concerns (adult access to protected speech)
- Privacy violations (sensitive data collection)
- California’s Age-Appropriate Design Code: Blocked by federal court (First Amendment grounds)
- Arkansas Social Media Safety Act (2023): Permanently enjoined; narrower version (Act 900) enacted 2025
Federal Momentum
Potential Federal Legislation:
- App Store Accountability Act under Congressional consideration
- Could standardize requirements nationwide
- Supreme Court decisions opening door for federal action
Industry Impact
Platform Responses:
1. Geo-blocking: Major adult sites blocking entire states
2. Compliance: Some sites (xHamster, Stripchat) implementing verification
3. Legal Challenges: NetChoice leading constitutional challenges
4. VPN Usage: Users increasingly turning to VPNs to bypass restrictions
Privacy Concerns:
- Massive sensitive data collection
- Data breach vulnerabilities
- Lack of trust in adult sites’ data security
- Potential for data misuse or extortion
Two-Tiered Internet:
- Some states: Free, open internet access
- Other states: Restricted access, verification requirements
- Growing digital divide based on geography
VPN Restrictions: Wisconsin and Michigan
A concerning new trend emerged in 2025: states attempting to restrict VPN usage to enforce age verification compliance.
Wisconsin Assembly Bill 105 / Senate Bill 130
- Introduced: March 2025
- Status: Passed Assembly (March 20, 2025: 69-22 vote); Senate public hearing held October 8, 2025
- Progress: Approximately 50% through legislative process
Core Requirement
VPN Blocking Mandate: Entities “that knowingly and intentionally publish or distribute material harmful to minors on the Internet” must prevent anyone from accessing content when connected to a VPN.
Privacy Advocates’ Concerns
ACLU of Wisconsin:
- Creates harmful surveillance of adult Wisconsinites
- Raises significant First Amendment concerns
- Requires personal information sharing with companies/applications
- May block individuals lacking government ID
- ID requirements may not match official documents (e.g., transgender individuals)
Fight for the Future (“Defend VPNs” Initiative):
- VPNs essential for global internet freedom and security
- Used by businesses, journalists, activists, privacy-conscious individuals
- Restrictions threaten digital rights
- Legitimate use cases far outweigh abuse potential
Civil Liberties Groups:
- VPNs protect anonymity and sensitive data
- Forcing ID disclosure to adult sites creates privacy risks
- Chilling effect on free expression
Verification Methods Under Bill
Options for Access:
1. Upload government-issued ID
2. Zoom call with ID verification (face matching)
3. AI facial-recognition software
4. Biometric identification
5. Credit card upload for AI data scraping
Additional Provision
Obscenity Lawsuits: Bill allows anyone to file lawsuit alleging content is “obscene”
- Vague standards
- Potential for harassment litigation
- Chilling effect on protected speech
Michigan Parallel Proposal
September 2025 Introduction:
- Would require ISPs to monitor and block VPN connections
- Ban promotion or sale of circumvention tools
- Proton VPN called it “a danger for the political discourse”
International Context
UK Officials:
- Labeled VPNs as “problematic loopholes” in child protection frameworks
- Examining VPN restrictions following age verification implementation
The Balancing Debate
Proponents Argue:
- VPNs undermine age verification effectiveness
- Children can easily bypass protections
- Stronger enforcement necessary for child safety
Opponents Counter:
- VPNs have extensive legitimate uses:
  - Business communications and remote work
  - Protecting personal data on public WiFi
  - Avoiding ISP surveillance and throttling
  - Accessing content while traveling
  - Protecting journalists and activists
  - Privacy from government overreach
- Blanket bans disproportionately harm innocent users
- Technical enforcement extremely difficult
- Drives technology underground
- Creates dangerous precedent for internet freedom
Compliance Strategies and Best Practices
Unified Compliance Framework
Step 1: Comprehensive Scope Assessment
- Map operations across all 50 states
- Identify states where laws apply based on:
  - Physical presence
  - Targeted marketing
  - Customer/consumer volumes
  - Revenue thresholds
  - Data processing activities
Step 2: Data Inventory and Classification
- Catalog all personal data collected, processed, stored
- Classify data by:
  - Type (general personal data, sensitive data, health data, children’s data)
  - Purpose of collection
  - Legal basis for processing
  - Retention period
  - Third-party sharing/sales
- Create data processing inventory (required in Minnesota; best practice everywhere)
🔧 Essential Compliance Tools:
Use these free interactive tools to streamline your compliance assessment:
1. PII Compliance Navigator - Instantly identify which data types are classified as “sensitive” across 19 states. Search 34+ data categories to see state-by-state requirements.
2. Privacy Rights Navigator - Compare consumer rights across all state privacy laws. Understand access, deletion, correction, and opt-out requirements by jurisdiction.
3. Biometric Privacy Tracker - Navigate biometric data protection requirements state-by-state, including notice requirements, consent standards, and retention limitations.
4. Breach Notification Requirements - Comprehensive tracker for breach notification laws, ransomware requirements, and privacy regulations across all 50 US states.
Step 3: Threshold Analysis
Build matrix showing:
- State requirements
- Applicability thresholds
- Whether organization meets thresholds
- Effective dates
- Cure periods
- Exemptions applicable
Step 4: Gap Analysis
Compare current practices against requirements:
- Privacy notices/policies
- Consent mechanisms
- Consumer rights fulfillment processes
- Data protection assessments/impact assessments
- Vendor management
- Security measures
- Age verification (where applicable)
- Geofencing prohibitions
Step 5: Baseline Compliance Program
Implement program satisfying most stringent requirements:
- Maryland’s data minimization (most restrictive)
- Washington’s opt-in consent for health data
- Universal opt-out mechanisms (majority requirement)
- Data protection impact assessments (standard in most states)
- Colorado’s AI governance (if deploying high-risk AI)
Step 6: Jurisdiction-Specific Overlays
Layer additional requirements:
- Iowa’s 90-day response time (vs. standard 45 days)
- Minnesota’s data inventory
- Maryland’s prohibition on sensitive data sales
- California’s chatbot and age assurance requirements
- App store accountability acts (Texas, Utah, Louisiana)
Privacy Policy Harmonization
Single Policy Approach: Many businesses adopt unified privacy policy covering all states to:
- Simplify operations
- Avoid ongoing threshold assessments
- Ensure consistency in consumer request handling
- Provide highest level of protection universally
Considerations:
- Clearly identify applicable jurisdictions
- Note state-specific rights where they differ
- Maintain flexibility for future state additions
- Include universal opt-out mechanism instructions
Vendor and Processor Management
Contract Updates Required:
- Data processing agreements compliant with state requirements
- Vendor obligations clearly specified
- Data sharing limitations
- Security requirements
- Audit rights
- Breach notification procedures
- Subprocessor restrictions
💡 Compliance Tool: Ensure your vendor contracts address state-specific breach notification requirements using the Breach Notification Requirements Tracker - a comprehensive tool for researching breach notification laws, ransomware requirements, and privacy regulations across all 50 US states.
Due Diligence:
- Vendor privacy and security assessments
- Third-party certification verification
- Regular compliance audits
- Risk-based approach (higher scrutiny for sensitive data processors)
Security Context: Understanding breach vectors is critical for vendor assessment. Recent analysis shows that the most common methods behind major data breaches include credential-based attacks, phishing, and unpatched vulnerabilities. Organizations should evaluate vendors against these known threat patterns.
Consumer Rights Infrastructure
Request Management System:
- Centralized intake portal
- Identity verification procedures
- Request categorization and routing
- Response tracking and documentation
- Deadline monitoring (varies: 30, 45, 60, 90 days)
- Appeal process (where required)
Supported Rights:
- Access/Confirm processing
- Delete
- Correct
- Portability
- Opt-out (targeted advertising, sales, profiling)
- Transparency (third-party disclosure lists)
Data Protection Assessment Program
When Required: Most states mandate assessments for:
- Sale of personal data
- Targeted advertising
- Profiling with legal/significant effects
- Sensitive data processing
Assessment Components:
1. Benefits of processing activity
2. Potential risks to consumers
3. Safeguards to mitigate risks
4. Compliance with state requirements
Cadence:
- Annual updates (minimum)
- Upon material changes to processing
- New high-risk activities
AI-Specific Compliance (Colorado)
For High-Risk AI Developers:
1. Document reasonably foreseeable uses and harmful uses
2. Identify limitations and algorithmic discrimination risks
3. Conduct pre-deployment performance evaluations
4. Create public transparency statements
5. Maintain documentation for deployers and AG
6. Implement discrimination discovery procedures
For High-Risk AI Deployers:
1. Develop risk management policy and program
2. Conduct annual impact assessments
3. Implement consumer disclosure procedures
4. Monitor for algorithmic discrimination
5. Establish human review processes for adverse decisions
6. Create AG notification procedures
Best Practice: Align with established frameworks (NIST AI RMF, ISO 42001) to support affirmative defense
App Store and Age Verification Compliance
For App Stores (Texas, Utah, Louisiana):
1. Implement commercially reasonable age verification for ALL users
2. Create four-tier age categorization system
3. Build parental account linkage infrastructure
4. Develop individual consent request mechanisms
5. Create age category sharing APIs for developers
6. Implement consent revocation notification systems
7. Limit data collection to verification purposes
For App Developers:
1. Integrate with app store age verification APIs
2. Build parental consent re-request functionality
3. Implement consent revocation handling
4. Update privacy practices for “actual knowledge” of age ranges
5. Prepare for state-specific differences (safe harbors, private rights of action)
For Adult Content Providers:
1. Implement robust age verification systems
2. Consider geo-blocking in strict states
3. Do NOT retain identifying information post-verification
4. Prepare for potential VPN restriction requirements
5. Monitor state-by-state legal challenges
Health Data Protection (Washington)
Applicability Assessment:
1. Determine if data qualifies as “consumer health data”:
   - Direct health information
   - Inferred/derived from non-health data
   - Biometric data (broadly defined)
   - Precise location near health facilities
2. Identify Washington connections (residents, data collected in WA)
Implementation:
1. Create standalone consumer health data privacy policy
2. Implement opt-in consent for collection/processing
3. Create separate consent for sharing (including affiliates)
4. Develop authorization process for sales
5. Disable geofencing within 2,000 feet of health facilities
6. Build consumer rights request infrastructure
7. Establish data deletion procedures
8. Update vendor contracts for health data processing
Training and Awareness
Personnel Training:
- Privacy team: In-depth training on all applicable laws
- Legal team: Enforcement trends, litigation risks
- Product/engineering: Privacy by design, data minimization
- Marketing: Consent requirements, targeted advertising restrictions
- Customer service: Consumer rights request handling
- Leadership: Strategic compliance importance, risk exposure
Ongoing Education:
- Quarterly updates on new laws and guidance
- Case study reviews of enforcement actions
- Emerging technology implications (AI, chatbots, biometrics)
Monitoring and Adaptation
Regulatory Tracking:
- Subscribe to AG newsletters and guidance documents
- Monitor enforcement actions and settlements
- Track federal legislative developments
- Participate in industry associations
Recent Enforcement Trends: Privacy enforcement has intensified globally in 2025. For comprehensive analysis of recent enforcement patterns, see:
- 10 Latest Global Cybersecurity Breaches, Hacks, Ransomware Attacks and Privacy Fines (2025)
- The Most Recent Global Compliance and Privacy Fines Q1 2025
Major tech companies continue to face substantial penalties. Google’s mounting legal challenges illustrate the scope of potential exposure - see Google Mounting Legal Challenges: A Comprehensive Analysis of Privacy Violations and Antitrust Cases for details on $15+ billion in collective penalties.
Proactive Adjustment:
- Regular compliance audits (at least annually)
- Privacy impact assessments for new products/features
- Sunset reviews of data retention
- Vendor compliance verification
Documentation and Recordkeeping
Maintain Records:
- Privacy policies (all versions with effective dates)
- Consent logs
- Consumer request logs and responses
- Data protection assessments/impact assessments
- Vendor contracts and due diligence
- Training records
- Incident response documentation
- AG correspondence
Retention Periods:
- Aligned with statute of limitations
- Minimum: Duration of consumer relationship + applicable limitation period
- Consider state-specific requirements
Looking Ahead: 2026 and Beyond
States with Laws Effective in 2026
Confirmed 2026 Effective Dates:
- Indiana: July 1, 2026
- Kentucky: January 1, 2026
- Rhode Island: January 1, 2026
- Colorado AI Act: February 1, 2026 (already discussed)
- California AB 1043: January 1, 2027
Anticipated Trends
Federal Privacy Legislation:
- Growing state patchwork may force federal action
- Potential preemption of state laws
- Standardization vs. states’ rights debate
AI Regulation Expansion:
- More states likely to follow Colorado’s lead
- EU AI Act influence on U.S. approaches
- Federal AI framework under consideration
Age Verification Proliferation:
- Expect additional states to enact social media age verification
- Broader application beyond adult content
- Potential federal standardization via App Store Accountability Act
Health Data Protection:
- Post-Dobbs privacy concerns driving legislation
- Reproductive health data protections expanding
- Biometric and genetic data regulations increasing
VPN and Circumvention Tools:
- Potential restrictions in additional states
- Technical feasibility challenges
- International implications for internet freedom
Strategic Positioning
Build Scalable Infrastructure:
- Systems that can accommodate new state requirements without major overhauls
- API-driven architecture for jurisdiction-specific rule implementation
- Automated compliance monitoring and reporting
Engage in Advocacy:
- Industry association participation
- Public comment on proposed regulations
- Engagement with legislators on practical implications
Privacy as Competitive Advantage:
- Consumer trust increasingly valuable
- Transparency and control as differentiators
- Privacy-first product design
Prepare for Federal Action:
- Monitor federal bills
- Prepare for potential preemption scenarios
- Build compliance framework adaptable to federal standards
🛠️ Your Complete Compliance Toolbox
Navigating the complex U.S. state privacy landscape requires the right resources. Access our comprehensive suite of free compliance tools:
Interactive Compliance Navigators
- PII Compliance Navigator - 34+ data categories across 19 states | Instantly identify sensitive data classifications
- Privacy Rights Navigator - Consumer rights comparison | Access, deletion, correction, opt-out requirements
- Biometric Privacy Tracker - State-by-state biometric protections | Notice, consent, retention requirements
- Breach Notification Requirements - All 50 states | Notification timelines, ransomware requirements, privacy regulations
Expert Analysis & Insights
- Compliance Hub - Global privacy laws, information security frameworks, regulatory analysis
- Breached Company - Cybersecurity incidents, data breaches, enforcement actions, threat intelligence
- My Privacy Blog - Privacy rights, biometric data, digital identity, surveillance analysis
Why These Tools Matter
These resources save compliance teams hundreds of hours by consolidating fragmented state requirements into searchable, interactive formats. Rather than manually reviewing 20+ state statutes, use our navigators to instantly compare requirements across jurisdictions and identify gaps in your current program.
Conclusion
The U.S. privacy landscape has reached a critical inflection point in 2025. With twenty states enforcing comprehensive privacy laws, groundbreaking AI governance frameworks, unprecedented health data protections, and transformative age verification requirements, compliance teams face both unprecedented challenges and opportunities.
Key Takeaways:
1. Complexity is Permanent: Absent federal preemption, state-by-state compliance will remain the reality. Build scalable, flexible systems.
2. Children’s Privacy is Paramount: From social media warnings to app store accountability to chatbot regulations, protecting minors dominates the legislative agenda. Expect this trend to intensify.
3. AI Governance Has Arrived: Colorado’s framework is just the beginning. High-risk AI systems face increasing scrutiny and regulation.
4. Health Data Requires Special Attention: Washington’s expansive approach creates compliance obligations far beyond HIPAA’s scope. Inference and derivative data create particularly challenging compliance scenarios.
5. Age Verification is the New Normal: Twenty-four states and counting require age verification for various online content. Supreme Court support signals judicial endorsement of these requirements.
6. Privacy vs. Access Tensions Growing: VPN restrictions represent a concerning trend that pits child protection against internet freedom and privacy rights.
Strategic Imperatives:
- Invest in Privacy Infrastructure: Technology, personnel, and processes must scale with regulatory complexity
- Adopt Baseline-Plus Approach: Implement highest common requirements as baseline; layer jurisdiction-specific elements
- Document Everything: Compliance, assessments, decisions, and rationales
- Engage Proactively: Don’t wait for enforcement; seek guidance, participate in rulemaking, engage with regulators
- Monitor Continuously: Laws, guidance, enforcement actions, and court decisions evolve rapidly
- Prepare for Federal Action: Build flexibility to adapt to potential federal framework
The organizations that will thrive in this environment are those that view privacy not as a compliance burden but as a strategic imperative—building consumer trust, differentiating products, and positioning for the regulatory future.
Additional Resources
Compliance Hub Tools:
- PII Compliance Navigator - Interactive tool for sensitive data classification across 19 state privacy laws
- Privacy Rights Navigator - Consumer rights comparison across state privacy laws
- Biometric Privacy Tracker - State-by-state biometric data protection requirements
- Breach Notification Requirements - Comprehensive state breach notification law tracker
State Attorney General Privacy Pages:
- California: https://oag.ca.gov/privacy
- Colorado: https://coag.gov/resources/colorado-privacy-act/
- Washington: https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy
Industry Associations:
- IAPP (International Association of Privacy Professionals): https://iapp.org
- NetChoice: https://netchoice.org
- Future of Privacy Forum: https://fpf.org
Regulatory Guidance:
- California Privacy Protection Agency: https://cppa.ca.gov
- NIST AI Risk Management Framework: https://www.nist.gov/itl/ai-risk-management-framework
Legal Challenges:
- NetChoice litigation tracker
- Electronic Frontier Foundation: https://www.eff.org
Recommended Reading from Compliance Hub:
- Navigating the Global Data Privacy Maze: A Strategic Imperative for Modern Businesses
- 10 Areas for U.S.-Based Privacy Programs to Focus on in 2025
- Understanding the Evolving Threat Landscape Following a Data Breach
- The 15 Most Devastating Data Breaches in History
This compliance guide was prepared in October 2025. Laws, regulations, and guidance continue to evolve. Organizations should consult with legal counsel for jurisdiction-specific advice and ongoing compliance monitoring.