The Bottom Line
- Two new state comprehensive privacy laws will go into force in July, bringing the total number of active state laws to fifteen, but these are not the only new privacy laws.
- State regulators continue to increase their enforcement efforts, including a $1.55 million settlement secured by the California Attorney General’s office this month.
- Privacy compliance is not a one-and-done exercise. Companies should revisit their privacy disclosures and practices at least annually in light of constantly changing requirements. It is easy for a compliant privacy program to quickly fall out of compliance.
The U.S. privacy landscape continues to evolve, with new laws being enacted or coming into effect, existing laws being amended or updated, and state regulators building up their privacy enforcement capacity. Below are some significant U.S. privacy developments to consider as 2025 reaches the halfway mark.
Tennessee and Minnesota Privacy Laws Come Into Force
With the Tennessee Information Protection Act (TIPA) effective as of July 1, 2025, and the Minnesota Consumer Data Privacy Act (MCDPA) going into effect on July 31, businesses face new privacy requirements including, but not limited to, the following:
- NIST Framework Compliance — The TIPA requires companies to maintain and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework.
- Internal Policies and Procedures — The MCDPA requires controllers to document and maintain a description of their policies and procedures adopted to comply with the law, including those addressing: their obligations as a controller under the MCDPA; incorporation of MCDPA principles in system design; how to identify and provide personal data to consumers upon request; data security practices; maintenance of a data inventory; data minimization; data retention; and how to identify and remediate violations of the MCDPA.
- Privacy Officer Requirement — Controllers subject to the MCDPA must name a chief privacy officer or other individual (such as a Data Protection Officer) with primary responsibility for directing policies and procedures implemented to comply with the law.
- Notification of Material Changes to Privacy Practices — Under the MCDPA, controllers must affirmatively notify consumers of any material change to the controller’s privacy policy or personal data practices, and for previously collected personal data, provide a reasonable opportunity for consumers to withdraw consent to any materially different processing.
- Specific Geolocation Data — The MCDPA’s definition of “specific geolocation data” diverges from the 1,750 square feet threshold used by other state laws, and instead relies on a standard of “accuracy of more than three decimal degrees of latitude and longitude (i.e., more than 364 feet), or a street address derived from the coordinates.”
Texas Enacts Data Broker Law Amendments
On June 20, 2025, Governor Greg Abbott signed into law Texas S.B. 1343 and 2121, which amend the State’s existing data broker law. S.B. 1343 will require data brokers to inform consumers how to exercise their privacy rights under the law, and S.B. 2121 removes the “principal source of revenue” criteria from the definition of “data broker.” The revised definition of “data broker” now refers to “a business entity that collects, processes, or transfers personal data that the business entity did not collect directly from the individual linked or linkable to the data.” While there are still other threshold tests, more companies are now likely to be considered data brokers in Texas.
New Children’s Privacy Laws and Codes
Regulating children’s privacy is politically popular on both sides of the aisle, and as a result, states have introduced a slew of new laws. Age-appropriate design codes have been enacted in California (though currently subject to a preliminary injunction), Maryland, Vermont and Nebraska. Other states, such as New York and Arkansas, have passed laws regulating marketing and advertising to minors, including via social media platforms. With the growing number of state restrictions on the collection and processing of children’s data, it will become increasingly difficult to engage in targeted advertising to minors.
State Regulators Redouble Their Enforcement Efforts
State agencies are bolstering their privacy enforcement resources and placing increased pressure on businesses to comply with state privacy frameworks. On July 1, 2025, California Attorney General Rob Bonta announced a $1.55 million settlement with website publisher Healthline Media LLC. According to the Attorney General’s complaint, Healthline: failed to provide consumers with the right to opt out of the sale or sharing of their personal data for certain targeted advertising activities; violated the CCPA’s purpose limitation principle; failed to execute “third party” contractual terms with advertising partners; and deceived consumers about their ability to disable cookie tracking. The Connecticut Attorney General announced an $85,000 settlement with a ticketing company on July 8, 2025, and other state attorneys general are sending out letters regarding alleged violations of their respective laws. In light of increased privacy regulation at the state level, companies should act first before they are contacted by a regulator.
Bulk Data Transfer Rules
A new data security program has been implemented by the Department of Justice under Executive Order 14117 (“Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern”), which prohibits the transfer of certain personal data to countries of concern or covered persons. Any contract regarding the transfer of personal data to any foreign recipient (not just those in countries of concern) must address this issue going forward.
Data Protection Assessments
Certain state privacy laws require companies to conduct and document a data protection assessment if they engage in certain activities deemed to present a heightened risk of privacy harms to consumers, such as targeted advertising or the processing of sensitive personal information, and state attorneys general can request copies of these assessments during an investigation. Given the uptick in state regulatory enforcement, businesses should immediately begin to evaluate their data processing activities to determine whether a data protection assessment is required.
Robert Chappell, an intern in the Advertising + Marketing and Privacy, Technology + Data Security practice groups at Davis+Gilbert, assisted with this alert.