Resource Center / Reports and Research Articles / EU Digital Laws Report 2025

US State Comprehensive Privacy Laws Report

2025 Legislative Session

This report provides in-depth analysis of U.S. state comprehensive privacy laws.

Published: October 2025

Contributors:

Müge Fazlioglu

View Report (Members-Only)

The growth of U.S. state privacy law began slowly, but continues to develop exponentially with new laws introduced, enacted, and coming into force each year. It was not long ago, in 2018, that the California Consumer Privacy Act became the first comprehensive U.S. state privacy law to pass. It was not until 2021 that a data privacy law outside of the state of California was passed, with enactments in Virginia and Colorado. In 2022, that was matched when two more bills became laws in Utah and Connecticut. In 2023, seven bills became law in Delaware, Indiana, Iowa, Montana, Oregon, Tennessee and Texas, while 2024 matched that with seven more bills becoming law in New Hampshire, New Jersey, Kentucky, Maryland, Minnesota, Nebraska and Rhode Island.

While no new states have added comprehensive data privacy laws to their ledgers in 2025, half of those with laws already on the books have made significant amendments to their scopes and requirements. As of mid-2025, eight states — Colorado, Connecticut, Kentucky, Montana, Oregon, Texas, Utah and Virginia — have amended their comprehensive privacy laws; further proposed amendments are pending in California and New Jersey.

The growth of US state privacy legislation

While 2025 has been a relatively inactive year, passage of new state privacy laws has outpaced prior years in terms of further expanding the remit of existing state privacy laws through legislative amendments. With no signs of slowing down, it remains as crucial as ever for privacy pros to understand the evolving contours of U.S. state privacy law.

In parallel to this legislative activity within U.S. state capitols around consumer privacy, calls continue for Congress to pass a comprehensive federal privacy law. Although no such federal lawmaking initiative has been undertaken in 2025 as of yet that would match the ambit of the American Privacy Rights Act of 2024 or the American Data Privacy and Protection Act of 2023, the House of Representatives voted in June to approve a 10-year federal moratorium on the enforcement of state-level laws targeting AI and automated decision-making systems. While that provision was removed by the Senate in final amendments to the budget bill, the episode revealed both support and opposition within Congress, both across and within parties, for halting state-level AI legislative activity. It is easy to imagine a similar debate — as indeed has happened in the past when both APRA and ADPPA were introduced — around federal preemption of state-level privacy laws.

US states with comprehensive privacy laws

Note: This report is limited to comprehensive U.S. state privacy laws enacted as of July 2025. Further information on IAPP's methodology and definition of "comprehensive" can be found here. The IAPP US State Privacy Legislation Tracker, maintained with an identical scope in mind, lists any U.S. state privacy law proposed or passed since this report was published.

This report provides an in-depth and refreshed analysis of the evolving scope, applicability, exemptions, consumer rights, business obligations, rulemaking activities, enforcement duties and key definitions for each of the 19 states that have passed comprehensive privacy laws to date. It sketches the contours of the nationwide portrait of privacy regulation that has emerged, while highlighting the idiosyncrasies of each state law that constitutes the U.S. state privacy kaleidoscope. Overall, this report aims to keep privacy professionals informed about all the comprehensive privacy bills that have become law, the rights they offer to consumers and the obligations they require from regulated entities.

Key takeaways

Applicability thresholds

Each U.S. state privacy law has a unique scope of applicability based on a variety of thresholds related to an entity's jurisdiction, revenue, volume of personal data processing and revenue from the sale of personal data. The applicability of each U.S. state privacy law can be determined through a multistep process.

Exemptions

Each of the 19 state privacy laws exclude from their scope various entities — such as government agencies, nonprofits and institutions of higher education — as well as entities already subject to federal, sectoral privacy legislation.

Across these categories of exemptions, there are two distinct types: entity-level exemptions and data-level exemptions.

Consumer rights

Each U.S. comprehensive state privacy law establishes various consumer rights, including the ability to access, correct and delete personal data held by companies. These laws also provide opt-out rights for targeted or cross-contextual behavioral advertising, sale of personal data and profiling.

Business obligations

In addition to granting a series of rights to consumers, U.S. state privacy laws impose a series of obligations for entities that fall within their scope. In general, these obligations revolve around privacy notices, data minimization and purpose limitation of data collection and processing, sensitive personal information, data protection assessments, and universal opt-out mechanisms.

Sensitive information

Each U.S. state privacy law recognizes at least some types of information as sensitive and deserving of heightened legal protection. Companies that collect and process any of the defined categories of sensitive personal information must comply with heightened requirements to protect it from misuse, loss or abuse.

Rulemaking

Three states — Colorado, California and New Jersey — give rulemaking authority to a state agency. Only California has a dedicated enforcement agency, the California Privacy Protection Agency, for the promulgation of rulemaking.

Enforcement

Privacy-related enforcement and compliance activities picked up in 2025 across the states, especially in California and Texas. Regulators are still feeling out how best to enforce their states' laws, but they are learning quickly — and with more and more state privacy laws coming into effect, it looks like enforcement is not going to slow down anytime soon.

Additional resources