Making a List and Checking it Twice: Navigating State Privacy and Security Regulations This Year

Ropes & Gray LLP

While there are many significant federal laws and regulations related to cybersecurity, states have led the way in regulating this area on a general, sector-agnostic basis, with the most notable and widely acknowledged state cybersecurity provisions being state data breach notification laws. However, more recently, states have focused on passing comprehensive privacy, rather than security, laws, and 2025 promises to be a continuation of this trend, with eight additional comprehensive state privacy laws coming into effect next year.

State Data Breach Notification Laws

All 50 states, along with Puerto Rico, Guam, the U.S. Virgin Islands, and the District of Columbia, have enacted data breach notification laws, with California pioneering the first in 2003. Although the last state data breach notification law was enacted in 2018, several amendments have been passed to such state laws more recently.

In general, state data breach notification laws establish the requirements for notifying individuals and entities when a security incident results in a breach of personal data. Most statutes protect personal information such as the first name, or first initial, and last name in combination with at least one other unencrypted data element, although the range of protected data elements has been expanding, with some statutes now including biometric data, medical information, health insurance details, and other personally identifiable information.

In 2024, we saw a few updates to state data breach notification laws, including in Utah and Pennsylvania. Pennsylvania made a series of short, yet substantial updates to its data breach notification statute with Senate Bill 824, which took effect in September of this year. Updates include, among other things, (i) entities notifying more than 500 Pennsylvania residents must now notify the PA attorney general; (ii) if a breach affects social security numbers, driver’s license numbers or bank account numbers, the entity must provide credit monitoring free of charge for 12 months; and (iii) a narrowed definition of “personal information,” which was expanded last year to include “medical information,” but now requires notification only for medical information “in the possession of a State agency or State agency contractor.” Utah made a few updates to its breach notification law as well, with Senate Bill 98, which came into effect in May. The bill amends Utah’s breach notification law to, among other things, specify what must be included in a covered entity’s breach notification: the date the breach of system security occurred; the date the breach of system security was discovered; the total number of people affected by the breach of system security, including the total number of Utah residents affected; the type of personal information involved in the breach of system security; and a short description of the breach of system security that occurred.

Comprehensive State Privacy Laws

In the absence of a federal comprehensive privacy law in the U.S., states have been enacting their own patchwork of laws. There are currently 19 states that have enacted comprehensive state privacy laws: California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia, eight of which become effective in 2025. The first three laws, the California Consumer Privacy Act (“CCPA”), the Virginia Consumer Data Protection Act, and the Colorado Privacy Act, have largely set the scope of these laws, and largely limited their application to cybersecurity. As is the standard international practice, these laws enumerate various duties for data controllers reflecting common personal data processing principles, such as the duty to be transparent, to specify the purposes for processing, and to minimize the processing of personal data. Some, although not all, include general security provisions requiring companies to appropriately secure all personal data.

Privacy Laws Effective in 2024:

In 2024, three comprehensive state privacy laws went into effect: Oregon and Texas on July 1 and Montana on October 1. First, the Oregon Consumer Privacy Act (“OCPA”) applies to businesses and nonprofits that (1) control or process the personal data of 100,000 or more Oregon residents, or (2) control or process the personal data of 25,000 or more Oregon residents, while deriving 25% or more of gross revenue from selling personal data. The OCPA is enforced exclusively by the Oregon Attorney General with no private right of action, and penalties for violations of the OCPA consist of up to $7,500 per violation after a 30-day cure period.

Next, the Texas Data Privacy and Security Act (“TDPSA”) applies to businesses that (1) conduct business in Texas or produce products or services consumed by Texas residents, or (2) process or engage in the sale of personal data and are not “small businesses” as defined by the SBA. The TDPSA is enforced exclusively by the Texas Attorney General with no private right of action, and penalties for violations consist of fines of up to $7,500 per violation after a 30-day cure period.

Finally, the Montana Consumer Data Privacy Act (“MTCDPA”) applies to businesses that (1) control or process the personal data of at least 50,000 Montana residents, or (2) control or process the personal data of 25,000 or more Montana residents and derive more than 25% of gross revenue from the sale of personal data. The MTCDPA is enforced by the Montana Attorney General with no private right of action for violations, and penalties for violation consist of fines of up to $7,500 per violation after a 60-day cure period.

Privacy Laws Passed in 2024:

Seven states (Nebraska, New Hampshire, New Jersey, Minnesota, Maryland, Kentucky, and Rhode Island) have enacted comprehensive privacy laws, which are set to take effect between January 1, 2025, and January 1, 2026. A few of these new comprehensive state privacy laws present some nuances. For example, in May of this year, Maryland signed into law the Maryland Online Data Privacy Act, which will go into effect on October 1, 2025. This law brings new stringent protections for children’s data and biometric data, introduces a novel “strictly necessary” data minimization requirement for processing “sensitive data,” and prohibits the sale of such data, setting different standards for data minimization based on whether the relevant data is “personal” or “sensitive.”

In addition, in May of this year, Minnesota signed into law the nation’s 19th comprehensive privacy law, the Minnesota Consumer Data Privacy Act, which takes effect on July 31, 2025. This law is unique in that it includes an exemption for small businesses and extends the right to opt out of profiling, allowing consumers to access and question the results of a controller’s profiling decisions that produce legal or similarly significant effects on the consumer (i.e., the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods or services).

Updates to Existing Legislation in 2024:

Several states have passed updates to their existing privacy legislation to broaden their scope and enhance protections. For example, this year, California signed into law AB 1008, AB 1824, and SB 1223, which amend the CCPA by (i) updating the definition of “sensitive personal information” to include a “consumer’s neural data,” which is defined to mean “information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information;” and (ii) requiring businesses that acquire personal information as an asset from another business in the context of a merger, acquisition, or other business transfer to honor opt-out requests that consumers made to the transferring business.

In addition, in May of this year, Colorado signed into law HB 1130, which expands the Colorado Privacy Act to impose new requirements on controllers that process biometric data, which includes protections for both consumers and employees who were previously not within the scope of the law, and to regulate neural data. The amendment, effective July 1, 2025, requires controllers who collect or process biometric identifiers or data to adopt a written policy related to data retention and incident response, avoid selling, leasing, or trading such data, provide a just-in-time notice and obtain consent to collect or disclose such data, and offer a right of access to biometric data. The amendment also allows employers to require employees or prospective employees to consent to the collection or processing of their biometric identifiers for specific purposes, such as access to physical locations and secure systems, clocking in and out, and safety and security. If employers intend to use biometric identifiers for other purposes, they must obtain the employee’s freely given consent without any preconditions or retaliation.

State AI Laws

Currently, there is no comprehensive federal law in the U.S. that regulates the development or deployment of artificial intelligence (“AI”); however, several states have enacted comprehensive privacy legislation that also regulates the use of AI.

In May of this year, Colorado became the first state in the U.S. to enact comprehensive legislation regulating AI with the signing of the Colorado AI Act, which takes effect on February 1, 2026. The law applies to all Colorado businesses that develop or deploy high-risk AI systems and is aimed at addressing AI bias, establishing a requirement of human oversight throughout the life cycle of AI systems, and requiring significant documentation around the use of AI. The law applies to any AI system that, when deployed, makes, or is a substantial factor (a factor generated by an AI system that is used to assist in making, and is capable of altering the outcome of, a consequential decision) in making, a consequential decision (any decision that has a material legal or similarly significant effect on the provision or denial to any consumer of, or the cost or terms of, education, employment, financial or lending services, essential government services, health care service, housing, insurance, or legal services).

See our post on AI Developments for further information on U.S. AI laws.

Looking Ahead to 2025

The new year will continue to bring several developments to the U.S. privacy landscape. In 2025, several states’ new comprehensive privacy laws will take effect – beginning on January 1, with Nebraska, Iowa, Delaware, and New Hampshire, then New Jersey on January 15, Tennessee on July 15, Minnesota on July 31, and Maryland on October 1.

In addition, states have highlighted their enforcement priorities for 2025. For example, the Colorado Attorney General’s Office indicated that it would focus its enforcement of the Colorado Privacy Act on targeted advertising and profiling opt-out requests and sensitive data processing requirements. Similarly, the Connecticut Attorney General’s Office released a report highlighting a series of “warning letters” that the office has sent to companies for alleged violations of the Connecticut Consumer Data Protection Act.

Finally, additional rulemaking by the California Privacy Protection Agency (“CPPA”) is anticipated on a variety of issues, including automated decision-making, risk assessments, and cybersecurity audits, with regulations expected to be issued in 2025. For automated decision-making, the initial proposed rules would, among other things, instruct companies how to provide notice of automated technology’s use, when and how opting out is permitted, and how consumers can access information.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Ropes & Gray LLP
