October 1, 2025 marked a critical inflection point in American data privacy regulation as Maryland’s groundbreaking privacy law took effect, joining seven other new state laws that became active throughout 2025. With 18 states now enforcing comprehensive privacy legislation and aggressive enforcement actions intensifying—including Texas AG’s landmark letters to over 100 data brokers—businesses face an unprecedented compliance challenge that demands strategic adaptation.
Executive Summary
The American privacy landscape fundamentally transformed throughout 2025 as eight new state comprehensive privacy laws took effect: Delaware, Iowa, Nebraska, and New Hampshire (January 1), New Jersey (January 15), Tennessee (July 1), Minnesota (July 31), and Maryland (October 1). This seismic shift created a complex regulatory patchwork that varies significantly across jurisdictions in applicability thresholds, consumer rights, data minimization requirements, and enforcement mechanisms.
Key developments shaping the post-October 2025 landscape:
- Maryland’s paradigm shift: The Maryland Online Data Privacy Act (MODPA) establishes one of the nation’s strictest frameworks, prohibiting the sale of sensitive data regardless of consent and requiring that data collection be “strictly necessary” for requested services
- Minnesota’s profiling rights revolution: The Minnesota Consumer Data Privacy Act (MCDPA) grants unprecedented consumer rights to contest profiling decisions, review underlying data, and understand alternative outcomes
- Data inventory mandates: Minnesota explicitly requires businesses to maintain comprehensive data inventories—the only state to mandate this at the statutory level
- Aggressive state-level enforcement: Texas AG Ken Paxton’s issuance of warning letters to over 100 companies for data broker registration failures signals a new era of proactive enforcement
- Universal opt-out adoption: Twelve states now require recognition of universal opt-out mechanisms like Global Privacy Control, making browser-based privacy signals table stakes
- Cure period sunset provisions: Multiple states are phasing out cure periods, allowing immediate enforcement without grace periods for violations
For businesses operating nationwide, these developments demand comprehensive data mapping, enhanced documentation of data processing necessities, robust consumer request infrastructure, and strategic assessment of data monetization models.
The October 2025 Milestone: Maryland’s Entry and Montana’s Evolution
Maryland’s Revolutionary Framework
October 1, 2025 witnessed the implementation of Maryland’s Online Data Privacy Act (MODPA), a law that privacy experts consider one of the most restrictive state privacy frameworks in the United States. Unlike the business-friendly “Virginia model” adopted by many states, MODPA draws heavily from the failed federal American Data Privacy and Protection Act (ADPPA) and incorporates provisions that fundamentally restrict not just how businesses use data, but what data they can collect in the first place.
The “Strictly Necessary” Standard
MODPA’s most significant departure from other state laws is its prohibition on collecting, processing, or sharing sensitive data unless such collection is “strictly necessary” to provide or maintain a specific product or service requested by the consumer. This goes beyond consent-based frameworks—businesses must justify processing with documented business necessity, regardless of whether consumers consent.
The law defines sensitive data broadly to include:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis, condition, or treatment
- Sex life or sexual orientation
- Citizenship or immigration status
- Status as transgender or nonbinary
- Genetic or biometric data processed for identification purposes
- Personal data of known children under 13
- Precise geolocation data
💡 Biometric Compliance: Maryland’s inclusion of biometric data in sensitive personal information requires heightened protections. Track state-specific biometric privacy requirements using the Biometric Privacy Tracker, which covers biometric laws across multiple states including Illinois’ BIPA, Texas’ CUBI, and emerging state frameworks.
Until regulators or courts provide guidance on what “strictly necessary” means in practice, businesses face significant uncertainty. Legal teams must prepare for regulatory inquiries by thoroughly documenting why each sensitive data processing activity is essential to delivering the specific service a consumer has requested.
Absolute Prohibition on Sensitive Data Sales
Unlike other state laws that allow sensitive data sales with opt-in consent, MODPA prohibits the sale of sensitive data outright—even with consumer consent. The only exception is consumer-directed disclosures where the consumer has intentionally used the controller to interact with a third party.
This creates compliance challenges for businesses whose models depend on data monetization. Consider a health and wellness app that collects health information: under MODPA, the app cannot sell this data to advertisers, insurers, or data brokers, regardless of whether users consent. The app can only disclose health data to third parties when strictly necessary to provide the wellness services the user requested.
Enhanced Protections for Minors
MODPA prohibits selling or processing personal data of anyone under 18 for targeted advertising if the controller “knew or should have known” the person was a minor. This “should have known” standard is more stringent than the “willful disregard” threshold found in most other state privacy laws and raises the age threshold from 13 or 16 to 18.
The law provides no guidance on what factors demonstrate “should have known,” creating uncertainty for businesses operating general-audience websites and apps. Unlike California or Oregon, MODPA contains no opt-in provision that would permit use of minor data for advertising with parental consent.
Data Minimization as Core Principle
MODPA restricts the collection of personal data (not just sensitive data) to what is “reasonably necessary and proportionate” to provide or maintain a specific product or service requested by the consumer. This data minimization requirement is more restrictive than most state laws, which typically allow processing for any disclosed purpose.
Businesses must audit their data collection practices to ensure they’re not collecting data “just in case” it might be useful later. Each data element must be tied to a specific, consumer-requested function.
Applicability Thresholds
MODPA applies to persons that conduct business in Maryland or target products/services to Maryland residents and, during the prior calendar year, either:
- Controlled or processed personal data of at least 35,000 Maryland residents, or
- Controlled or processed personal data of at least 10,000 Maryland residents and derived more than 20% of gross revenue from the sale of personal data
The 35,000 threshold is relatively low given Maryland’s population of approximately 6 million, bringing many mid-sized businesses into scope.
Montana’s Dramatic Amendments
The same day MODPA took effect, Montana implemented sweeping amendments (Senate Bill 297) to its Consumer Data Privacy Act (MCDPA), which originally went into effect October 1, 2024. These amendments represent substantial expansion and strengthening of Montana’s privacy protections:
For comprehensive analysis of Montana’s privacy framework and how it compares to other states, see our in-depth article: In-Depth Analysis of the Montana Consumer Data Privacy Act (MCDPA).
💡 Related Compliance: Montana’s enhanced privacy protections work in conjunction with breach notification requirements. Track state-specific breach notification laws using the Breach Notification Requirements Tracker, which covers all 50 states’ data breach notification requirements.
Lower applicability threshold: The law now applies to businesses processing personal data of just 25,000 Montana consumers (down from 50,000), making Montana the state with the lowest threshold in the nation—even lower than Maryland’s 35,000.
Eliminated financial institution exemption: Previously, entities subject to the Gramm-Leach-Bliley Act (GLBA) were exempt at the entity level. That exemption is now gone, bringing banks, credit unions, and auto dealerships into scope (though GLBA-regulated data itself remains exempt).
Removed cure period: The 60-day cure period for violations has been eliminated as of October 1, 2025, allowing the Attorney General to proceed with enforcement actions immediately without offering businesses an opportunity to cure violations.
Enhanced transparency requirements: Privacy notices must now include the last update date, an explanation of consumer rights, and a clear opt-out method outside the privacy notice for data sales and targeted advertising.
Minnesota’s Groundbreaking Profiling Rights
Minnesota’s Consumer Data Privacy Act, which took effect July 31, 2025, breaks new ground by granting consumers unprecedented rights to challenge profiling decisions and understand automated decision-making processes.
For a comprehensive examination of Minnesota’s privacy framework, implementation timelines, and compliance requirements, see our detailed guide: The Minnesota Consumer Data Privacy Act (MCDPA): A New Era for Data Rights.
The Right to Contest Profiling Outcomes
Minnesota defines “profiling” as any form of automated processing of personal data to evaluate, analyze, or predict personal aspects of an identified or identifiable individual, including economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
If a consumer’s personal data is profiled in furtherance of decisions that produce legal effects or “similarly significant effects” concerning a consumer, that consumer has the right to:
1. Question the result: Be informed of the reason that the profiling resulted in the decision
2. Understand alternatives: Be informed, if feasible, of what actions the consumer might have taken to secure a different decision and what actions they might take in the future
3. Review underlying data: Review the consumer’s personal data used in the profiling
4. Correct and re-evaluate: If the decision was based on inaccurate personal data, have the data corrected and the profiling decision reevaluated based on the corrected data
Distinction from Opt-Out Rights
Minnesota provides both an opt-out right and the right to contest profiling, but they apply differently:
- The opt-out right applies to profiling “in furtherance of automated decisions” that produce legal or similarly significant effects. This means the opt-out extends to profiling used to inform decisions, not just fully automated ones.
- The right to contest applies to profiling “in furtherance of decisions” (not necessarily automated) that produce such effects
This is a key distinction from laws like Delaware’s, which limits the opt-out right to profiling “in furtherance of solely automated decisions,” or Iowa’s and Utah’s laws that don’t provide a profiling opt-out right at all.
Practical Applications
Consider these scenarios where Minnesota’s profiling rights apply:
Housing decisions: A property management company uses algorithms to score rental applications, denying housing to an applicant. The applicant can request:
- Why the algorithm scored them unfavorably
- What changes to their application might have resulted in approval
- The specific data points used in the scoring
- Re-evaluation if any data was inaccurate
Employment screening: An employer uses automated background screening that flags an applicant negatively. The applicant can challenge the profiling, review the underlying data, and request correction and re-evaluation.
Insurance underwriting: An insurer uses behavioral data and predictive models to deny coverage or increase premiums. The consumer can contest the profiling outcome and understand what factors drove the decision.
Implementation Challenges
Minnesota’s profiling rights create significant operational challenges:
💡 Compliance Tool: Compare Minnesota’s profiling rights against other state consumer rights using the US State Privacy Rights Comparison Tool. This interactive tool tracks 21 different rights across all 20 comprehensive state privacy laws.
Documentation requirements: Businesses must document and maintain the logic behind profiling decisions in a format that can be explained to consumers. This requires collaboration between data science, product, and legal teams to translate complex algorithms into understandable explanations.
Feasibility determinations: The law recognizes that informing consumers of alternative actions may not always be “feasible.” Businesses must develop frameworks for determining when it’s feasible and documenting those determinations.
Re-evaluation processes: When consumers correct inaccurate data, businesses must have processes to re-run profiling with the corrected information and communicate the results—potentially overturning previous decisions.
Data Inventory Mandate
Minnesota is the only U.S. state privacy law to explicitly require data inventories at the statutory level. Specifically, the law requires businesses to “maintain an inventory of the data that must be managed” to exercise their responsibilities under the Act.
This mandatory data inventory must capture:
- Categories of personal data processed
- Sources of personal data
- Purposes for processing each category
- Categories of third parties with whom data is shared
- Data retention periods
- Security measures protecting the data
While data inventories are considered a best practice under all privacy laws, Minnesota’s statutory requirement means failure to maintain one constitutes a direct violation subject to enforcement action and potential penalties of up to $7,500 per violation.
The January Wave: Four States, Four Variations
Delaware’s Third-Party Transparency
Delaware’s Personal Data Privacy Act (DPDPA), effective January 1, 2025, introduces a unique transparency right that goes beyond what most states require. While many states require businesses to disclose categories of third parties that receive personal data, Delaware requires controllers to disclose the specific third parties to whom they have disclosed consumer data upon request.
This “list of specific third parties” requirement provides consumers with unprecedented visibility into where their data actually goes, not just general categories like “advertising partners” or “analytics providers.”
Applicability thresholds:
- Controlled or processed personal data of 35,000+ Delaware residents (excluding payment transactions), or
- Controlled or processed personal data of 10,000+ consumers and derived 20%+ revenue from data sales
Unique aspects:
- Applies to nonprofit organizations and educational institutions (unlike most states)
- Includes pregnancy status and nonbinary identity in sensitive data definition
- Requires universal opt-out mechanism recognition starting January 1, 2026
- Cure period expires December 31, 2025
Iowa’s Limited Rights Approach
Iowa’s Consumer Data Protection Act (ICDPA), also effective January 1, 2025, takes a more business-friendly approach with notably limited consumer rights.
What Iowa lacks:
- No right to correct inaccurate personal data
- No right to opt out of profiling
- No right to opt out of targeted advertising
- No requirement to conduct risk assessments for high-risk processing
Applicability thresholds:
- Control or process personal data of 100,000+ Iowa residents, or
- Control or process personal data of 25,000+ Iowa residents and derive 50%+ revenue from data sales
Extended timelines: Iowa provides businesses 90 days to respond to privacy rights requests, significantly longer than the 30-45 days required by most states.
Nebraska’s Universal Coverage with Small Business Exemption
Nebraska’s Data Privacy Act, effective January 1, 2025, takes a unique approach by applying broadly to all businesses processing personal data in Nebraska—with no numerical threshold—but exempting small businesses as defined by the U.S. Small Business Administration.
Key provisions:
- Prohibits sale of sensitive data without consumer consent
- Requires universal opt-out mechanism recognition from day one (no phase-in period)
- 30-day cure period that sunsets after implementation
- Broad definition of “sale” similar to California, Connecticut, and Delaware: the exchange of personal data for “monetary or other valuable consideration”
The small business exemption creates a clear divide: enterprises face comprehensive obligations while small businesses are entirely exempt, avoiding the complexity of differential compliance based on revenue and data volumes.
New Hampshire’s Flexible Cure Period
New Hampshire’s Privacy Act (SB 255), effective January 1, 2025, includes interesting enforcement flexibility.
Applicability thresholds:
- Control or process personal data of 35,000+ New Hampshire residents (excluding payment transactions), or
- Control or process personal data of 10,000+ consumers and derive 25%+ revenue from data sales
Unique enforcement provisions:
- Mandatory 60-day cure period through December 31, 2025
- After that date, the New Hampshire Attorney General has discretion to provide cure periods rather than being required to eliminate them entirely
This approach balances consumer protection with recognition that businesses may face good-faith compliance challenges, particularly as interpretations of the law evolve.
New Jersey’s Comprehensive Framework
New Jersey’s Data Privacy Act (NJ SB 322), effective January 15, 2025, incorporates several distinctive elements:
Broad definition of sensitive data: Includes financial account information in its definition of sensitive data, going beyond most states. This brings checking and savings account data under heightened protections.
Shortened data processing cessation timeline: Requires businesses to cease processing personal data within just 15 days of a consumer withdrawing consent—significantly shorter than the 30-45 day timelines seen in other privacy laws.
No FERPA exemption: Unlike most state privacy laws, New Jersey does not include the Family Educational Rights and Privacy Act (FERPA) exemption, potentially bringing educational technology and student data under the law’s scope.
For analysis of New Jersey and New Hampshire’s broader cybersecurity and privacy regulatory frameworks, including infrastructure protection measures, see: Enhancing State Cybersecurity Measures: A Comprehensive Review of New Regulations in New Jersey and New Hampshire.
Applicability thresholds:
- Control or process personal data of 100,000+ New Jersey residents (excluding payment transactions), or
- Control or process personal data of 25,000+ consumers and derive revenue or receive discounts from selling personal data
Universal opt-out mechanisms: The Division of Consumer Affairs in the Department of Law and Public Safety is responsible for clarifying technical specifications for universal opt-out mechanisms.
Tennessee’s NIST Framework Affirmative Defense
Tennessee’s Information Protection Act (TIPA), effective July 1, 2025, offers a unique legal protection for compliant businesses.
Applicability Scope
TIPA applies only to businesses with $25 million+ annual revenue that either:
- Process personal data of 175,000+ Tennessee residents, or
- Process personal data of 25,000+ Tennessee residents and derive 50%+ revenue from data sales
The high thresholds (175,000 consumers and $25 million revenue) make TIPA one of the most limited state privacy laws in terms of business applicability.
NIST Privacy Framework Affirmative Defense
Tennessee’s most distinctive provision allows businesses to establish an affirmative defense against enforcement actions by maintaining a privacy program that conforms to the NIST Privacy Framework or other recognized frameworks.
To qualify for this defense, businesses must:
- Implement and maintain a documented privacy program reasonably conforming to a recognized framework
- Conduct periodic assessments to demonstrate compliance
- Maintain evidence that the program was in place and reasonably designed at the time of the alleged violation
This provision incentivizes proactive compliance by offering legal protection rather than simply relying on cure periods or negotiated settlements. Businesses investing in robust NIST-aligned privacy programs gain a concrete legal defense against civil penalties.
Implementation Considerations
The NIST Privacy Framework consists of five core functions:
1. Identify-P: Develop organizational understanding to manage privacy risk
2. Govern-P: Develop and implement organizational governance structure
3. Control-P: Develop and implement activities to enable organizations to manage data
4. Communicate-P: Develop and implement activities to enable transparency
5. Protect-P: Develop and implement safeguards for data processing
Tennessee’s affirmative defense creates a clear compliance roadmap: invest in NIST framework implementation to minimize enforcement risk.
The State-Level Enforcement Revolution: Texas AG’s Data Broker Campaign
Warning Letters to 100+ Companies
In June 2024, Texas Attorney General Ken Paxton issued warning letters to over 100 companies regarding their apparent failure to register as data brokers with the Texas Secretary of State, as required by Texas’s Data Broker Law enacted in 2023.
This mass notification campaign represents one of the most aggressive state-level enforcement initiatives in privacy law history. The AG’s office emphasized it would be enforcing “the full slate of Texas privacy laws,” signaling a multi-pronged approach that treats failures to comply with specific privacy statutes as potential violations of broader consumer protection laws like the Texas Deceptive Trade Practices Act (DTPA).
First-Ever State Privacy Law Enforcement Action
On January 13, 2025, Texas filed its first lawsuit enforcing the Texas Data Privacy and Security Act (TDPSA), which took effect July 1, 2024. The complaint against Allstate Corporation and its subsidiaries establishes critical precedents for privacy enforcement nationwide.
The Allstate/Arity Case
Allegations: Allstate’s subsidiary Arity developed a software development kit (SDK) that was integrated into mobile apps. The SDK allegedly collected sensitive driving data—including phone latitude, longitude, speed, GPS time, bearing, and altitude—from approximately 45 million Americans, including Texas consumers, without adequate notice or consent.
Key violations alleged:
1. Failure to provide privacy notices: Consumers were unaware Arity was processing their sensitive data
2. Lack of consent for sensitive data processing: No opt-in consent obtained before collecting geolocation data
3. Failure to provide opt-out mechanisms: No method for consumers to exercise rights to stop data sales
4. Data broker registration failure: Arity failed to register with Texas Secretary of State’s Data Broker Registry
Multiple legal theories: The AG’s complaint includes claims under:
- Texas Data Privacy and Security Act (TDPSA)
- Texas Data Broker Law
- Texas Insurance Code (unfair or deceptive business practices)
- Texas Deceptive Trade Practices-Consumer Protection Act
Monetary relief sought: More than $1,000,000, including:
- Up to $7,500 per TDPSA violation
- $10,000 penalty for violating Data Broker Law
- $100 per day Arity was in violation of registration requirement
- Up to $10,000 per violation of Texas Insurance Code
- Attorney’s fees and costs
Key Enforcement Lessons
The Allstate case establishes several critical compliance principles:
Software Development Kits create liability: Companies licensing SDKs to third-party apps can be held liable for data collection, even if they don’t directly control the apps. The “background” operation of SDKs doesn’t shield companies from privacy obligations.
Privacy policies must be accurate: Arity’s privacy policy allegedly stated it did not sell personal information, when in fact it was selling driving data to insurance companies. Contradictions between stated policies and actual practices create significant legal exposure.
“Should have known” standards: Even if consumers technically consented to the host app’s terms, controllers can be liable if they “should have known” users weren’t aware of background data collection.
Cumulative legal theories: State AGs can pursue violations under multiple statutes simultaneously, dramatically increasing potential penalties. A single data practice can violate privacy laws, consumer protection laws, industry-specific regulations, and data broker requirements.
30-day cure periods have limits: While TDPSA includes a 30-day cure provision, the AG can still seek substantial penalties after that period, and alleged violations of other laws (like data broker registration) may not include cure rights.
Implications for Data Collection Practices
The Texas enforcement actions establish that state AGs will:
- Actively monitor and investigate data collection practices, particularly involving location data and cross-app tracking
- Hold parent companies liable for subsidiary practices
- Pursue maximum penalties under multiple legal theories
- Investigate practices even when technically structured through third-party relationships
- Reject formalistic compliance (e.g., privacy policies that don’t reflect actual practices)
Data Mapping and Inventory: The Foundation of Compliance
The diversity of state privacy laws makes comprehensive data mapping essential. Organizations can no longer rely on generalized descriptions of data practices; they need granular, system-level visibility into data flows.
Why Minnesota’s Data Inventory Requirement Matters
Minnesota’s statutory requirement to maintain a data inventory transforms what was previously considered a “best practice” into a legal obligation. This has ripple effects beyond Minnesota because:
Audit trail necessity: Without documented data inventories, businesses cannot demonstrate compliance with data minimization requirements, assess whether processing is “necessary,” or respond accurately to consumer requests.
Multi-state efficiency: A data inventory built to Minnesota’s standard will generally satisfy requirements in other states, making it an efficient approach to multi-jurisdictional compliance.
Enforcement leverage: Minnesota’s AG can cite failure to maintain a data inventory as a standalone violation, separate from and in addition to violations related to specific data processing activities.
Core Data Inventory Elements
An effective data inventory for 2025 compliance should document:
💡 Compliance Tool: Use the PII Compliance Navigator to explore which data types are classified as sensitive across 19 states. This interactive tool helps identify which enhanced protections apply to specific data categories in each jurisdiction.
Data categories and elements:
- Specific types of personal data collected (not just high-level categories)
- Which data elements are “sensitive” under each applicable state’s definition
- Special notation for data about minors, particularly those under 13, 13-16, and 16-18, given varying state protections
Sources and collection methods:
- First-party collection (forms, account creation, purchases)
- Third-party sources (data brokers, social media, public records)
- Automated collection (cookies, pixels, SDKs, device sensors)
- Derived or inferred data (scores, profiles, predictions)
Processing purposes:
- Specific business purposes for each data element
- Distinction between “necessary” and “nice to have” processing
- Documentation of necessity determinations (critical for Maryland’s “strictly necessary” standard)
Data flows and transfers:
- Internal systems and databases containing the data
- Third-party vendors, service providers, and processors
- Data sharing for advertising, analytics, or other purposes
- Cross-border transfers
- Specific third-party names (required for Delaware’s transparency right)
Retention and deletion:
- Retention periods for each data category
- Deletion procedures and schedules
- Legal holds and retention exceptions
- Records of deletion requests and completion
Security and access controls:
- Who can access each data category
- Technical and administrative safeguards
- Encryption and pseudonymization measures
- Incident response procedures
Data Mapping for Sensitive Data
States’ varying definitions of “sensitive data” create particular mapping challenges. The same data element may be:
- Not sensitive in Iowa
- Requiring opt-in consent in most states
- Subject to strict necessity requirements in Maryland
- Prohibited from sale in Maryland (even with consent) and in Nebraska (without consent)
Organizations should maintain a sensitivity matrix that maps each data element against all applicable state definitions to identify the most restrictive requirements that apply.
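The sensitivity matrix and the inventory record described above can be expressed directly as data and a small amount of logic. The following Python sketch is an added example, not code from the article or from any of the tools it links; the class names (Treatment, DataElement), the STATE_MATRIX contents and the sample inventory are all constructed for illustration from the four treatments the article names, and are not a statement of any state’s actual classification. It serves both the Core Data Inventory Elements section (purpose, necessity determination, data flows) and the sensitivity matrix: for each element it picks the most restrictive treatment across the states in scope and reports gaps between that treatment and how the element is actually handled.

```python
"""Sensitivity matrix for multi-state data mapping (added example).

The per-state classifications below are CONSTRUCTED for illustration from
the four treatments the article names (not sensitive; opt-in consent; no
sale without consent; strictly necessary and no sale even with consent).
They are not a statement of any state's actual law; a real inventory would
replace STATE_MATRIX with counsel-reviewed values.
"""
from dataclasses import dataclass
from enum import IntEnum


class Treatment(IntEnum):
    """Ordered least to most restrictive, so max() yields the binding rule."""
    NOT_SENSITIVE = 0
    OPT_IN_CONSENT = 1              # processing requires opt-in consent
    NO_SALE_WITHOUT_CONSENT = 2     # sale requires consent
    STRICTLY_NECESSARY_NO_SALE = 3  # collection must be strictly necessary; no sale at all


# Constructed illustrative matrix: category -> {state code: treatment}.
# Pairs missing from the matrix default to OPT_IN_CONSENT (the article's
# "most states" baseline for sensitive data) in treatment_for().
STATE_MATRIX = {
    "precise_geolocation": {
        "IA": Treatment.NOT_SENSITIVE,
        "MD": Treatment.STRICTLY_NECESSARY_NO_SALE,
        "NE": Treatment.NO_SALE_WITHOUT_CONSENT,
    },
    "health": {
        "MD": Treatment.STRICTLY_NECESSARY_NO_SALE,
        "NE": Treatment.NO_SALE_WITHOUT_CONSENT,
    },
    "email_address": {
        "IA": Treatment.NOT_SENSITIVE,
        "MD": Treatment.NOT_SENSITIVE,
        "NE": Treatment.NOT_SENSITIVE,
    },
}


@dataclass(frozen=True)
class DataElement:
    """One inventory row: the element, its sensitivity category, the documented
    purpose and necessity determination, and how it actually flows."""
    name: str
    category: str
    purpose: str
    necessary_for_service: bool   # documented necessity determination
    consent_obtained: bool        # opt-in consent recorded for this element
    sold_to_third_parties: bool   # appears in any data flow that is a "sale"


def treatment_for(category: str, state: str) -> Treatment:
    return STATE_MATRIX.get(category, {}).get(state, Treatment.OPT_IN_CONSENT)


def most_restrictive(category: str, states) -> tuple[Treatment, list[str]]:
    """Binding treatment for a category across every state in scope, plus the
    states that impose it. Unmapped (category, state) pairs count as OPT_IN_CONSENT."""
    ranked = {s: treatment_for(category, s) for s in states}
    top = max(ranked.values())
    return top, sorted(s for s, t in ranked.items() if t == top)


def findings(element: DataElement, states) -> list[str]:
    """Gaps between how an element is handled and each state's rule for it."""
    issues = []
    for state in sorted(states):
        t = treatment_for(element.category, state)
        if t == Treatment.STRICTLY_NECESSARY_NO_SALE:
            if element.sold_to_third_parties:
                issues.append(f"{state}: sale of '{element.name}' is prohibited even with consent")
            if not element.necessary_for_service:
                issues.append(f"{state}: no documented strictly-necessary basis for '{element.name}'")
        elif t == Treatment.NO_SALE_WITHOUT_CONSENT:
            if element.sold_to_third_parties and not element.consent_obtained:
                issues.append(f"{state}: '{element.name}' is sold without consent")
        elif t == Treatment.OPT_IN_CONSENT:
            if not element.consent_obtained:
                issues.append(f"{state}: '{element.name}' is processed without opt-in consent")
    return issues


def sensitivity_report(inventory, states) -> dict[str, dict]:
    """Per element: binding treatment, the states imposing it, and any findings."""
    report = {}
    for element in inventory:
        treatment, imposed_by = most_restrictive(element.category, states)
        report[element.name] = {
            "treatment": treatment.name,
            "imposed_by": imposed_by,
            "findings": findings(element, states),
        }
    return report


# Constructed sample inventory for a hypothetical telematics product.
SAMPLE_INVENTORY = [
    DataElement("trip_gps_trace", "precise_geolocation", "route logging",
                necessary_for_service=True, consent_obtained=True, sold_to_third_parties=True),
    DataElement("account_email", "email_address", "login and notices",
                necessary_for_service=True, consent_obtained=False, sold_to_third_parties=False),
]
SAMPLE_STATES = ["IA", "MD", "NE"]

if __name__ == "__main__":
    for name, row in sensitivity_report(SAMPLE_INVENTORY, SAMPLE_STATES).items():
        print(name, row["treatment"], row["imposed_by"])
        for issue in row["findings"]:
            print("  -", issue)
```

Because Treatment is an ordered enum, adding a state is a matter of adding matrix rows; the binding rule for every element is recomputed with max(), which is the “most restrictive requirement” lookup the section describes. The sample run flags the GPS trace under the strictly-necessary/no-sale treatment even though consent was recorded, which is the Maryland point the article makes about consent not curing a sale of sensitive data.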
Profiling and Automated Decision-Making Inventory
Minnesota’s profiling rights require additional documentation:
Algorithm inventory:
- Each algorithm or automated system that processes personal data
- Purpose and function of each algorithm
- Data inputs and outputs
- Decision-making role (fully automated, assisted, informational)
- Legal or significant effects determination
Profiling documentation:
- Logic and factors used in profiling decisions
- Data elements that influence outcomes
- How consumers could have achieved different outcomes
- Procedures for reviewing and correcting data
- Re-evaluation processes after corrections
Assessment records:
- Data protection impact assessments for each high-risk algorithm
- Maryland’s requirement for “an assessment for each algorithm that is used”
- Documentation of assessments conducted
Data Protection Impact Assessments: Evolving Requirements
Ten states now require data protection assessments (DPAs) before certain personal data processing activities begin. While requirements vary, businesses should focus on common triggers:
Universal DPA Triggers
Nearly all states requiring DPAs mandate them for:
- Targeted advertising using personal data
- Sale of personal data to third parties
- Profiling that may result in legal or similarly significant effects
- Processing sensitive data (with expanded definitions in 2025 laws)
Maryland’s Per-Algorithm Requirement
Maryland stands apart by requiring “an assessment for each algorithm that is used” in high-risk processing. The statute does not define “algorithm,” creating uncertainty about scope.
Potential interpretations:
- Narrow: Only machine learning models and AI systems
- Broad: Any systematic logic or code that processes personal data, including conditional business logic, scoring systems, and decision trees
Until the Maryland Attorney General provides guidance, businesses should take a risk-based approach, focusing on algorithms that:
- Make decisions with significant consumer impact
- Process large volumes of personal data
- Use sensitive data as inputs
- Generate automated outputs affecting consumer rights or opportunities
DPA Content Elements
Comprehensive data protection assessments should document:
Processing description:
- Categories of personal data processed
- Purposes for processing
- Volume of data and consumers affected
- Duration of processing
Necessity and proportionality:
- Why the processing is necessary to achieve the stated purpose
- Whether less invasive alternatives exist
- Proportionality analysis balancing business needs against privacy risks
Risk identification:
- Risks to consumers from the processing
- Likelihood and severity of potential harms
- Particular risks to vulnerable populations (minors, protected classes)
Safeguards and mitigation:
- Technical and organizational measures to reduce risks
- Access controls and security measures
- Data minimization and retention practices
- Consumer rights facilitation
Legal compliance:
- Applicable laws and regulations
- Exemptions or limitations relied upon
- Contractual protections with third parties
Assessment Documentation and Retention
Timing: DPAs must be conducted before initiating processing activities, not retroactively.
Updates: Assessments should be reviewed and updated:
- When processing practices change significantly
- When new risks are identified
- At least annually for ongoing processing
- When requested by regulators
Production to regulators: Multiple states authorize AGs to request DPAs during investigations. Organizations must balance:
- Maintaining assessments in readily producible formats
- Protecting attorney-client privilege and work-product protections where applicable
- Documenting the assessment process itself
Cure Periods: The Sunsetting Safety Net
Many early state privacy laws included “cure periods”—typically 30 to 60 days—during which businesses could remedy violations after being notified by the Attorney General before facing penalties. This approach was intended to give companies time to achieve compliance, particularly given the novelty and complexity of privacy requirements.
2025 marks a turning point: Several states are phasing out cure periods entirely or making them discretionary rather than mandatory.
States Eliminating Cure Periods in 2025
Montana: Removed its 60-day cure period as of October 1, 2025, allowing immediate enforcement without warning.
Delaware: Cure period expires December 31, 2025, after which the Delaware AG can proceed directly to enforcement.
New Hampshire: Mandatory 60-day cure period expires December 31, 2025, though the AG retains discretion to offer cures thereafter.
Minnesota: 30-day cure period sunsets January 31, 2026 (six months after the law’s July 31, 2025 effective date).
States Maintaining Non-Sunsetting Cure Periods
Texas: TDPSA includes a 30-day cure provision with no sunset date, providing ongoing opportunities to remedy violations before penalties.
Tennessee: 60-day cure period with no sunset provision.
Strategic Implications
The elimination of cure periods means:
First violation penalties: Businesses may face immediate financial penalties for first-time violations without opportunity to cure, increasing the stakes of non-compliance.
Compliance urgency: The traditional approach of “implementing gradually and fixing issues when identified” becomes untenable. Businesses must prioritize proactive compliance.
Enhanced documentation: Demonstrating good-faith compliance efforts may influence enforcement discretion even without formal cure periods. Detailed compliance documentation becomes critical.
Insurance considerations: Cyber and privacy insurance policies should be reviewed to ensure coverage for regulatory penalties, particularly given higher immediate exposure.
Universal Opt-Out Mechanisms: The New Standard
The rapid adoption of universal opt-out mechanism requirements represents one of the clearest trends in state privacy legislation. As of October 2025, twelve states require businesses to recognize browser-based signals like Global Privacy Control (GPC):
States requiring universal opt-out: California, Colorado, Connecticut, Delaware, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Maryland, and Minnesota.
What Universal Opt-Out Mechanisms Do
Universal opt-out mechanisms allow consumers to communicate privacy preferences automatically through browser settings, app settings, or third-party services. When enabled, these mechanisms send a signal to websites and services indicating the user wishes to opt out of:
- Sale of personal data
- Targeted advertising
- Certain types of profiling (in Minnesota)
Global Privacy Control (GPC)
GPC is the most widely adopted universal opt-out signal. It’s a technical specification that enables:
- Browser extensions to send opt-out signals
- Browser manufacturers to build opt-out into their products (e.g., DuckDuckGo, Brave)
- Websites to detect and honor these signals automatically
Implementation Requirements
Businesses must:
Detect signals: Implement technical infrastructure to detect universal opt-out signals from users’ browsers or devices.
Honor immediately: Process opt-out requests from universal signals on the same timeline as manual opt-out requests.
Scope correctly: Apply opt-outs to the appropriate processing activities:
- Data sales (all 12 states)
- Targeted advertising (all 12 states)
- Profiling for automated decisions with legal/significant effects (Minnesota, Delaware, others)
Don’t require additional steps: Businesses cannot require users to provide additional information, create accounts, or take additional actions beyond enabling the universal signal.
Maintain documentation: Keep records of how universal signals are processed and honored.
Compliance Challenges
Signal interpretation: Determining what processing activities fall under “sale” or “targeted advertising” requires careful legal analysis, as definitions vary by state.
Technical implementation: Detecting and processing GPC signals requires coordination between legal, privacy, and engineering teams, particularly for complex technical infrastructures with multiple data flows.
First-party vs. third-party: Businesses must determine which data practices are subject to opt-out rights and which are exempt as necessary service provision.
Multi-state operations: A consumer in California enabling GPC must have their opt-out honored, while the same business may not need to honor GPC for users in states without universal opt-out requirements—creating complex geolocation-dependent processing logic.
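The implementation requirements above (detect the signal, honor it on the same footing as a manual request, scope it to the right activities, require no extra steps, keep records) and the multi-state problem just described can be put together in one server-side decision routine. The following is an added example written for this article, not code from the original page or from any vendor. It assumes the request's state of residence has already been resolved elsewhere and is passed in as a two-letter code, and it uses the real GPC transport, the `Sec-GPC: 1` request header (the browser-side equivalent is `navigator.globalPrivacyControl`). The state-to-scope table is built only from the states and activities this article names; the `honorEverywhere` option, the activity names, and the sample headers are constructed for illustration.

```javascript
// Added example (not from the article): honoring a Global Privacy Control (GPC)
// signal for a site serving consumers in many states.
// Assumptions: the visitor's state has been resolved upstream and is passed in
// as a two-letter code; the tables below mirror the article's lists and are
// illustrative, not a legal determination.

// States the article lists as requiring recognition of universal opt-out signals.
const UNIVERSAL_OPT_OUT_STATES = new Set([
  'CA', 'CO', 'CT', 'DE', 'MT', 'NE', 'NH', 'NJ', 'OR', 'TX', 'MD', 'MN',
]);

// Activities the article says a universal signal must cover in every one of
// those states, plus the states it names for profiling (it says "others" too;
// those are left out here rather than guessed).
const BASE_SCOPE = ['sale', 'targeted_advertising'];
const PROFILING_STATES = new Set(['MN', 'DE']);

// GPC is carried as the HTTP request header "Sec-GPC: 1". Any other value, or a
// missing header, is not an opt-out signal. Node lowercases header names, but
// the original casing is checked too in case headers come from elsewhere.
function hasGpcSignal(headers) {
  const raw = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return typeof raw === 'string' && raw.trim() === '1';
}

// Decide which processing activities must be switched off for this request.
// Returns { honored, optOuts, reason }. No account, form, or other user action
// is required beyond the browser having sent the signal.
function decideOptOuts(headers, stateCode, opts = {}) {
  const state = String(stateCode || '').toUpperCase();
  if (!hasGpcSignal(headers)) {
    return { honored: false, optOuts: [], reason: 'no GPC signal present' };
  }
  // Honoring GPC for every visitor is simpler and avoids geolocation errors;
  // the default below honors it only where the article says it is required.
  const honorEverywhere = opts.honorEverywhere === true;
  if (!honorEverywhere && !UNIVERSAL_OPT_OUT_STATES.has(state)) {
    return { honored: false, optOuts: [], reason: `state ${state || 'unknown'} not in required set` };
  }
  const optOuts = [...BASE_SCOPE];
  if (PROFILING_STATES.has(state)) optOuts.push('profiling');
  return { honored: true, optOuts, reason: 'GPC signal honored' };
}

// The record the article says to keep: what was received, what was decided, when.
function auditRecord(headers, stateCode, decision, now = new Date()) {
  return {
    timestamp: now.toISOString(),
    signal: hasGpcSignal(headers) ? 'Sec-GPC: 1' : 'none',
    state: String(stateCode || '').toUpperCase() || 'unknown',
    honored: decision.honored,
    optOuts: decision.optOuts,
    reason: decision.reason,
  };
}

// Apply the decision to the per-request consent flags that ad and analytics
// tags read, so a GPC opt-out lands in the same place a manual opt-out would.
function applyToConsent(consent, decision) {
  const next = { ...consent };
  for (const activity of decision.optOuts) next[activity] = false;
  return next;
}

// Constructed sample request: a Maryland visitor whose browser sends GPC.
const sampleHeaders = { 'sec-gpc': '1', 'user-agent': 'constructed-example' };
const sampleDecision = decideOptOuts(sampleHeaders, 'MD');
console.log(auditRecord(sampleHeaders, 'MD', sampleDecision));
console.log(applyToConsent({ sale: true, targeted_advertising: true, analytics: true }, sampleDecision));
```

The design choice worth noting is the `honorEverywhere` switch: the geolocation-dependent path only saves processing in states the article does not list, and a wrong state lookup on that path turns into a missed opt-out, so many teams will prefer to honor the signal uniformly and keep the state table only for the profiling scope.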
Enforcement Trends and Practical Compliance Considerations
The Enforcement Landscape is Intensifying
California’s aggressive posture: The California Privacy Protection Agency (CPPA) has moved from educational warnings to substantial penalties, including the groundbreaking $632,500 Honda settlement in March 2025 for requiring excessive information when consumers exercised privacy rights.
Texas’s multi-theory approach: The Allstate lawsuit demonstrates state AGs will pursue violations under privacy laws, consumer protection laws, industry-specific regulations, and data broker requirements simultaneously.
Coordinated investigations: State AGs are increasingly sharing information and coordinating investigations, as seen in investigations into automotive data practices and social media companies.
Lessons from Recent Enforcement
Privacy policy accuracy matters: Statements in privacy policies must accurately reflect actual practices. Contradictions between policies and practices create significant legal exposure.
Real-world breach examples: Organizations can learn from documented data breaches and enforcement actions. Search for company-specific breach information and regulatory actions at breached.company to understand patterns in enforcement and security failures.
User experience is compliance: Honda’s penalty demonstrates that making it difficult for consumers to exercise rights—even technically allowing them—can constitute a violation.
“Unnecessary” information requests: Requiring consumers to provide information not actually needed to verify identity or process requests violates privacy laws.
SDKs and third-party tech: Companies integrating third-party SDKs, pixels, or tracking technologies remain liable for those technologies’ data collection, even if they don’t directly control them.
Data broker status: Many businesses that don’t consider themselves “data brokers” may meet legal definitions, particularly if they:
- Purchase data from third parties and resell it
- Collect data through cookies/pixels and sell it to advertisers
- Aggregate data from multiple sources and monetize it
Strategic Compliance Framework for Nationwide Operations
Phase 1: Applicability Assessment (Immediate Priority)
Determine which state laws apply to your business:
- Calculate consumer volumes by state based on the prior calendar year
- Assess revenue thresholds and percentages derived from data sales
- Review exemptions (HIPAA, GLBA, FCRA coverage; small business status in Nebraska and Minnesota)
- Document applicability determinations with supporting data
Identify your most restrictive obligations:
- Maryland’s “strictly necessary” standard if processing sensitive data
- Minnesota’s data inventory requirement
- Delaware’s specific third-party disclosure obligation
- State-specific sensitive data definitions
Phase 2: Data Mapping and Documentation (Q4 2025/Q1 2026)
Comprehensive data inventory:
- All personal data categories collected, processed, and stored
- Sources of data (first-party, third-party, derived)
- Processing purposes with necessity justifications
- Data flows to third parties with specific entity names
- Retention periods and deletion procedures
Sensitive data classification:
- Map each data element against all applicable state definitions
- Identify the most restrictive classification that applies
- Document consent mechanisms and necessity justifications
Algorithm and profiling inventory:
- Identify all automated decision-making systems
- Document logic, inputs, outputs, and effects
- Assess whether decisions have “legal or similarly significant effects”
- Prepare consumer-facing explanations
Phase 3: Privacy Notice and Consent Updates (Q1 2026)
Privacy notice enhancements:
- Specific third-party recipients (Delaware requirement)
- Sensitive data processing justifications (Maryland necessity standard)
- Profiling and automated decision-making disclosures (Minnesota, others)
- Universal opt-out mechanism instructions
- Clear descriptions of consumer rights by state
Consent mechanisms:
- Opt-in consent for sensitive data processing (most states)
- Separate consents for minors (enhanced protections under Maryland)
- Documentation of when consent was obtained and its scope
- Easy withdrawal mechanisms (New Jersey’s 15-day cessation requirement)
Phase 4: Consumer Rights Infrastructure (Q1-Q2 2026)
Request intake and verification:
- Multiple request submission methods (web forms, email, phone)
- Identity verification processes that don’t require unnecessary information
- Automated acknowledgment and tracking systems
- Reasonable verification standards that match risk
Response procedures:
- Access: Providing data in portable formats within 45 days (30 days in many states)
- Deletion: Confirming deletion from active systems and directing service providers
- Correction: Processes for reviewing and correcting inaccurate data
- Opt-out: Honoring opt-outs of sales, targeted advertising, and profiling
- Profiling challenges: Minnesota-specific procedures for explaining decisions, providing alternative outcome information, reviewing data, and re-evaluating decisions
Appeals processes:
- Clear instructions for appealing denials
- Timely review and response (typically 30-45 days)
- Documentation of appeals and outcomes
Universal opt-out mechanisms:
- Technical implementation to detect GPC and similar signals
- Automated processing of universal opt-outs
- Documentation and audit trails
Phase 5: Data Protection Assessments (Ongoing)
Conduct DPAs for high-risk activities:
- Processing sensitive data
- Targeted advertising and data sales
- Profiling and automated decision-making
- Processing children’s data
- Each algorithm used in high-risk processing (Maryland)
Document assessments:
- Necessity and proportionality analysis
- Risk identification and mitigation measures
- Regular reviews and updates
- Attorney-reviewed assessments where privilege is important
Phase 6: Vendor and Service Provider Management (Q2 2026)
Contract updates:
- Data processing agreements with mandatory CCPA/state law compliance
- Instructions for handling deletion requests
- Prohibition on selling or retaining data beyond service provision
- Data breach notification obligations
- Audit rights and compliance certification requirements
Vendor due diligence:
- Initial privacy and security assessments
- Ongoing monitoring for compliance
- Vendor risk scoring and prioritization
- Annual vendor privacy audits
Phase 7: Training and Documentation (Ongoing)
Staff training programs:
- Privacy law fundamentals for all employees handling personal data
- Specific training for teams receiving consumer requests
- Technical training for engineering teams implementing privacy controls
- Regular refreshers as laws evolve
Documentation and audit trails:
- Policies and procedures for all privacy obligations
- Records of data processing activities
- Consumer request logs and response documentation
- Vendor assessment and monitoring records
- DPAs and supporting materials
- Training completion records
- Incident response and remediation documentation
Phase 8: Monitoring and Adaptation (Ongoing)
Regulatory monitoring:
- Track new state privacy laws and amendments
- Monitor AG guidance, FAQs, and rulemaking
- Follow enforcement actions and settlements
- Participate in industry associations for advance notice
Program assessment:
- Regular privacy program audits (annually at minimum)
- Gap analyses against new requirements
- Third-party assessments and certifications
- Board and executive reporting on privacy compliance
The Road Ahead: What to Expect in 2026 and Beyond
Additional States Implementing Laws
Several additional states have passed comprehensive privacy laws with 2026 effective dates:
- Indiana: January 1, 2026
- Kentucky: January 1, 2026
- Rhode Island: January 1, 2026
- Maine: July 1, 2026 (already has several sector-specific privacy laws)
These states will add millions more consumers to the protected population and potentially introduce new compliance requirements.
Federal Preemption Uncertainty
While Congress continues to consider federal privacy legislation, the likelihood of comprehensive federal law in 2026 remains uncertain. If enacted, key questions include:
- Preemption scope: Would federal law preempt state laws entirely, create a floor with state law ceilings, or allow states to maintain stricter requirements?
- Enforcement model: Federal Trade Commission, new privacy agency, or state AG enforcement?
- Private right of action: Would consumers be able to sue directly for violations?
Businesses should plan for continued state-by-state compliance rather than assuming federal preemption will simplify the landscape.
Enforcement Escalation
Expect continued intensification of enforcement:
- More states creating dedicated privacy enforcement divisions (following California and Texas)
- Increased penalties as cure periods sunset
- Coordinated multi-state investigations
- Private litigation in states with private rights of action
Emerging Privacy Topics
State legislatures are actively considering new privacy-adjacent legislation:
- AI governance: Disclosure requirements, impact assessments, and restrictions on automated decision-making
- Biometric privacy: Enhanced protections for facial recognition, fingerprints, and other biometric identifiers
- Children’s privacy: Stricter age verification, design standards, and default privacy settings for minors
- Data broker regulation: Registration, disclosure, and deletion requirements beyond just California and Texas
- Health privacy: Protections for reproductive health data, genetic information, and mental health data beyond HIPAA coverage
Conclusion: The New Privacy Compliance Reality
The post-October 2025 privacy landscape demands a fundamental shift in how businesses approach data governance. The era of treating privacy as a compliance checklist or legal formality has ended. Privacy is now a core operational requirement that touches every aspect of data-driven business models.
Key imperatives for nationwide compliance:
1. Implement comprehensive data mapping: You cannot comply with laws requiring data minimization, necessity justifications, and consumer rights fulfillment without knowing exactly what data you have, where it is, how it moves, and why you need it.
2. Document everything: From necessity determinations to profiling logic to consumer request handling, documentation is the foundation of demonstrating compliance. States increasingly require not just compliance, but proof of compliance.
3. Prioritize Maryland and Minnesota: These states’ requirements—Maryland’s strict necessity standard and Minnesota’s data inventory and profiling rights—generally exceed other states’ requirements. Building compliance programs around these standards creates a strong foundation for multi-state compliance.
4. Prepare for enforcement: With cure periods sunsetting and state AGs demonstrating aggressive enforcement, businesses must assume violations will result in immediate penalties. Insurance, legal counsel, and incident response planning should reflect this reality.
5. Embrace universal opt-out mechanisms: With twelve states already requiring them and more likely to follow, universal opt-out is becoming the standard. Implement technical infrastructure now rather than playing catch-up.
6. Audit vendor relationships: The Allstate case demonstrates companies remain liable for third-party data collection and processing. Vendor privacy due diligence, contract protections, and ongoing monitoring are essential.
7. Question data monetization models: Maryland’s prohibition on selling sensitive data and strict necessity requirements challenge business models built on unrestricted data monetization. Strategic assessment of sustainable, compliant data practices is critical.
8. Monitor and adapt continuously: The privacy landscape evolves rapidly. Compliance cannot be a “set it and forget it” exercise. Ongoing monitoring, assessment, and program updates are necessary.
The October 2025 milestone—with Maryland’s entry, Montana’s amendments, and the full activation of eight new state laws throughout the year—marks a fundamental transformation in American privacy regulation. Businesses that treat compliance as a strategic priority, invest in robust data governance infrastructure, and embrace transparency and consumer control will be best positioned to navigate this complex landscape successfully.
For those continuing to operate with minimal privacy controls, hoping states won’t notice or enforcement won’t reach them, the Texas AG’s warning letters to over 100 companies provide a stark reminder: state enforcement is real, aggressive, and only intensifying.
The patchwork is here to stay. Success requires not just understanding individual state requirements, but building comprehensive, adaptable privacy programs that can scale with the evolving regulatory landscape.
Related Resources
ComplianceHub In-Depth Articles
2025 US State Privacy Laws: Compliance Guide for 8 New Regulations
October 1, 2025: Three Major State Privacy Law Updates and the Universal Opt-Out Revolution
The Minnesota Consumer Data Privacy Act (MCDPA): A New Era for Data Rights
In-Depth Analysis of the Montana Consumer Data Privacy Act (MCDPA)
Enhancing State Cybersecurity Measures: New Jersey and New Hampshire Regulations
California’s SB 361: New Data Broker Transparency Requirements
Demystifying the Data Landscape: State Privacy Laws Podcast
Navigating the Maze: U.S. State Data Privacy Laws
2025 State Privacy and Technology Compliance Guide
Interactive Compliance Tools
US State Privacy Rights Comparison Tool - Compare consumer privacy rights across all 20 US states with comprehensive privacy laws. Track 21 rights including emerging AI and neural data protections.
PII Compliance Navigator | Sensitive Data Categories - Comprehensive tool to explore which U.S. states classify different types of data as sensitive under privacy laws. Navigate compliance requirements across 19 states.
Biometric Privacy Tracker - State-by-state biometric data protection requirements covering laws like Illinois BIPA, Texas CUBI, and emerging state biometric frameworks.
Breach Notification Requirements Tracker - Comprehensive state breach notification law tracker covering all 50 US states, including notification timelines, requirements, and regulatory authority contacts.
Breach Information & Enforcement
Breached.Company - Search for company-specific data breach information, enforcement actions, and regulatory investigations across industries.
This article is for informational purposes only and does not constitute legal advice. Organizations should consult with qualified legal counsel regarding their specific compliance obligations under state privacy laws.