Comprehensive state privacy laws often task a state regulator with promulgating accompanying regulations that clarify the law’s requirements and with enforcing the law, providing further guidance through its enforcement actions. Most state privacy laws empower a state’s office of the attorney general with rulemaking and enforcement authority, though California is a different story. The California Consumer Privacy Act created the California Privacy Protection Agency (CPPA), ceding sole rulemaking authority to the agency but splitting enforcement power between the state attorney general and the agency.
Recent state regulator initiatives will likely have a meaningful impact on enforcement of state privacy laws in 2025. We examine recent activity from a few of these regulators to highlight the different ways signals are sent to the market regarding compliance obligations.
Colorado
Colorado's attorney general adopted rules pursuant to its authority under the Colorado Privacy Act (CPA). After publishing draft rules in September and holding public hearings in November, the rules went into effect on December 6, 2024. These rules primarily cover three topics: biometric data, minors' data, and opinion letters issued by the Colorado attorney general.
- Biometric Data: On July 1, 2025, Colorado will require companies to notify consumers, at or before collecting or processing a biometric identifier, of how the company uses, retains, and discloses such data. Most significantly, the CPA rule regarding biometric data is one of the few provisions that apply to employees, which brings the CPA closer to Illinois's Biometric Information Privacy Act, which also requires employers to obtain employee consent before collecting a biometric identifier and to make available a biometric data policy detailing how such data is processed.
- Minors' Data: On October 1, 2025, companies must obtain consent from consumers between 13 and 18 years old if the company knows or has constructive knowledge that the consumer is a "minor." The treatment of minors is different from that of children — those 12 years old and younger — as a child’s parent or guardian must consent rather than the child themselves.
- Opinion Letters: The CPA rules create a process for issuing opinion letters to develop an operational framework that includes a good-faith reliance defense. A data protection assessment submitted by a business seeking an opinion letter, conducted in anticipation of the contemplated processing activity, will be kept confidential, and the submission will not be deemed a waiver of attorney-client privilege.
California
The CPPA voted to advance its proposed automated decision-making technology (ADMT) regulations on November 8, 2024. Under these regulations, ADMT is "any technology that processes personal information and uses computation to execute a decision, replace human decision-making, or substantially facilitate human decision-making." If the rules pass as drafted, technology that aids, but does not substantially facilitate, human decision-making would not constitute an ADMT.
Businesses using ADMT to profile consumers or to make legally significant decisions (finance, employment, or health care-related) must disclose such use to consumers and notify them of their right to opt out of ADMT being used on their data. The consumer ADMT opt-out right does not apply if the consumer can elect to have a human review the decision. "Profiling" includes any automated processing that evaluates or predicts personal traits such as intelligence, economic status, health, preferences, or behaviors. This expansive definition likely encompasses widely used enterprise tools, including website tracking (i.e., cookies and pixels) and employee monitoring technologies.
In addition to the ADMT disclosures, businesses selling or sharing personal information or processing sensitive data must submit a risk assessment of their processing to the CPPA within 24 months of the draft rule's effective date and then annually thereafter. These ADMT-related requirements will require businesses to review and update their privacy notices to ensure all legal requirements are satisfied and that the information in the notice remains accurate.
New York and Texas
In 2025 we will likely see a higher volume of state regulators initiating rulemakings as a federal privacy law remains elusive and federal agency activity remains unclear. For example, near the end of 2024, New York passed the SAFE for Kids Act and the New York Child Data Protection Act, and the state attorney general has already issued two advance notices of proposed rulemaking as it seeks public comment on a number of questions that will guide the first draft of proposed rules.
On the other hand, state regulators without rulemaking authority are actively using their enforcement powers to send signals about the state’s privacy law requirements. Texas's Data Privacy and Security Act (TXDPSA) grants the attorney general enforcement authority but not rulemaking authority; that has not slowed down the attorney general, who has ongoing investigations into the handling of children’s data, the collection of vehicle telemetry data, and the disclosure and sharing of personal data by insurance companies. Additionally, the TXDPSA’s requirement to recognize global opt-out mechanisms became effective on January 1, 2025. As the attorney general seeks to define the parameters of the TXDPSA through enforcement, these investigations will provide the market with clarity on what compliance is required, or at least on what activities to avoid in hopes of steering clear of the attorney general's crosshairs.
With the number of rulemaking and enforcement actions occurring across different states, businesses and their legal teams must pay close attention to the ever-shifting goal posts and requirements of state privacy laws.