The landscape of data privacy and cybersecurity legislation in the United States continues to evolve, with states taking a leading role in enacting comprehensive laws aimed at protecting personal information. As reported by LexBlog, while federal laws provide a framework, it is at the state level where significant progress is being made, particularly with privacy regulations poised to come into effect in 2025.
All 50 states, along with Puerto Rico, Guam, the U.S. Virgin Islands, and the District of Columbia, have established data breach notification laws. California pioneered these laws, enacting its own in 2003. By 2018, every state had adopted similar legislation, compelling entities to notify affected individuals when a data breach occurs. Recent updates to such laws have been noted, particularly in states like Pennsylvania and Utah. According to the report, Pennsylvania has introduced amendments via Senate Bill 824, which now stipulate that entities notifying over 500 residents must also inform the attorney general. Furthermore, affected individuals whose Social Security numbers or financial details are breached are entitled to a year of complimentary credit monitoring. Utah's Senate Bill 98 has similarly specified the requirements for notifications, enhancing transparency regarding the nature and impact of breaches.
Against a backdrop of increasing data breaches, states have shifted their focus towards comprehensive privacy laws. Nineteen states currently possess such legislation, and as noted in the LexBlog report, an additional eight states will join this list in 2025, including Nebraska, New Hampshire, New Jersey, and Minnesota. The California Consumer Privacy Act (CCPA) has been a foundational model for many of these laws, mandating transparency in personal data processing while addressing cybersecurity provisions.
In 2024, key updates to privacy laws included new regulations in Oregon, Texas, and Montana. Oregon's law targets businesses handling substantial amounts of personal data, enforced by the state attorney general. The Texan and Montanan laws similarly focus on businesses engaging in the processing of personal data, imposing penalties for violations.
Seven more states have passed laws set to take effect between 2025 and 2026. Maryland, for instance, has enacted the Maryland Online Data Privacy Act, which introduces stringent protections for children's data and biometric information and imposes strict data minimization regulations. Minnesota's Consumer Data Privacy Act, also set to come into effect in 2025, gives consumers the right to opt out of profiling, emphasising increased consumer control in data handling.
California's updates to the CCPA in 2024 have further expanded the scope of what's considered sensitive information, now including neurological data. Colorado's recent amendment to its Colorado Privacy Act has introduced enhanced requirements surrounding biometric data processing.
As states increasingly regulate the use of artificial intelligence (AI), Colorado has taken the lead by enacting the Colorado AI Act, set to take effect in 2026, which seeks to address issues of AI bias and mandates human oversight throughout the AI system lifecycle.
The path forward into 2025 suggests a concerted effort among states to bolster consumer data protection frameworks. The Colorado Attorney General's focus areas will likely revolve around targeted advertising and profiling opt-out requests, a trend that may be echoed in other states as well. In California, the California Privacy Protection Agency is expected to provide further regulatory clarity regarding automated decision-making and cybersecurity audits.
As more states adopt comprehensive data protection and AI legislation, businesses across the U.S. will face an increasingly complex compliance landscape, underscoring the importance of understanding and adapting to these legal developments.
Source: Noah Wire Services