New in 2026: State privacy laws in Indiana, Kentucky, and Rhode Island | TrustArc, https://trustarc.com/resource/new-in-2026-state-privacy-laws-in-indiana-kentucky-and-rhode-island/ (published Thu, 11 Dec 2025)
Article

New in 2026: State privacy laws in Indiana, Kentucky, and Rhode Island

January 1, 2026, isn’t just another date on the privacy calendar; it’s the moment three new state privacy laws snap into place and expand the already-complex U.S. privacy patchwork. Indiana, Kentucky, and Rhode Island are each stepping into the arena with comprehensive privacy acts that echo familiar frameworks while adding their own twists.

For privacy, compliance, and security professionals, this moment is both a challenge and an opportunity. A challenge because the operational complexity grows. An opportunity because privacy leaders are now shaping business strategy, not simply supporting it. And, like every great origin story, 2026 rewards the teams who prepare early, act decisively, and embrace accountability as a competitive advantage.

Welcome to the next chapter of state privacy evolution. New year, new laws, and a renewed proving ground for privacy excellence.

Understanding the new 2026 state privacy laws

Three states, three statutes, one expanding patchwork

The Indiana Consumer Data Protection Act (INCDPA), the Kentucky Consumer Data Protection Act (KCDPA), and the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) all take effect Jan. 1, 2026. Together, they reinforce a clear trend: comprehensive privacy laws aren’t slowing down. They’re accelerating.

Each law introduces familiar pillars such as consumer rights, transparency, assessments, and vendor accountability, while refining scope, thresholds, and obligations in ways that privacy teams will need to understand and operationalize.

Many organizations start this work by strengthening their data inventory, and tools like TrustArc Data Mapping & Risk Manager can streamline that process early in the journey.

Who’s covered

Across the three laws, businesses generally fall in scope if they:

  • Conduct business in the state or target residents.
  • Process or control personal data above the defined consumer thresholds.
  • Sell personal data or process sensitive information.

Thresholds vary, but the overarching theme remains the same: if you’re handling consumer data at scale, these laws apply.

Why these 2026 laws matter

Three forces make this trio significant:

  1. Momentum. Roughly 20 states now have comprehensive privacy laws, with additional bills advancing each year.
  2. Convergence. While each state individualizes its law, the broad similarities make a unified compliance framework more realistic than ever.
  3. Maturity. These laws reinforce that privacy is a full-scale governance requirement.

For organizations already feeling the strain of multistate compliance, 2026 inspires a strategic shift from reactive scrambling to proactive standardization.

Compliance dates and readiness milestones

Effective date: Jan. 1, 2026

All three laws go live on the same day. And, as every seasoned privacy leader knows, the effective date is never the starting line. With 2025 effectively in the rearview mirror, organizations are now in the final stretch of tightening controls, validating processes, and reinforcing the operational muscle needed for day-one compliance.

Your final readiness checklist

A unified data inventory should now be in place, thresholds should be evaluated, and any remaining compliance gaps should be resolved. Privacy notices must reflect accurate disclosures and jurisdiction-specific requirements. Rights-request workflows should be end-to-end functional, vendor contracts should be updated, and data protection impact assessment (DPIA) processes should be established and actively running.

Cross-functional readiness matters

Teams across Marketing, Legal, Engineering, Security, and Product should already be trained on their roles and escalation paths. These laws reward operational discipline, and the final weeks before January are the moment to validate that everything works under real conditions.

Think of this as the last practice lap before the flag drops: the moment when precision, coordination, and preparation determine how confidently you enter 2026.

Consumer rights and controller obligations at a glance

Consumer rights across the laws

Across all three states, consumers gain:

  • The right to access personal data.
  • The right to correct inaccuracies.
  • The right to delete data (with contextual exceptions).
  • The right to confirm processing.
  • The right to obtain a copy of their data.
  • The right to appeal rights request decisions.
  • The right to opt out of:
    • targeted advertising,
    • sale of personal data, and
    • profiling in furtherance of decisions that produce legal or similarly significant effects.

Indiana, Kentucky, and Rhode Island largely align on these rights, though differences in scope, response timeframes, and consent requirements require careful attention.

Individual Rights Manager helps teams meet these differing timelines at scale, especially when states like Rhode Island introduce accelerated turnaround requirements.

Controller duties and transparency requirements

Across all three laws, controllers are expected to uphold a set of core responsibilities that reinforce transparency, fairness, and accountability. Organizations must limit the personal data they collect to what is adequate, relevant, and reasonably necessary for the purposes they disclose.

They also need to maintain clear, accessible privacy notices that explain their data practices in plain language. Strong safeguards are essential, with technical, administrative, and physical measures that match the sensitivity and volume of the data they hold.

Just as important is nondiscrimination. Businesses cannot disadvantage consumers for exercising their privacy rights, whether those rights involve access, deletion, correction, or opting out.

High-risk processing activities require thoughtful evaluation through DPIAs, ensuring risks are identified and mitigated before issues arise. And because no organization operates alone, controllers must establish contracts with processors that define responsibilities, restrict use, and reinforce security expectations.

These obligations function as the privacy equivalent of good business hygiene, serving as fundamental, foundational, and nonnegotiable principles for any organization committed to responsible data practices.

Assessment Manager streamlines this work by automating DPIAs, PIAs, and TIAs with built-in legal logic aligned to state-specific triggers.

What businesses must do to comply with the Indiana CDPA

The Indiana CDPA mirrors Virginia, Utah, and Iowa in several important ways, but includes unique definitions and thresholds that have operational significance.

Practical steps for organizations

  • Data mapping. Indiana’s thresholds are based on volume, making an accurate data inventory critical.
  • Rights workflows. Build or refine intake, verification, and response mechanisms.
  • Notice updates. Disclose categories, purposes, rights, and opt-out methods clearly.
  • Consent for sensitive data. Explicit opt-in is required.
  • Appeals process creation. Indiana mandates clear escalation paths.
  • Opt-out mechanisms. Indiana does not mandate recognition of universal opt-out preference signals (such as Global Privacy Control), but the opt-out methods you disclose must still work end to end and be clearly described in your notice.
  • Vendor contract alignment. Processors must follow instructions, support rights requests, and implement safeguards.

Common areas where companies struggle

Organizations often encounter friction when interpreting Indiana’s narrower definition of “sale,” which aligns with Virginia and Utah by focusing strictly on monetary exchanges. This stands in contrast to broader states like California, where “valuable consideration” significantly expands the scope.

Many teams also underestimate the breadth of profiling activities and the situations in which those activities trigger a DPIA, leading to compliance blind spots that surface later in the implementation process.

Even more foundational is the challenge of maintaining an accurate data inventory; without a clear picture of what data exists and where it flows, determining thresholds, obligations, and risk becomes guesswork.

Data Mapping & Risk Manager helps reduce that guesswork with automated flow mapping and real-time risk scoring tied directly to Indiana’s applicability criteria.

Indiana’s law ultimately reinforces that even so-called “lighter” privacy statutes carry meaningful operational expectations that demand rigor, visibility, and a well-structured compliance program.

If you need a deeper breakdown of Indiana’s requirements, thresholds, and obligations, explore our full guide to the Indiana Consumer Data Protection Act.

Preparing for the Kentucky KCDPA: Key operational priorities

Kentucky’s law mirrors Virginia, Tennessee, and Indiana, making it part of the “VCDPA family.” Its obligations may look familiar, but familiarity doesn’t equal simplicity.

Key requirements to operationalize

  • Collect only data necessary for the disclosed purpose.
  • Avoid undisclosed secondary use unless consent is obtained.
  • Maintain security controls that match data sensitivity.
  • Provide detailed privacy notices.
  • Obtain consent for sensitive data processing.
  • Uphold consumer rights without discrimination.

Contract refresh priorities

Vendor agreements must include:

  • processing instructions,
  • confidentiality guarantees,
  • support for rights requests,
  • use limitations, and
  • security obligations.

Mixed footprint complexity

Companies operating across Kentucky, Virginia, Colorado, and California must reconcile differences across:

  • opt-out mechanisms,
  • profiling restrictions,
  • notice requirements,
  • DPIA triggers, and
  • definitions of “sensitive data.”

Why early standardization matters

Kentucky rewards companies that adopt a baseline privacy posture that can be replicated across states, rather than being reinvented for each new law.

For a closer look at Kentucky’s requirements, definitions, and readiness considerations, explore our full guide to the Kentucky Consumer Data Protection Act.

How the 2026 laws compare: Indiana vs. Kentucky (and where Rhode Island fits)

Privacy pros are natural comparison shoppers, and for good reason. Understanding the nuances helps prevent misapplication, over-application, or conflicting controls.

Applicability thresholds

  • Indiana: 100,000 consumers, or 25,000 consumers with more than 50% of gross revenue derived from the sale of personal data.
  • Kentucky: Identical thresholds to Indiana.
  • Rhode Island: 35,000 consumers (excluding personal data processed solely to complete a payment transaction), or 10,000 consumers with more than 20% of gross revenue derived from the sale of personal data.

Rhode Island uses the lowest threshold, resulting in big implications for mid-sized businesses.

Consumer rights

While all three grant core rights, Rhode Island includes unique timing and revocation-related requirements, including ceasing processing within 15 days of revoked consent.

Individual Rights Manager includes deadline-based routing and automated tracking that simplify compliance with accelerated requirements like Rhode Island’s revocation timeline.

Opt-out scope

All three include opt-outs for targeted advertising, sale, and profiling.

Enforcement

  • Indiana: Up to $7,500 per violation; AG enforcement only, no private right of action; 30-day cure period.
  • Kentucky: Up to $7,500 per violation; AG enforcement only, no private right of action; 30-day cure period.
  • Rhode Island: Up to $10,000 per violation; AG enforcement only, no private right of action.

Rhode Island carries the highest risk exposure.

DPIA triggers

All require assessments for:

  • targeted advertising,
  • data sales,
  • profiling with foreseeable risk,
  • sensitive data, and
  • other high-risk processing.

Rhode Island explicitly requires DPIAs for processing activities that present a heightened risk of harm to consumers.

For a deeper look at Rhode Island’s thresholds, rights, and high-risk processing requirements, explore our full guide to the Rhode Island Data Transparency and Privacy Protection Act.

What the 2026 laws mean for business operations and vendor risk

Privacy leaders don’t just interpret laws—they operationalize them. And the 2026 statutes reshape how organizations work across every major function, often in ways that demand new levels of coordination and clarity.

Marketing

Marketing teams will feel the impact through tighter restrictions on targeted advertising and a heightened expectation for transparency. Clear, functioning opt-out mechanisms become essential, turning marketing workflows into front-line expressions of consumer trust.

Engineering and Product

Engineering and product teams must incorporate DPIAs into their development cycles, building privacy assessment into the earliest stages of design.

Consent workflows for sensitive data become part of the core architecture, and systems must evolve to support deletion, correction, and other consumer rights without friction.

Security

For security teams, the laws reinforce the need for technical, administrative, and physical safeguards proportionate to the sensitivity and volume of the data they protect. None of the three acts adds its own breach notice rule, so incident response processes must stay aligned with each state's separate data breach notification statute, with timeframes and escalation paths well understood before an incident, not during one.

Legal and Compliance

Legal and compliance professionals face an expanded portfolio, including refreshing contracts to meet state-specific obligations, updating privacy notices for clarity and accuracy, and strengthening documentation to demonstrate ongoing accountability. The burden isn’t simply to comply; it is to demonstrate compliance consistently and transparently.

Vendor risk

Vendor management becomes increasingly complex, particularly under Rhode Island’s additional requirements for ISPs and commercial websites. All three laws elevate expectations around due diligence, clear data handling instructions, breach responsibilities, subprocessor oversight, and strict limits on how processors may reuse data. The mandate is simple: trust, but verify. And then verify again.

Assessment Manager and Data Mapping & Risk Manager work together to document vendor responsibilities, surface risks, and support processor due diligence across all three states.

Governance considerations across multiple 2026 laws

Privacy governance is no longer a back-office safety net. It has become the center of business strategy, shaping decisions, influencing design, and strengthening trust at every level of the organization.

Centralize where possible

A unified governance framework streamlines operations by reducing policy sprawl, eliminating duplicative assessments, and preventing inconsistencies across notices and disclosures. When governance is centralized, complexity gives way to clarity, and teams can execute with confidence rather than constantly recalibrating for each new jurisdiction.

To strengthen centralization with a proven governance model, explore the Nymity Privacy Management Accountability Framework.

Standardize definitions and processes

Standardization is where consistency becomes power. Establishing shared definitions for terms like personal data, sensitive data, profiling, sale, and targeted advertising creates a common language across the enterprise. Only when a specific law requires differentiation should teams diverge from these standards. This approach maintains operational alignment while respecting the nuances of each statute.

Build consistency across jurisdictions

Consistency delivers both procedural clarity and psychological confidence. When stakeholders understand the rules and see the same expectations repeated across state lines, compliance becomes predictable instead of reactive. Predictability, in turn, strengthens accountability and minimizes the operational “surprises” that often trigger risk.

Governance that drives executive-level visibility

Effective privacy governance elevates visibility at the highest levels. Boards gain clarity when they can see accountability maps, DPIA tracking, vendor inventories, risk metrics, and incident response readiness presented in a structured, repeatable way. This transparency reassures leadership that privacy risks are understood, managed, and continuously monitored.

Privacy leaders safeguard the organization and position it to thrive in a rapidly evolving regulatory landscape. Strong governance is the infrastructure that keeps companies steady as privacy laws continue to expand and evolve.

Turning the 2026 laws into a forward-looking privacy advantage

Indiana, Kentucky, and Rhode Island are expanding the U.S. privacy landscape in 2026, and privacy leaders who plan ahead can turn this next wave into a competitive edge. Success hinges on visibility, operational discipline, and the kind of automation that makes multi-state compliance repeatable rather than reactive. TrustArc provides that foundation through three purpose-built products: Data Mapping & Risk Manager, Assessment Manager, and Individual Rights Manager.

Data Mapping & Risk Manager gives organizations the clarity these new laws demand. Automated inventory creation, AI-assisted data flow mapping, third-party discovery, and intelligent risk scoring create a real-time understanding of where data sits, how it moves, and where risk concentrates. This level of visibility helps teams align their program with thresholds in Indiana, sensitive data triggers in Rhode Island, and core controller duties across all three states.

Assessment Manager operationalizes the impact assessments required for high-risk processing. Automated triggers, expert-built templates, gap analysis, and remediation tracking streamline DPIAs, PIAs, and TIAs and ensure documentation keeps pace with evolving obligations. When connected to Data Mapping & Risk Manager, assessments become part of a unified risk lifecycle that supports profiling reviews, cross-border evaluations, and sensitive data governance.

Individual Rights Manager helps organizations meet consumer rights obligations at scale. Automated request intake, identity verification, system integrations, and law-specific workflows help teams fulfill access, deletion, correction, and opt-out requests with speed and consistency. Capabilities like deadline-based routing and audit-ready reporting support unique requirements such as Rhode Island’s compressed timeline for revoked consent.

A platform designed for the next chapter of U.S. privacy

Together, these products form a modern privacy workspace that strengthens compliance today and builds resilience for whatever comes next. With visibility, assessments, and rights fulfillment unified under one platform, privacy leaders can enter 2026 with confidence—prepared not only to comply with Indiana, Kentucky, and Rhode Island, but also to set a higher bar for trust and accountability across the organization.

California's AI Transparency Laws: How SB 942 and AB 2013 Will Reshape AI Data Practices | TrustArc, https://trustarc.com/resource/california-ai-transparency-laws-sb942-ab2013/ (published Thu, 11 Sep 2025)
Article

California’s AI Transparency Laws: How SB 942 and AB 2013 Will Reshape AI Data Practices

Setting the stage for AI transparency

If 2023 and 2024 were the teaser trailers for U.S. AI regulation, 2025 is the blockbuster release. And California (never shy about a starring role in tech policy) has premiered two headline acts: the California AI Transparency Act (SB 942) and Assembly Bill 2013 on Generative AI Training Data Transparency.

Both laws take effect January 1, 2026, and together they create a one-two punch of accountability. SB 942 focuses on outputs: how AI-generated content is labeled, detected, and disclosed. AB 2013 focuses on inputs: how the data used to train generative AI systems is documented and made public.

For privacy and compliance professionals, these laws are more than legislative updates. They are operational mandates with real penalties for noncompliance. And they’re arriving at a moment when public trust in AI is fragile, regulators are sharpening their teeth, and stakeholders are asking, “How do we prove our AI is playing fair?”

Understanding California’s AI Transparency Act (SB 942)

The California AI Transparency Act is a consumer protection law with a simple premise: if you make AI that generates or alters content, you must tell people clearly, consistently, and in a way that can’t be easily stripped out.

However, the law’s scope is narrower than “all AI”. It applies only to covered providers: persons that create, code, or otherwise produce a GenAI system that has over 1,000,000 monthly visitors or users and is publicly accessible within California. It does not apply to certain exclusively non-user-generated experiences, such as video games, television, streaming, movies, or interactive content that is not created or modified by users. These exemptions mean some large AI content producers are outside the Act’s reach.

Core requirements include:

AI detection tools, free to the public

Covered providers must offer a publicly accessible detection tool to identify whether their generative AI system created or altered an image, video, or audio file. The tool must work via a web interface and an API, support content uploads or URLs, and output system provenance data (such as the system version and creation date) without exposing personal provenance data. The detection tool must be free to use, though providers may impose reasonable limitations to address security or integrity risks to their GenAI system.

Manifest disclosures (visible labels)

Users must be able to add a visible label: “manifest disclosure,” that identifies content as AI-generated. Labels must be clear, conspicuous, permanent (or nearly so), and appropriate for the medium.

Latent disclosures (embedded metadata)

Image, video, and audio content produced by a covered provider’s system must carry embedded information, to the extent technically feasible: provider name, GenAI system name and version, creation time and date, and a unique identifier. This must be detectable by the provider’s AI detection tool and consistent with widely accepted industry standards.

License enforcement

If a licensee modifies the system so that it no longer includes the required disclosures, the provider must revoke the license within 96 hours of discovering the modification. Licensees must cease using the system once the license is revoked.

Penalties

Civil penalties of $5,000 per violation, per day, plus possible injunctive relief, make this a law with real teeth.

California’s AI Transparency Act moves labeling and provenance from a “nice to have” to a “non-negotiable” but only for covered providers and only for content within its defined scope. If your AI touches California consumers and isn’t in an exempt category, transparency must be woven into your design and delivery pipelines.


Breaking down California AB 2013 Generative AI Training Data Transparency

If SB 942 answers “How do we show people what’s AI-made?”, AB 2013 asks “What’s in the AI’s brain?”

By January 1, 2026, any developer releasing a new or substantially modified GenAI system (or a significant update) in California must publish training data documentation on their website. This must include:

  • High-level dataset summaries: sources or owners, purpose alignment, volume (ranges allowed), and types of data points.
  • IP and privacy flags: whether datasets contain copyrighted, trademarked, or patented material; whether they include personal or aggregate consumer information under California Consumer Privacy Act (CCPA) definitions.
  • Acquisition details: whether datasets were purchased or licensed.
  • Processing history: cleaning, modification, or enhancement steps, and their purpose.
  • Timeframes: when data was collected (and whether collection is ongoing), and when it was first used in training.
  • Synthetic data disclosure: if synthetic data generation was used, with an optional explanation of its functional purpose.

Exemptions exist for:

  • Generative AI systems or services whose sole purpose is to ensure security and integrity.
  • Systems used solely for the operation of aircraft in the national airspace.
  • Systems developed for national security, military, or defense purposes that are made available exclusively to a federal entity.

This is the first U.S. law to mandate public documentation of training data for commercial AI systems at this level of specificity. For compliance leaders, it means standing up data lineage management as a core governance function.


Practical implications for privacy and compliance teams

Think of SB 942 and AB 2013 as California handing you a two-page “AI transparency checklist,” except that it’s written in statute and costs $5,000 per violation, per day, to ignore.

Operational changes you’ll likely need:

  • New governance workflows to track data sources, IP rights, and privacy risk from dataset ingestion through model deployment.
  • Cross-functional playbooks between engineering, legal, privacy, and communications to handle disclosure labeling, detection tool updates, and public documentation.
  • Vendor and partner audits to ensure licensees and third parties keep required disclosure features intact.

Risk factors and violation scenarios:

  • Missing dataset documentation: A developer updates their GenAI model but fails to update the public training data summary as required under AB 2013. This could trigger enforcement if discovered during an investigation.
  • Noncompliant metadata: A provider releases AI-generated marketing images without embedding the latent disclosures SB 942 requires. If these assets are publicly distributed, each piece of noncompliant content could count as a separate violation.
  • License enforcement gaps: A licensee removes mandatory disclosure features from a licensed GenAI system. If the provider does not revoke the license within 96 hours of discovery, both the provider and the licensee could be exposed to penalties.

Broader compliance considerations for multi-jurisdiction alignment:

Multi-jurisdiction alignment is not itself a requirement of SB 942 or AB 2013, but California’s rules are among the most detailed in the U.S., so organizations operating across multiple regions should build processes that meet the most stringent overlapping requirements. This may include:

  • Mapping disclosure obligations in each jurisdiction where your AI operates (e.g., SB 942 in California, Colorado AI Act transparency rules, EU AI Act content labeling).
  • Designing universal disclosure templates that meet or exceed the strictest format, permanence, and metadata requirements you face globally.
  • Coordinating dataset documentation standards so that your AB 2013-compliant training data summaries also satisfy disclosure or risk assessment obligations under other AI or privacy laws.

Meeting these standards can help differentiate your organization as a trusted AI provider, especially in markets where public skepticism of AI remains high. It also reduces operational friction when scaling AI deployments across states and countries.

Compliance roadmap for California’s AI transparency laws

Step 1: Conduct a gap analysis

Compare existing AI governance against both laws. Pay special attention to provenance tracking, dataset documentation, and labeling workflows.

Step 2: Build a living training data inventory

Document source, ownership, type, processing history, and legal status for every dataset. Update this inventory with each model update or retraining.

Step 3: Implement disclosure templates

Develop standardized manifest and latent disclosures that meet SB 942’s permanence and clarity requirements. Test for resilience against stripping or alteration.

Step 4: Update vendor contracts

Mandate disclosure compliance in all GenAI licensing agreements. Include revocation rights and enforcement timelines.

Suggested practices and tools for achieving AI transparency

From a privacy-by-design perspective, California’s laws effectively require:

  • Integrated dataset documentation tools (e.g., metadata catalogs, lineage tracking platforms).
  • Content authenticity solutions: watermarking, C2PA-compliant metadata embedding, and detection APIs.
  • DPIA integration: add AI transparency checks to your data protection impact assessments and NIST AI Risk Management Framework processes.
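The latent-disclosure and detection-tool requirements of SB 942, Step 3’s instruction to test disclosures for resilience against stripping, and the content authenticity tooling listed above are easier to reason about with a concrete carrier. The following Python is an added example written for this page; it is not TrustArc’s code and not any covered provider’s detection tool. It embeds a disclosure record with the statutory fields (provider, system name and version, creation time, unique identifier) into a PNG and implements the matching detection check. The PNG tEXt-chunk carrier, the HMAC tag that binds the record to the pixel stream, the keyword `ai-latent-disclosure`, the `PROVIDER_KEY`, and the 2x2 sample image are all assumptions of the example, not anything the statute prescribes.

```python
"""Added example (not TrustArc's code, not any SB 942 detection tool): embed a
latent disclosure in a PNG and detect/verify it.  The record fields follow the
statute's list (provider, system name and version, creation time, unique ID);
the tEXt-chunk carrier, the HMAC tag and PROVIDER_KEY are illustrative
assumptions, not anything the law prescribes."""
import hashlib, hmac, json, struct, uuid, zlib
from datetime import datetime, timezone

PROVIDER_KEY = b"example-provider-signing-key"  # assumption: secret held only by the provider
CHUNK_KEY = b"ai-latent-disclosure"              # assumption: tEXt keyword the detector looks for
PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed 2x2 RGB image: each scanline is a filter byte (0) + 2 pixels * 3 bytes.
SAMPLE_ROWS = b"\x00\xff\x00\x00\x00\xff\x00" + b"\x00\x00\x00\xff\xff\xff\xff"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def iter_chunks(png: bytes):
    """Yield (type, data) for every chunk, checking the PNG signature and each CRC."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype, data = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"corrupt {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length


def make_disclosure(provider, system, version, content_id=None, created=None) -> dict:
    """System provenance only: no user identity or other personal provenance data."""
    return {"provider": provider, "system": system, "version": version,
            "created": created or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "id": content_id or str(uuid.uuid4())}


def _tag(record: dict, idat: bytes) -> str:
    # Bind the record to the compressed pixel stream so it cannot be relabelled
    # or copied onto different content by anyone without PROVIDER_KEY.
    msg = json.dumps(record, sort_keys=True).encode() + hashlib.sha256(idat).digest()
    return hmac.new(PROVIDER_KEY, msg, hashlib.sha256).hexdigest()


def build_png_with_disclosure(width: int, height: int, rows: bytes, record: dict) -> bytes:
    idat = zlib.compress(rows)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # 8-bit RGB, no interlace
    payload = json.dumps(dict(record, tag=_tag(record, idat)), sort_keys=True).encode()
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", CHUNK_KEY + b"\x00" + payload)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def detect(png: bytes) -> dict:
    """Detection-tool logic: report provenance only when a disclosure is present AND verifies."""
    idat, record = b"", None
    for ctype, data in iter_chunks(png):
        if ctype == b"IDAT":
            idat += data
        elif ctype == b"tEXt" and data.startswith(CHUNK_KEY + b"\x00"):
            record = json.loads(data[len(CHUNK_KEY) + 1:])
    if record is None:
        return {"ai_generated": None, "reason": "no latent disclosure found"}
    tag = record.pop("tag", "")
    if not hmac.compare_digest(tag, _tag(record, idat)):
        return {"ai_generated": None, "reason": "disclosure present but tag does not verify"}
    return {"ai_generated": True, "provenance": record}


def strip_disclosure(png: bytes) -> bytes:
    """What an image optimizer or re-encoder does: drop every tEXt chunk."""
    return PNG_SIG + b"".join(_chunk(t, d) for t, d in iter_chunks(png) if t != b"tEXt")


def relabel_without_key(png: bytes, **changes) -> bytes:
    """Edit the disclosure record in place without recomputing the tag (a party lacking the key)."""
    out = PNG_SIG
    for t, d in iter_chunks(png):
        if t == b"tEXt" and d.startswith(CHUNK_KEY + b"\x00"):
            rec = json.loads(d[len(CHUNK_KEY) + 1:])
            rec.update(changes)
            d = CHUNK_KEY + b"\x00" + json.dumps(rec, sort_keys=True).encode()
        out += _chunk(t, d)
    return out


if __name__ == "__main__":
    png = build_png_with_disclosure(2, 2, SAMPLE_ROWS, make_disclosure("ExampleCo", "ExampleGen", "1.4"))
    print(detect(png))                                            # verified provenance
    print(detect(strip_disclosure(png)))                          # metadata gone: "no disclosure", not "not AI"
    print(detect(relabel_without_key(png, provider="SomeoneElse")))  # forged attribution rejected
```

The three `detect` calls show the three outcomes a detection tool has to distinguish: a verified disclosure, an image from which a re-encoder or optimizer has dropped the metadata (reported as “no disclosure found”, never as “not AI-generated”), and a record that someone edited without the provider’s key. The caveat this makes visible is that any metadata chunk, C2PA manifests included, disappears on re-encode or crop-and-save, which is why practitioners pair it with a pixel-domain watermark; the key-bound tag stops relabelling and false attribution, but it does not stop removal.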

Sector-specific watchpoints:

Healthcare: HIPAA considerations when disclosing dataset characteristics

Under AB 2013, developers must disclose whether training datasets include personal information or aggregate consumer information as defined in the CCPA. For healthcare organizations subject to HIPAA, this requirement demands extra caution. If training data includes protected health information (PHI), even in de-identified or aggregated form, disclosure summaries must avoid re-identification risks and maintain HIPAA-compliant safeguards.

Moreover, if synthetic data generation was used to augment sensitive datasets, AB 2013 allows developers to note its purpose, which could be leveraged to demonstrate HIPAA-aligned privacy preservation. The key challenge for healthcare entities will be balancing AB 2013’s transparency mandates with HIPAA’s strict confidentiality requirements and ensuring that no publicly posted dataset summaries inadvertently reveal sensitive medical details.

Finance: SEC and FINRA record retention rules for AI-generated disclosures

SB 942’s manifest and latent disclosure requirements mean that any AI-generated financial communications, from investor presentations to client statements, must be labeled and embedded with provenance metadata. For financial institutions under SEC or FINRA oversight, this creates a dual compliance obligation: maintaining SB 942-compliant disclosures while ensuring that all labeled AI-generated materials are retained in accordance with recordkeeping rules.

For example, FINRA Rule 2210 and SEC Rule 17a-4 require preserving certain communications for specified periods. If AI tools are used to create client-facing reports or marketing materials, firms must not only apply SB 942’s disclosure protocols but also store the original AI-labeled versions and their metadata in case of regulatory audits or disputes.

E-commerce: Brand protection when AI-generated marketing or product content is labeled

In the e-commerce sector, SB 942’s visible and embedded labeling of AI-generated content has direct brand implications. Marketing images, product descriptions, and promotional videos created by generative AI must carry manifest disclosures that are clear, conspicuous, and appropriate for the medium. This means customers may see explicit indicators that a product image or ad was AI-generated—a potential trust-building measure for some brands, but a reputational risk if not managed carefully.

The latent metadata requirements also mean that, even if visible labels are cropped or removed in unauthorized use, the embedded provenance can still identify the source. E-commerce companies will need to integrate these labeling practices into their creative workflows and brand guidelines, ensuring the disclosures are consistent, aesthetically aligned, and do not detract from customer engagement.

How California’s AI laws compare to other jurisdictions

California’s approach is more prescriptive than most U.S. states and aligns closely with the EU AI Act, which also requires training data and output transparency for specific systems.

EU AI Act: Applies tiered obligations based on risk category, with explicit transparency requirements for high-risk systems and for general-purpose AI models (the final text’s term for what earlier drafts called foundation models).

Canada’s AIDA: Proposed requirements for “high-impact systems,” including risk mitigation and recordkeeping, with less detail on training data disclosure formats; the bill carrying it (C-27) died when Parliament was prorogued in January 2025, so it is not in force.

Colorado: The Colorado AI Act imposes obligations for developers and deployers of “high-risk AI systems,” including transparency measures, documented risk management programs, and consumer rights regarding AI-driven decisions.

Utah: The Utah AI Policy Act requires disclosure when AI is used in consumer interactions, including informing individuals when they engage with generative AI tools or chatbots.

Preparing for California AI Transparency Act (SB 942) and AB 2013 compliance: Why early action builds trust and reduces risk

Technical standards for provenance embedding, watermarking, and dataset documentation formats will continue to evolve—driven by both industry bodies and potential federal AI legislation. Privacy leaders should watch for updates from the NIST AI Risk Management Framework, the Coalition for Content Provenance and Authenticity (C2PA), and guidance from organizations like IAPP to ensure their programs stay current.

By acting early, organizations can do more than just meet California’s January 1, 2026 deadlines. They can shape industry norms, influence best practices, and position themselves as trusted leaders in the responsible use of AI.

Opacity was a feature of AI in its early days. In California, it’s now becoming a liability. By operationalizing transparency in both outputs (SB 942) and inputs (AB 2013), privacy and compliance leaders can:

  • Minimize fines, legal risk, and reputational damage
  • Build lasting trust with customers, partners, and regulators
  • Future-proof their AI governance frameworks against a fast-moving regulatory landscape.

Compliance will no longer be the finish line; it will be the entry ticket to market credibility. The organizations that lead now won’t just meet California’s bar; they’ll set the benchmark for responsible AI worldwide. The question isn’t whether you’ll comply; it’s whether you’ll lead.


Frequently Asked Questions: California AI Transparency Act (SB 942) & AB 2013 Generative AI Training Data Transparency

1. What is the California AI Transparency Act (SB 942)?

The California AI Transparency Act (SB 942) is a state law that takes effect on January 1, 2026, and requires large generative AI providers to make their AI-generated content identifiable through both visible labels (manifest disclosures) and embedded metadata (latent disclosures). It also mandates that these providers offer a free, publicly accessible AI detection tool to identify content created or altered by their systems.

2. Who is considered a “covered provider” under SB 942?

A “covered provider” is defined in the bill as any entity that creates, codes, or otherwise produces a generative AI system with over 1 million monthly users in California and that is publicly accessible in the state.

3. Are there exemptions under SB 942?

Yes. SB 942 does not apply to products, services, websites, or applications that exclusively provide non-user-generated video games, television, streaming, movie, or interactive experiences.

4. What are “manifest” and “latent” disclosures in SB 942?

  • Manifest disclosures are visible labels applied to AI-generated content, such as “This image was generated by AI.” They must be clear, conspicuous, appropriate for the medium, and permanent or extraordinarily difficult to remove, to the extent technically feasible.
  • Latent disclosures are embedded metadata that include details such as the provider’s name, the AI system name and version, the date/time of creation, and a unique identifier. These must be detectable by the provider’s AI detection tool and meet industry standards.
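The mechanics behind a latent disclosure, as an added example that is not code from TrustArc, from SB 942, or from any provider’s detection tool. It builds a record with the four fields listed above, signs it, stores it in a PNG `tEXt` chunk, and then shows what a detection tool sees on an intact, a tampered, and a re-encoded file (the last illustrates the cropping caveat in the e-commerce section). Assumptions: the `tEXt` keyword, the JSON layout, and the use of an HMAC key as a stand-in for the asymmetric signature a C2PA manifest would carry are all mine; only the PNG chunk format is standard. The 1x1 image is constructed inline as sample input.

```python
"""SB 942-style latent disclosure: sign, embed in PNG tEXt, detect and verify.

Added example (not the page's or any provider's code). The keyword, record
layout and HMAC signing are assumptions; real deployments use C2PA manifests
with asymmetric signatures so that a public key suffices for verification.
"""
import hashlib
import hmac
import json
import struct
import uuid
import zlib
from datetime import datetime, timezone

KEYWORD = b"ai-latent-disclosure"      # hypothetical tEXt keyword
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed black RGB PNG used as sample input (not a real AI image)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def _iter_chunks(png: bytes):
    """Yield (type, data, start_offset, end_offset) for each chunk."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos < len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        yield ctype, data, pos, pos + 12 + length
        pos += 12 + length


def _canonical(rec: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()


def make_disclosure(provider: str, system: str, version: str, key: bytes) -> dict:
    """Record with the SB 942 fields plus a signature over them (HMAC as stand-in)."""
    rec = {
        "provider": provider,
        "system": system,
        "version": version,
        "created": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "id": str(uuid.uuid4()),
    }
    rec["sig"] = hmac.new(key, _canonical(rec), hashlib.sha256).hexdigest()
    return rec


def embed(png: bytes, rec: dict) -> bytes:
    """Insert the disclosure as a tEXt chunk immediately after IHDR."""
    payload = KEYWORD + b"\x00" + json.dumps(rec, sort_keys=True).encode("latin-1")
    for ctype, _data, _start, end in _iter_chunks(png):
        if ctype == b"IHDR":
            return png[:end] + _chunk(b"tEXt", payload) + png[end:]
    raise ValueError("IHDR not found")


def detect(png: bytes, key: bytes):
    """What a detection tool returns: ('verified'|'tampered'|'absent', record)."""
    for ctype, data, _s, _e in _iter_chunks(png):
        if ctype == b"tEXt" and data.startswith(KEYWORD + b"\x00"):
            rec = json.loads(data[len(KEYWORD) + 1:].decode("latin-1"))
            sig = rec.pop("sig", "")
            expected = hmac.new(key, _canonical(rec), hashlib.sha256).hexdigest()
            ok = hmac.compare_digest(sig, expected)
            return ("verified" if ok else "tampered"), rec
    return "absent", None


def strip_metadata(png: bytes) -> bytes:
    """What a typical re-encoder or crop tool does: keep only critical chunks."""
    out = PNG_SIG
    for ctype, data, _s, _e in _iter_chunks(png):
        if ctype in (b"IHDR", b"IDAT", b"IEND"):
            out += _chunk(ctype, data)
    return out


if __name__ == "__main__":
    key = b"provider-signing-key"            # assumption: provider-held secret
    labeled = embed(minimal_png(), make_disclosure("ExampleAI", "ImageGen", "2.1", key))
    print(detect(labeled, key)[0])                        # verified
    print(detect(strip_metadata(labeled), key)[0])        # absent
```

The signature is what makes the embedded record worth anything: without it, anyone can write a `tEXt` chunk naming a provider they never used, and the detection tool would have no way to tell. With an HMAC the tool must hold the same secret as the signer, which is why real provenance schemes sign with a private key and publish the public one.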

5. What is AB 2013: Generative AI Training Data Transparency?

AB 2013 is a California law effective January 1, 2026, that requires developers of generative AI systems to publish detailed documentation about the datasets used to train their systems. This includes information such as dataset sources, types of data points, intellectual property status, licensing details, data processing history, and whether synthetic data was used.

6. Who must comply with AB 2013?

Any developer releasing a new or substantially modified generative AI system in California (including significant updates to existing systems) must comply with AB 2013’s public documentation requirements.

7. What are the exemptions under AB 2013?

AB 2013 does not require documentation for:

  • Generative AI systems whose sole purpose is to ensure security and integrity.
  • Systems used solely for the operation of aircraft in the national airspace.
  • Systems developed for national security, military, or defense purposes that are made available exclusively to a federal entity.

8. What specific information must be disclosed under AB 2013?

The law requires documentation that includes:

  • Dataset sources or owners.
  • How datasets align with the system’s intended purpose.
  • Data point types and estimated volumes.
  • Intellectual property and privacy status (e.g., copyrighted, personal data).
  • Whether datasets were purchased, licensed, or in the public domain.
  • Processing or cleaning steps taken.
  • Data collection timeframes and first-use dates.
  • Whether synthetic data generation was used, with an optional explanation of why.

9. What are the penalties for violating SB 942 or AB 2013?

  • SB 942: Civil penalties of $5,000 per violation, per day, plus possible injunctive relief and legal costs. Each day a violation continues counts as a separate offense.
  • AB 2013: The bill itself does not specify a monetary penalty. However, it grants enforcement authority to the California Attorney General, meaning noncompliance could still result in enforcement actions, including investigations and other remedies allowed under California law.

10. How can privacy professionals prepare for compliance?

  • For SB 942: Develop workflows for labeling AI-generated content with both visible and embedded disclosures, ensure metadata persistence, and deploy a compliant detection tool.
  • For AB 2013: Maintain a living inventory of training datasets with full source, licensing, processing, and IP details, and ensure this can be published in the required public format before release.
  • In both cases: Integrate these obligations into vendor contracts, data governance frameworks, and multi-jurisdiction compliance plans.

Texas Privacy Enforcement: Navigating the Attorney General’s Aggressive Approach https://trustarc.com/resource/texas-privacy-law-enforcement/ Tue, 24 Jun 2025 10:20:00 +0000 https://trustarc.com/?post_type=resource&p=6608
Article

Texas Privacy Enforcement: Navigating the Attorney General’s Aggressive Approach

In the world of data privacy, the Texas Attorney General’s office is akin to a sheriff from a classic Western—unyielding, ever-vigilant, and relentless in pursuit of justice. Businesses operating in Texas or serving its residents must take heed: The Texas Attorney General (AG) has vigorously enforced privacy laws, even predating the Texas Data Privacy and Security Act (TDPSA), turning the Lone Star State into a formidable force for data compliance.

Texas: Championing consumer privacy

Texas’s aggressive consumer protection stance is marked by an impressive record of enforcement actions and staggering financial settlements. Over the past four years alone, the Texas State AG has initiated numerous high-profile investigations and lawsuits, underscoring his determination to protect Texans’ personal data from misuse and exploitation.

From suing tech giants to car manufacturers, the state AG’s office has repeatedly demonstrated zero tolerance for privacy violations. In 2022, the AG launched multiple lawsuits against Google for deceptive tracking practices, misleading Texans about the privacy protections of “Incognito Mode,” and unlawfully capturing biometric data. These aggressive legal maneuvers culminated in a historic $1.375 billion settlement with Google in May 2025, a potent reminder of Texas’s determination to hold corporations accountable.

Major Enforcement Milestones in Texas Privacy Law

Early enforcement: Using existing laws to pave the way

Even before the TDPSA took effect on July 1, 2024, the state AG’s office skillfully leveraged existing Texas laws like the Capture or Use of Biometric Identifiers Act (CUBI) and the Deceptive Trade Practices Act (DTPA) to hold companies accountable and enforce stringent privacy standards and accountability.

In addition to the Google cases, Meta’s use of facial recognition without consent on Facebook led to a landmark $1.4 billion settlement in 2024. The case revealed that Meta indiscriminately scanned photos and videos uploaded to its platform, storing facial geometry records without informing or obtaining consent from users, a direct violation of CUBI and DTPA.

Texas secured a record $1.4B privacy settlement from Meta, the largest ever obtained by a single state in a privacy case.

Other pre-TDPSA cases include lawsuits against TikTok for deceptive marketing to minors and potential facilitation of child exploitation, and LinkedIn for allegedly using private messages to train AI models without user consent. These cases showcase the Texas AG’s long-standing commitment to consumer protection using the legal tools available, even before a comprehensive privacy law existed.

TDPSA: A new era in Texas privacy enforcement

With a population of more than 30 million, virtually every nationally available service has Texas users, so even companies based outside the state are likely subject to the TDPSA. This vast jurisdictional reach significantly raises the stakes for noncompliance.

The Texas Data Privacy and Security Act, effective July 1, 2024, has formalized Texans’ privacy rights and introduced strict compliance requirements for businesses. Like most state privacy laws, the TDPSA gives the Attorney General exclusive enforcement authority. This includes issuing civil investigative demands (CIDs), assessing organizations’ data protection efforts, and initiating legal actions when necessary.

Businesses benefit from a 30-day cure period to address violations before enforcement kicks in. To avoid fines of up to $7,500 per violation, organizations must swiftly document and implement corrective actions. The law also allows the AG to recover attorney’s fees and investigative costs, adding further financial stakes to enforcement.

TDPSA requires businesses to:

  • Respond to consumer rights requests within 45 days.
  • Provide clear, accessible privacy notices detailing data collection and processing practices.
  • Obtain explicit opt-in consent before collecting sensitive data, including biometric identifiers and precise geolocation.
  • Conduct data protection assessments for high-risk processing activities, such as profiling, sensitive data use, or targeted advertising.

Vendor Management and Contractual Safeguards

A critical yet often overlooked component of TDPSA compliance is vendor management. Controllers must establish formal contracts with processors, clearly defining data handling instructions, confidentiality obligations, and security practices. Contracts must ensure:

  • Processors only act under the controller’s instructions.
  • Sensitive data is returned or deleted upon termination.
  • Subcontractors are held to the same privacy obligations.

Failure to enforce these contracts can expose organizations to enforcement actions if third parties violate the law while processing data on their behalf.

Want to know more about TDPSA requirements and timelines? Read the Background Brief: Texas Data Privacy and Security Act.

Lessons from recent enforcement actions

The enforcement actions against Allstate and its subsidiary Arity vividly illustrate the stringent new landscape. The 2025 lawsuit accused these companies of secretly collecting and selling driving behavior data from consumers’ mobile devices and vehicles without adequate consent or transparency, highlighting failures in providing clear opt-out mechanisms.

Similarly, General Motors faced litigation for using in-car technology to monitor drivers’ movements, recording sensitive data, and sharing it without meaningful disclosure. These cases stress the importance of clear opt-out mechanisms, user education, and detailed privacy policies.

Protecting minors and policing emerging tech

Protecting children online has become a cornerstone of the State of Texas’s privacy platform. Under the Securing Children Online Through Parental Involvement (SCOPE) Act, companies are prohibited from collecting or sharing children’s data without parental consent. TikTok, Instagram, Discord, and Character.AI have all come under investigation for allegedly putting minors’ safety at risk.

Emerging technologies like AI and IoT are also under the AG’s microscope. Lawsuits against LinkedIn and Allstate’s Arity have flagged the risks of using personal data to train algorithms without transparency or consent. As technology evolves, the State AG’s approach indicates that Texas intends to remain at the forefront of privacy oversight.

What privacy professionals need to know

Given Texas’s robust enforcement regime, privacy professionals must urgently reassess their strategies:

  • Audit your data practices: Ensure compliance with TDPSA, focusing particularly on consent mechanisms and robust consumer rights frameworks.
  • Transparency is non-negotiable: Privacy policies should be clear, accessible, and truthful. Even unintentional misleading practices can attract substantial fines.
  • Prioritize sensitive data: Carefully manage biometric data, precise geolocation, and children’s information. These are highly scrutinized under Texas law.
  • Review contracts: Ensure all processor agreements meet TDPSA standards, including breach notification and data deletion clauses.
  • Regularly update training: Ensure your team fully understands compliance obligations and the high stakes involved. Train staff to identify and avoid dark patterns, honor opt-out signals, and handle sensitive data with care.

Warning signs you may be on the Texas State AG Office radar

  • You collect location, biometric, or children’s data without explicit opt-in.
  • Your privacy policy hasn’t been updated since 2023.
  • You rely on third-party SDKs or analytics tools but haven’t conducted a vendor risk review.
  • You process data from children or minors but don’t verify age or request parental consent.
  • You engage in targeted advertising or profiling but haven’t conducted a data protection impact assessment.

Note on enforcement structure: Unlike the CCPA, which gives consumers a private right of action for certain data breaches, the TDPSA does not allow private lawsuits. Only the Texas AG can enforce the law, including civil investigative demands, hefty financial penalties, and cost recovery for enforcement actions.

Staying ahead of enforcement: A compliance imperative

The AG’s assertive stance on privacy enforcement sends a clear message: Texas is serious about protecting consumers’ data rights. Businesses must act decisively to fortify their privacy programs against regulatory scrutiny.

For privacy professionals, the urgency is clear—robust compliance isn’t just prudent; it’s imperative. After all, in the dynamic arena of Texas privacy enforcement, vigilance isn’t merely advisable; it’s essential to survival.

Click, Consent, Trust: Winning the Privacy Game https://trustarc.com/resource/webinar-click-consent-trust-winning-the-privacy-game/ Wed, 18 Jun 2025 13:08:35 +0000 https://trustarc.com/?post_type=resource&p=6606
Webinar

Click, Consent, Trust: Winning the Privacy Game

  • On Demand

In today’s hyperconnected world, privacy is more than a compliance checkbox—it’s a cornerstone of consumer trust. Customers expect transparency, control, and respect when it comes to their personal data. Brands that deliver on these expectations don’t just stay compliant—they stand out.

Join privacy experts from TrustArc and Greenberg Traurig for a deep dive into the evolving landscape of data privacy and discover how to turn regulatory complexity into a strategic advantage. Learn how to design consent experiences that are seamless, global compliance strategies that scale, and data practices that foster long-term trust.

In this webinar, you’ll learn:

  • How to deliver consistent privacy choices across devices, channels, and geographies
  • How to design frictionless, user-centric consent flows that enhance the customer experience
  • Strategies to stay ahead of ever-changing cookie laws and privacy regulations worldwide
  • What “Trustworthy AI” means and how it plays a pivotal role in ethical data use

This webinar is eligible for 1 CPE credit.

Webinar Speakers

Paria Asadbikli Global Privacy Manager, TrustArc
Darren Abernethy Shareholder, Greenberg Traurig
 
From Patchwork to Practicality: A Framework-Based Approach to U.S. State Privacy Compliance https://trustarc.com/resource/us-state-privacy-compliance-framework/ Tue, 03 Jun 2025 20:52:50 +0000 https://trustarc.com/?post_type=resource&p=6495
Whitepaper

From Patchwork to Practicality: A Framework-Based Approach to U.S. State Privacy Compliance

Streamline U.S. Privacy Compliance With a Scalable Framework


Say goodbye to compliance chaos.
With 20 U.S. state privacy laws—and more on the way—reactive, state-by-state compliance is a costly game of regulatory whack-a-mole. This guide shows you how to break the cycle using a scalable, framework-based approach.

Discover how TrustArc’s Nymity Privacy Management Accountability Framework (PMAF) can help you streamline operations, reduce legal risk, and prepare for what’s next in data privacy.

Download the ebook to turn fragmented compliance efforts into a unified, future-ready strategy.

Key takeaways include:
  • Eliminate patchwork inefficiencies with a centralized compliance strategy grounded in the Nymity PMAF.

  • Adapt quickly to new laws and future-proof your privacy program across 20+ U.S. jurisdictions.

  • Reduce risk and overhead by standardizing governance, consumer rights management, vendor oversight, and regulatory reporting.

“The fragmented patchwork of U.S. state privacy laws could cost U.S. businesses over $1 trillion in the next decade.”

— Information Technology and Innovation Foundation

The Current State of U.S. Consumer Privacy Laws: An Early 2025 Update https://trustarc.com/resource/us-consumer-privacy-laws-2025-update/ Wed, 12 Mar 2025 10:48:00 +0000 https://trustarc.com/?post_type=resource&p=6139
Article

The Current State of U.S. Consumer Privacy Laws: An Early 2025 Update

Navigating the patchwork: The rapid evolution of State privacy laws

Remember when consumer privacy laws in the U.S. were mostly synonymous with the California Consumer Privacy Act (CCPA)? Those days are long gone. In 2025, the patchwork of state privacy laws has expanded dramatically, with 20 states enacting comprehensive privacy regulations, some amending current laws, and more on the way. For privacy professionals, staying ahead of these changes is crucial to mitigating risks, maintaining consumer trust, and avoiding costly penalties.

This article comprehensively reviews each state’s privacy regulations, explores their similarities and differences, and offers practical insights to help businesses maintain compliance and future-proof their operations in 2025 and beyond.

A State-by-State breakdown: What’s in effect, what’s coming

As of 2025, the following states have enacted privacy laws:

Laws already in effect:

For a comprehensive look at the new data privacy laws taking effect in 2025, check out Preparing for 2025: A Dive into New U.S. Data Privacy Laws.

Looking ahead to 2026:

With this ever-expanding landscape, businesses must develop adaptive compliance strategies to address varying requirements across jurisdictions.

The common threads: Key similarities across state privacy laws

Despite the diversity in these laws, most state privacy acts share common principles, making it possible to create a unified compliance strategy. These include:

  • Threshold-based applicability: Most laws apply to businesses that process data for a minimum number of consumers or derive revenue from data sales.
  • Core consumer rights: Access, correction, deletion, data portability, and opt-out rights are standard across most states.
  • Privacy notice requirements: Transparency mandates include detailed disclosure of data practices, processing purposes, and consumer rights.
  • Opt-out and consent mechanisms: Many laws mandate opt-out mechanisms for targeted advertising and the sale of personal data, with some requiring explicit opt-in consent for sensitive data processing.
  • Privacy Impact Assessments (PIAs): Several states, including Colorado and Virginia, require risk assessments for high-risk processing, such as biometric data collection and profiling.
  • Vendor management and contractual requirements: Organizations must ensure data processors adhere to strict contractual obligations concerning data handling.
  • Limitations on data retention and secondary use: Data minimization principles restrict how long organizations can retain consumer data and limit its use beyond disclosed purposes.

The differences: Where States deviate from the norm

While a broad compliance framework can cover most state laws, key differences require additional attention. Some of the most significant variations include:

1. Consumer rights and their scope

  • Right to correct data: Not included in Iowa.
  • Third-party data sales lists: Required in Oregon, Delaware, Tennessee, and Connecticut.
  • Right to contest automated decision making: Minnesota introduces this new right, requiring businesses to explain profiling results and allow consumers to contest them. This right is also included in the 2025 amendments to the CCPA Regulations and in the amendments to the Connecticut Data Privacy Act (CTDPA). The CCPA Regulations also include the right to access information about, and to appeal, significant decisions.
  • Opt-out rights in mergers and acquisitions: California mandates that consumers’ previous opt-out choices must be honored post-merger.

2. Data minimization standards: Maryland’s groundbreaking approach

Maryland’s Online Data Privacy Act (MODPA) goes beyond traditional notice-and-consent models by imposing a strictly necessary standard for data collection and use. This means businesses can only process sensitive data if it is strictly necessary to provide a consumer-requested service, which raises significant compliance challenges.

3. Privacy notices and retention policies

  • Minnesota uniquely requires businesses to include data retention policies in privacy notices.
  • Maryland requires businesses to provide a third-party notice if they use or share data in ways inconsistent with original disclosures.
  • Rhode Island mandates additional privacy notices for commercial websites and internet service providers.

4. Opt-out signal recognition

Most states require organizations to recognize opt-out signals, which allow users to opt out of the sale of their personal information, targeted advertising, and profiling through preference signals sent to an organization, with the consumer’s consent, by a platform, technology, or mechanism. Preference signals were first required by California and have been added to the privacy laws of several other states, excluding Virginia, Utah, Iowa, Indiana, Kentucky, Tennessee, and Rhode Island.

California is the only state that explicitly requires organizations to recognize Global Privacy Control (GPC), while in Colorado the AG designated GPC as an acceptable universal opt-out mechanism (UOOM). Other states refer to the opt-out signal with general terms such as opt-out mechanisms or signals. Additionally, California is the only state that requires organizations to confirm to consumers that their opt-out request has been honored, through a conspicuous sign on their website or similar means.
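What honoring a preference signal looks like on the server, as an added example that is not TrustArc’s code or any regulator’s reference implementation. The `Sec-GPC` request header with the exact value `1` and the `/.well-known/gpc.json` resource come from the GPC specification; the consent-record shape, the tag names, the state list taken from the paragraph above, and the `honor_everywhere` switch are my assumptions. The sample headers are constructed inline.

```python
"""Recognizing a Global Privacy Control (GPC) signal and acting on it.

Added example, not the page's code. Header name and well-known resource follow
the GPC spec; consent-record fields, tag names and state handling are assumed.
"""
import json
from dataclasses import dataclass

# States the page lists as not requiring recognition of opt-out preference
# signals. Assumption: most programs honor GPC everywhere anyway; the flag
# below only shows where the statutory floor differs.
NO_SIGNAL_MANDATE = {"VA", "UT", "IA", "IN", "KY", "TN", "RI"}


@dataclass
class ConsentRecord:
    sale_opt_out: bool = False
    targeted_ads_opt_out: bool = False
    source: str = "none"          # "none", "gpc" or "user" (assumed values)


def gpc_present(headers: dict) -> bool:
    """True only for Sec-GPC: 1; the spec says any other value is not a signal."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"


def apply_signal(headers: dict, record: ConsentRecord,
                 state: str = None, honor_everywhere: bool = True) -> ConsentRecord:
    """Fold a GPC signal into the consent record.

    A signal only ever turns opt-outs on; it never re-enables sale or targeted
    advertising, and an existing opt-out is preserved.
    """
    if not gpc_present(headers):
        return record
    if not honor_everywhere and state in NO_SIGNAL_MANDATE:
        return record
    return ConsentRecord(sale_opt_out=True, targeted_ads_opt_out=True, source="gpc")


def third_party_tags(record: ConsentRecord) -> list:
    """Which tags a page may load under this record (tag names are assumed)."""
    tags = ["analytics-first-party"]
    if not record.targeted_ads_opt_out:
        tags.append("adtech-pixel")
    if not record.sale_opt_out:
        tags.append("data-broker-sync")
    return tags


def gpc_well_known(last_update: str = "2025-01-01") -> str:
    """Body for /.well-known/gpc.json, the spec's way to state that GPC is honored."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


def confirmation_text(record: ConsentRecord) -> str:
    """Visible confirmation that the signal was honored (the California requirement)."""
    return "Opt-out preference signal honored" if record.source == "gpc" else ""


if __name__ == "__main__":
    # Constructed request headers from a GPC-enabled browser.
    sample = {"Host": "shop.example", "User-Agent": "Mozilla/5.0", "Sec-GPC": "1"}
    rec = apply_signal(sample, ConsentRecord(), state="CA")
    print(rec, third_party_tags(rec), confirmation_text(rec))
```

The point to test in a real deployment is the one the enforcement section makes: the decision must be applied before any sale-or-share tag fires, on every page and every channel, not just recorded in a consent database. The `third_party_tags` gate is where that check lives in this example.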

Finally, California signed into law the California Opt Me Out Act, adding a new section to the CCPA. This law requires businesses that develop or maintain a browser to establish a function that enables consumers to send them an opt-out preference signal via the browser, which must be easily located and configurable, and clearly notify in a public disclosure how the opt-out preference signal functions and its intended effects. This requirement comes into effect in 2027.

5. Special protections for sensitive data

Children’s data

Maryland prohibits the sale of children’s data, while Colorado and Virginia require Data Protection Assessments (DPA) for minor-related processing. Colorado, Virginia, Connecticut, and Montana include prescriptive requirements for the processing of children’s data when offering an online service, product, or feature.

Health data

Maryland and Connecticut have introduced geofencing restrictions to prevent tracking individuals near sensitive locations like reproductive health clinics.

Biometric data

Colorado and Illinois impose stricter rules for biometric data collection, including explicit consent requirements.

Neural Data

Colorado is the only state that includes biological data, including neural data, in its definition of sensitive data when it is intended for identification purposes. California has a broader definition of neural data in its sensitive data definition, which is not limited to its intended purpose. Connecticut likewise includes neural data, not limited to its intended purpose, in its definition of sensitive data.

Regulatory crackdowns: Key enforcement actions and lessons learned

Recent enforcement actions provide insight into how regulators interpret and enforce these laws. California’s Attorney General and the California Privacy Protection Agency (CPPA) have been actively pursuing violations related to non-compliance with consumer opt-out rights, dark patterns, and inadequate disclosures. Meanwhile, Texas has focused on sensitive data processed without consent or any notice, and on the collection of location data, signaling a growing regulatory crackdown beyond just California.

For example, in 2025, four major CCPA enforcement actions sent a clear signal that California’s privacy regulator will hold companies fully accountable for any barriers, technical or procedural, that impede consumers from exercising their statutory rights. Businesses can no longer rely on the mere existence of a consent or opt‑out tool, and they must continuously monitor and test these mechanisms to ensure they function correctly in practice.

Similarly, in Texas, organizations have faced enforcement for failing to provide privacy notices to consumers explaining their right to opt out and the method to cease certain processing, processing sensitive personal information without consent, and failing to notify consumers that their data was being sold.

These enforcement actions underscore that organizations must be embedding privacy compliance into everyday operations, including:

  • training staff;
  • honoring opt-out signals like Global Privacy Control (GPC) automatically and consistently across all platforms;
  • auditing user interfaces; and
  • maintaining up‑to‑date, compliant contracts with all service providers/vendors.

Robust, user‑centered privacy workflows are not just best practices; they are essential to avoiding disruptive enforcement actions and reputational harm.

Additionally, enforcement authorities from California, Colorado, and Connecticut are actively examining company website tracking/cookie banners as part of their 2025 enforcement initiatives, to investigate potential noncompliance with the GPC, an easy-to-use browser setting or extension that automatically signals to businesses a consumer’s request to stop selling or sharing their personal information to third parties.

Practical strategies for multi-state compliance in 2025

Sector-Specific Privacy Considerations

Specific industries face additional regulatory scrutiny due to sector-specific privacy laws. For example:

  • Healthcare: Organizations handling health data must comply with both state privacy laws and HIPAA, which imposes stringent requirements on how protected health information (PHI) is collected, stored, and shared.
  • Financial services: Under GLBA (Gramm-Leach-Bliley Act), financial institutions must provide clear disclosures and safeguard sensitive consumer financial data, which may exempt them from some state privacy laws but still requires compliance with strict federal requirements.
  • AdTech and data brokers: States like California and Vermont impose additional restrictions on data brokers, requiring registration and transparency in data sales.

Ensuring compliance in these sectors requires businesses to harmonize state privacy laws with existing federal mandates, often necessitating layered compliance strategies.

1. Standardize where possible, differentiate where needed

  • Implement a baseline compliance framework that meets the highest common denominator across all states.
  • Where laws diverge (e.g., Maryland’s strict data minimization rule), tailor compliance approaches accordingly.

2. Future-proof your compliance program

  • Monitor ongoing rulemaking and legislative amendments—laws evolve quickly.
  • Keep an eye on enforcement trends—California and Texas have aggressively pursued privacy violations.
  • Prepare for new biometric, AI, and children’s privacy laws emerging as key regulatory priorities.

3. Automate and streamline consumer rights requests

With the rise of automated third-party bots submitting mass deletion requests, businesses should leverage identity verification tools and web-based request intake systems to reduce fraud risks.

4. Prioritize privacy by design

  • Integrate Privacy Impact Assessments (PIAs) into product development cycles.
  • Adopt data minimization techniques and default privacy settings to ensure compliance from the ground up.

Compliance as a strategic business imperative

Yes, the U.S. consumer privacy landscape is complex, but businesses that proactively adapt can turn compliance into a competitive advantage. By investing in robust privacy management frameworks, automation, and privacy-first product design, organizations can build consumer trust while staying ahead of regulatory changes.

With new laws on the horizon and enforcement ramping up, now is the time for businesses to solidify their privacy strategies. Because in 2025, managing compliance isn’t just about avoiding fines—it’s about future-proofing your business in a privacy-first world.

Preparing for 2025: A Dive into New U.S. Data Privacy Laws https://trustarc.com/resource/preparing-2025-new-data-privacy-laws/ Thu, 19 Dec 2024 11:28:00 +0000 https://trustarc.com/?post_type=resource&p=5880
article

Preparing for 2025: A Dive into New U.S. Data Privacy Laws

Privacy professionals, it’s time to gear up for a monumental shift in the U.S. data privacy landscape. In 2025, eight new state privacy laws will go into effect, joining an existing patchwork of regulations. These laws will raise the stakes for businesses handling consumer data, demanding greater transparency, accountability, and adaptability.

This article unpacks the essentials of these new laws, highlights their unique features, and provides actionable steps to ensure your organization is ready to thrive in the evolving privacy-first era.

The U.S. 2025 data privacy law wave: What’s new?

Here’s a snapshot of the eight new privacy laws coming into effect in 2025:

Iowa Consumer Privacy Act (ICPA)
Delaware Personal Data Privacy Act (DPDPA)
New Hampshire Consumer Expectation of Privacy (NHCEP)
New Jersey Consumer Privacy Act (NJCPA)
Nebraska Data Privacy Act (NDPA)
Tennessee Information Protection Act (TIPA)
Minnesota Consumer Data Privacy Act (CDPA)
Maryland Online Data Privacy Act (MODPA)

Iowa Consumer Privacy Act (ICPA)

Effective date: January 1, 2025

Highlights:

  • Extended timelines: 90 days to respond to consumer requests, the longest among U.S. state laws.
  • Limited rights: Opt-out rights are restricted to data sales, excluding profiling and targeted advertising, and businesses are not required to recognize opt-out signals. The right to correct is not available in this State.
  • Enforcement: Handled solely by the Attorney General, with fines up to $7,500 per violation.

Delaware Personal Data Privacy Act (DPDPA)

Effective date: January 1, 2025

Highlights:

  • Low thresholds: Applies to businesses processing data of just 10,000 consumers if over 20% of revenue comes from data sales.
  • Third-party lists: Requires businesses to provide consumers, on request, with the list of third parties to which the controller disclosed their personal data.
  • Rapid response: 45-day compliance deadline for consumer rights requests.

New Hampshire Consumer Expectation of Privacy (NHCEP)

Effective date: January 1, 2025

Highlights:

  • Transparency first: Strong focus on notice requirements and consumer rights like access, correction, and deletion.
  • Enforcement: Attorney General-led with clear guidelines for business compliance.

New Jersey Consumer Privacy Act (NJCPA)

Effective date: January 1, 2025

Highlights:

  • Enhanced disclosures: Requires businesses to notify consumers about data sales and targeted advertising practices in detail.
  • Opt-out obligations: Businesses must provide accessible, user-friendly mechanisms for opt-outs.

Nebraska Data Privacy Act (NDPA)

Effective date: January 1, 2025

Highlights:

  • Data minimization: Emphasizes limiting data collection to what is necessary for specific purposes.
  • Secure processing: Focus on bolstering data security practices.

Tennessee Information Protection Act (TIPA)

Effective date: July 1, 2025

Highlights:

  • High applicability thresholds: Covers businesses exceeding $25 million in revenue that process data of 175,000+ consumers (or 25,000+ consumers while deriving more than 50% of revenue from data sales).
  • Consumer request security: Mandates robust systems for handling consumer requests.

Minnesota Consumer Data Privacy Act (CDPA)

Effective date: July 31, 2025

Highlights:

  • Profiling protections: First state to grant rights to contest profiling decisions and review data used in profiling.
  • Unique requirements: Mandates a data inventory and requires consent for pseudonymous data reidentification.
  • Privacy lead: Requires the controller to designate a chief privacy officer or another individual with primary responsibility for compliance.

Maryland Online Data Privacy Act (MODPA)

Effective date: October 1, 2025

Highlights:

  • Expanded definitions: Broadens “data sale” to include transfers by processors or affiliates.
  • Sensitive data restrictions: Prohibits the sale of sensitive data.
  • Geofencing limits: Prohibits geofencing near sensitive health facilities without consent.
  • Data minimization: Raises the bar, requiring a stricter data minimization principle.

Common ground: What these laws share

While each law has unique elements, they share foundational principles that reflect a broader trend in consumer privacy protection:

Consumer Rights

Access, correction, deletion, data portability, and opt-out rights are common across most laws. Some, like Minnesota, expand these individual rights to include contesting profiling results.

Transparency

Privacy notices must be clear, accessible, and detailed, covering data collection, usage, and sharing practices.

Applicability Thresholds

These laws generally apply to businesses meeting certain thresholds, such as processing data for a specific number of consumers or deriving revenue from data sales, with the exception of Nebraska’s Data Privacy Act, which applies to any business conducting certain activities.

Data Protection Assessments (DPAs)

Many laws require assessments for high-risk processing activities to evaluate risks and mitigation strategies.

Non-Discrimination

Consumers exercising their rights cannot be discriminated against, such as being denied services or charged higher prices.

Looking for a broader perspective to complement your state-specific strategy? The Data Privacy Professionals’ Guide to Thriving in 2025 offers a panoramic view of regulatory shifts, AI governance, and operational best practices to help your team stay ahead.

What makes each law stand out?

Some of the new 2025 data privacy laws have unique elements that differentiate them from the others, reflecting the diverse approaches states are taking to protect consumer privacy:

Iowa Consumer Privacy Act (ICPA): Iowa stands out with its extended 90-day response timeline for consumer requests—double the standard 45 days found in most other state laws. It also limits opt-out rights to data sales, excluding profiling and targeted advertising.

Delaware Personal Data Privacy Act (DPDPA): Delaware’s low thresholds for applicability (10,000 consumers if over 20% of revenue comes from data sales) make it more likely to apply to small and medium-sized businesses than other laws. It also has a broad definition of sensitive data, being the only one that explicitly includes pregnancy as a health condition, and one of the few that includes the status as transgender or nonbinary. Finally, Delaware is one of the few states with the right to obtain third-party lists.

New Jersey Consumer Privacy Act (NJCPA): New Jersey’s focus is on enhanced disclosure requirements, obligating businesses to provide comprehensive notifications about data sales and targeted advertising practices. It also requires businesses to disclose whether personal data is processed for profiling that may produce legal or similarly significant effects on the consumer.

Tennessee Information Protection Act (TIPA): Tennessee sets high applicability thresholds, covering businesses that exceed $25 million in revenue and process data for 175,000+ consumers (or 25,000+ consumers while deriving more than 50% of revenue from data sales). Like Delaware, it includes the right to obtain third-party lists, and it is one of the states that do not require organizations to recognize universal opt-out signals. Finally, Tennessee gives controllers and processors an affirmative defense to enforcement if they maintain a written privacy program that reasonably conforms to the NIST Privacy Framework.

Minnesota Consumer Data Privacy Act (CDPA): Minnesota breaks new ground by granting consumers the right to challenge profiling decisions and to learn what data was used. It also prohibits unlawful discrimination against consumers in data processing and requires express consent before reidentifying pseudonymous data. Organizations must maintain a data inventory and be able to demonstrate compliance. Additionally, the controller must designate a chief privacy officer or another individual with primary responsibility for compliance.

Maryland Online Data Privacy Act (MODPA): Maryland imposes strict data minimization requirements, including prohibiting certain geofencing practices near health facilities. The collection, processing, and sharing of sensitive data are limited to situations where it is strictly necessary to provide or maintain a specific product or service requested by the consumer. Additionally, the sale of sensitive data is generally prohibited. Organizations are not allowed to sell or process a consumer’s personal information for targeted advertising if they know or should have known that the consumer is under 18 years old.

These distinctive features reflect the varying priorities of states as they balance consumer rights, business obligations, and enforcement mechanisms.

How to prepare your business for new U.S. privacy laws in 2025

1. Assess applicability

Map out which laws apply to your organization based on factors like consumer thresholds and revenue sources. This is critical for prioritizing compliance efforts.

2. Conduct data protection assessments (DPAs)

Evaluate high-risk activities such as profiling, data sales, or processing sensitive data. Ensure these assessments align with the specific requirements of each applicable law.

3. Update privacy notices

Your privacy notice is your compliance cornerstone. Include clear information on:

  • Data categories collected
  • Processing purposes
  • Consumer rights
  • Opt-out mechanisms

For example, Minnesota requires businesses to disclose their data retention policies and the last update date of their privacy notices.

4. Strengthen consumer rights management

Develop streamlined processes to handle consumer rights requests efficiently. Ensure compliance with specific deadlines (e.g., Iowa’s 90 days vs. Delaware’s 45 days). Use secure, user-friendly systems for submitting and tracking requests.

5. Bolster data security practices

Regularly review and update your data security protocols. Focus on protecting sensitive information and preventing unauthorized access or breaches.

6. Train your team

Educate employees across all departments about privacy requirements and their roles in compliance. From IT to marketing, everyone plays a part in safeguarding consumer data.

7. Stay agile

Regulatory landscapes are evolving. Keep an eye on amendments, emerging laws, and enforcement actions to adapt your compliance strategies proactively.

Key takeaways: Building trust through compliance in 2025

The new 2025 privacy laws signal a shift toward enhanced consumer protections and greater accountability for businesses. While navigating this evolving landscape can seem daunting, preparation is your best defense.

Here’s what to remember:

Start now: Early compliance efforts reduce risks and ease transitions.

Leverage tools: Privacy management software and automated workflows can streamline compliance.

Stay educated: Knowledge is power—keep up with new regulations and trends in data privacy laws.

Like assembling a LEGO masterpiece, compliance requires patience, precision, and planning. By laying each piece carefully, you’ll build a privacy program that’s as resilient as it is effective.

While the new privacy laws present challenges, they also allow businesses to earn customer trust. By prioritizing data protection, organizations can strengthen relationships, enhance reputations, and thrive in the privacy-first era.

State of State Privacy Laws https://trustarc.com/resource/webinar-state-of-state-privacy-laws/ Thu, 05 Dec 2024 13:29:24 +0000 https://trustarc.com/?post_type=resource&p=5761
Webinar

State of State Privacy Laws

  • On Demand

The U.S. data privacy landscape is expanding rapidly, with 20 states having enacted comprehensive privacy laws as of November 2024. These laws cover consumer rights, data collection and use (including of sensitive data), data security, transparency, and various enforcement mechanisms and penalties for non-compliance.

Navigating this patchwork of state-level laws is crucial for businesses to ensure compliance and requires a combination of strategic planning, operational adjustments, and technology to be proactive.

Join leading experts from TrustArc, the Future of Privacy Forum, and Venable for an insightful webinar exploring the evolution of state data privacy laws and practical strategies for maintaining compliance in 2025.

This webinar will review:

  • A comprehensive overview of each state’s privacy regulations and the latest updates
  • Practical considerations to help your business achieve regulatory compliance across multiple states
  • Actionable insights to future-proof your business for 2025

This webinar is eligible for 1 CPE credit.

Webinar Speakers

Daniela Sanchez Privacy Knowledge Lead, Law Library, TrustArc
Ridhi Varma Global Privacy Manager, TrustArc
Keir Lamont Director for U.S. Legislation, Future of Privacy Forum
Kelly DeMarchis Bastide Co-Chair, Privacy and Data Security Group, Venable
 
Exploring the World of U.S. Children’s Privacy https://trustarc.com/resource/exploring-the-world-of-u-s-childrens-privacy/ Wed, 30 Oct 2024 11:54:00 +0000 https://trustarc.com/?post_type=resource&p=5658
article

Exploring the World of U.S. Children’s Privacy

In a heavily digital era, with the Internet so easily accessible, children’s online privacy has never been more crucial. Children’s data is usually considered sensitive because children are a vulnerable demographic: they may not understand the risks of data processing and its impact on their privacy, and therefore cannot give informed consent.

The federal Children’s Online Privacy Protection Act (COPPA) set the standard for protecting children’s privacy by giving children and their parents safeguards for maintaining their privacy online. While additional federal legislation is in the works, several states are drafting and enacting state-specific legislation to bolster children’s protections, including consumer privacy laws with provisions on children’s data, Age Appropriate Design Codes, and laws dealing exclusively with children.

With so many state-specific laws, it’s paramount to keep track of and be aware of your obligations across states. This article compares and contrasts children’s privacy laws and highlights key privacy requirements to help you stay on top of your children’s data responsibilities.

Federal children’s privacy requirements

COPPA

COPPA specifically applies to operators of online websites and services oriented for children under the age of 13 who collect, use, and/or share their personal information, including operators with actual knowledge that they are processing data from children under the age of 13.

Some key requirements for operators include providing a privacy notice on their website and directly to parents explaining their activities of children’s data processing, developing procedures to obtain verifiable parental consent, and providing parents the right to review their child’s personal information in their possession, including the opportunity to refuse further data collection/processing.

However, as technologies advance, operators keep finding new ways to collect information from children and teens. In response, amendments to COPPA have been proposed through the Children and Teens’ Online Privacy Protection Act (COPPA 2.0), which passed the Senate on July 29, 2024.

COPPA 2.0 adds a new definition of ‘teens,’ which is defined as an individual over the age of 12 and under the age of 17. The amendments require the exercise of standard data processing principles, such as data and purpose limitation. They prohibit operators from disclosing to third parties or collecting children’s and teens’ personal information for targeted advertising. Operators are also required to develop a mechanism that enables users or their parents to erase personal information of a child or teen from their website.

The Kids Online Safety Act (KOSA)

KOSA is another federal bill that’s highly anticipated, which recently passed the Senate on July 29, 2024. The main difference between COPPA and KOSA is that KOSA focuses on governing the use of algorithms and displaying certain content to children by social media providers.

Key requirements under KOSA mandate that providers offer mechanisms for parents to flag harmful content on the platform. Providers must also supply tools that allow parents to monitor their child’s online activity. They are required to disclose information to parents about how children’s data is processed within their algorithms. Additionally, KOSA prohibits advertising products or services to children that are illegal to sell to them.

Navigating state children’s privacy requirements

Consumer privacy laws

More and more states are proposing consumer privacy laws, and 20 have already enacted them. Most state laws share several requirements related to children, including:

  • defining a child as an individual under 13,
  • enabling parents/guardians to exercise consumer rights on behalf of a child,
  • allowing the processing of children’s sensitive information only when COPPA requirements are met,
  • and establishing consent requirements for processing children’s data for marketing purposes.

However, there are nuances in some state laws that are worth flagging.

Colorado is unique in that it is the only state whose consumer privacy law includes a separate definition of ‘minor’, meaning any consumer under the age of 18. It also defines ‘heightened risk of harm to minors’, and an impact assessment must be performed where an online product or service presents such a risk.

The law prohibits certain activities when providing online products, services, or features, such as prohibiting:

  • processing without consent from the child or parent for secondary purposes,
  • processing data for longer than necessary,
  • using deceptive design patterns to extend a child’s online activity,
  • and deploying direct messaging features without applying safeguards to limit an unconnected adult from sending messages to a child.

Colorado and Virginia prohibit the collection of children’s precise geolocation data unless the data is necessary to provide the online service and is collected and retained only for a limited time, the child is shown a signal indicating that geolocation data is being collected, and consent has been obtained from the child or parent.

Similar to Colorado, some states provide their own definition of a ‘minor’, also defined as an individual under 18, including in:

  • California’s Protecting Our Kids from Social Media Addiction Act;
  • Tennessee’s Protecting Children from Social Media Act;
  • Utah’s Social Media Regulation Act; and
  • New York’s Children’s Data Protection Act and Stop Addictive Feeds Exploitation Act.

Florida’s, Minnesota’s, and Rhode Island’s consumer privacy laws, and Delaware’s Online Privacy and Protection Act, set a different requirement for processing children’s sensitive data: such data may not be processed unless consent has been obtained from a parent or guardian and the processing requirements under COPPA, including its consent requirements, are met.

States who have signed their consumer privacy law into law include California, Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Florida, Montana, Iowa, Delaware, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, and Rhode Island.

NetChoice lawsuits

The need for more children’s privacy laws is gaining momentum, and seven states have stepped up their commitment to it. Notably, Age Appropriate Design Codes (AADCs) are gaining popularity: California was the first to propose and enact an AADC, Maryland followed with its own, and states such as Illinois, Oregon, and New Mexico have already put draft AADCs on the table.

While the goal of these laws is to protect children on the internet, there is ongoing debate over whether they are constitutional.

In 2022, NetChoice, a trade association of large online platforms that advocates for online speech, sued California’s Attorney General over its AADC, and in 2023 sued Utah over its SMRA, alleging that the core provisions of these laws, which regulate children’s access to online services, contravene the First and Fourth Amendments, chiefly on free-speech grounds.

These lawsuits resulted in a preliminary injunction against California’s AADC, which had been scheduled to take effect on July 1, 2024, and a delay of Utah’s SMRA effective date from March 2024 to October 1, 2024.

State-specific laws governing children’s online privacy

Most states don’t have exclusive laws concerning children’s privacy, except for:

  • California’s AADC, Protecting Our Kids from Social Media Addiction Act (POKSMAA), and Act relating to Minors Online (AMO);
  • Maryland’s Age Appropriate Design Code;
  • Florida’s Protection of Children in Online Spaces Act (PCOSA) and Act relating to Technology Transparency (ATT);
  • Delaware’s Online Privacy and Protection Act (OPPA);
  • Tennessee’s Protecting Children from Social Media Act (PCSMA);
  • Utah’s Social Media Regulation Act (SMRA); and
  • New York’s Children’s Data Protection Act (CDPA) and Stop Addictive Feeds Exploitation (SAFE) Act

These children’s privacy laws provide additional protections not found in the consumer privacy laws, establishing more stringent safeguards, as shown below:

Key regulation details

Provision of parental controls

  • California POKSMAA: allow parents to prevent children from accessing the service or receiving notifications at specific hours; limit the time children spend on addictive feeds; limit children’s visibility of feedback such as likes on addictive feeds; set the child’s account to private mode.
  • Tennessee PCSMA: allow parents to view account privacy settings; set time restrictions for social media access; enforce breaks from social media.
  • Utah SMRA: allow parents to view the child’s posts, responses, and messages; set curfew restrictions, by default from 10:30 PM to 6:30 AM.

Restrictions on sending notifications

  • California POKSMAA: notifications may not be sent to minors between 12 AM and 6 AM or between 8 AM and 3 PM without parental consent.
  • New York SAFE Act: notifications may not be sent to minors between 12 AM and 6 AM without parental consent.

Data protection impact assessments (DPIAs)

  • California AADC: requires a DPIA every two years to assess risks to children and develop mitigation plans.
  • Maryland AADC: requires a DPIA to assess data use and ensure it is in the best interests of children; material changes must be reviewed within 90 days.

Age verification

  • California AADC: estimate the age of children and do not use that data for secondary purposes.
  • New York SAFE Act: do not use age-verification data for secondary purposes and delete it after use.
  • Florida ATT & DBR: as in California and New York, age-verification data must not be used for secondary purposes.
  • Tennessee PCSMA: verify the age of new account holders and obtain parental consent; allow parents to revoke consent.

Prohibitions on marketing and advertising

  • California and Delaware: prohibit marketing harmful products such as alcohol to children on online services.
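The notification restrictions above are time-of-day windows in the minor’s local time, which is where implementations usually go wrong: a scheduler that compares against server UTC, or that mishandles a window wrapping past midnight (such as Utah’s 10:30 PM to 6:30 AM curfew default), will send at the wrong hours. The following is an added example, not code from TrustArc or from any platform; it encodes only the windows as the table states them (the California statute attaches further conditions to the daytime window that the table omits), and the account fields and function names are assumptions for the illustration.

```python
"""Decide whether a push notification may be sent to a known minor right now
without parental consent. Added example; quiet windows are taken from the
table on this page, everything else is assumed for the illustration."""
from dataclasses import dataclass
from datetime import datetime, time
from zoneinfo import ZoneInfo

# Quiet windows in the minor's LOCAL time, as (start, end). A window whose
# end is earlier than its start wraps past midnight.
QUIET_WINDOWS = {
    "CA": [(time(0, 0), time(6, 0)), (time(8, 0), time(15, 0))],  # POKSMAA, as summarised above
    "NY": [(time(0, 0), time(6, 0))],                              # SAFE Act, as summarised above
}


@dataclass(frozen=True)
class MinorAccount:
    state: str             # state whose law applies to the account (assumed field)
    tz: str                # IANA zone of the minor's residence, e.g. "America/Los_Angeles"
    parental_consent: bool # verified parental consent on file (assumed field)


def in_window(local: time, start: time, end: time) -> bool:
    """Half-open membership test that also handles windows wrapping midnight."""
    if start <= end:
        return start <= local < end
    return local >= start or local < end  # e.g. 22:30-06:30


def notification_allowed(account: MinorAccount, now_utc: datetime) -> bool:
    """True if a notification may be sent now.

    The caller must pass a timezone-aware instant; a naive datetime is rejected
    because silently treating it as local or UTC is exactly the bug this check
    exists to prevent. Parental consent lifts the restriction.
    """
    if now_utc.tzinfo is None:
        raise ValueError("now_utc must be timezone-aware")
    if account.parental_consent:
        return True
    windows = QUIET_WINDOWS.get(account.state)
    if windows is None:
        return True  # no statutory window listed on this page for other states
    local = now_utc.astimezone(ZoneInfo(account.tz)).time()
    return not any(in_window(local, start, end) for start, end in windows)


if __name__ == "__main__":
    from datetime import timezone
    minor = MinorAccount("CA", "America/Los_Angeles", parental_consent=False)
    # 12:00 UTC on 2024-11-05 is 04:00 PST: inside the overnight window.
    print(notification_allowed(minor, datetime(2024, 11, 5, 12, 0, tzinfo=timezone.utc)))
```

The `QUIET_WINDOWS` table is the only jurisdiction-specific part; the point of the example is the conversion to the minor’s zone and the wrap-around test, which apply to any curfew-style rule.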

 

Discovering Maryland’s Online Data Privacy Act’s Novel Approach to Consumer Privacy https://trustarc.com/resource/marylands-online-data-privacy-act/ Thu, 12 Sep 2024 11:45:00 +0000 https://trustarc.com/?post_type=resource&p=5229
article

Discovering Maryland’s Online Data Privacy Act’s Novel Approach to Consumer Privacy

Maryland’s Online Data Privacy Act (MODPA) is a groundbreaking Consumer Privacy Act that adds new complexities to the constantly evolving privacy landscape. We will explore the key points of the law, highlighting the unique requirements that distinguish it from other state laws.

Whether you’re a savvy business owner, a mindful consumer, or a curious observer, our goal is to equip you with the knowledge needed to understand Maryland’s online data privacy laws and help you navigate this digital privacy era.

The law will come into effect on October 1, 2025, providing businesses and consumers with a clear timeline to prepare for the changes.

The basics of Maryland’s Online Data Privacy Act

Scope

MODPA applies to businesses operating in the state or offering products or services to residents of the state. It pertains to those that, in the previous year, controlled or processed the personal data of at least 35,000 consumers (excluding pure payment transactions) or at least 10,000 consumers while deriving more than 20% of their gross revenue from the sale of personal data.

These thresholds are relatively low compared to Maryland’s population, covering businesses processing personal data from a lower percentage of the population than other states’ Consumer Privacy Acts.

This Act has exemptions similar to those in other Consumer Privacy State Acts, including entity-level and data-level exemptions for organizations covered by the GLBA and data covered by HIPAA. Some notable exemptions-related details include:

  • There is no entity-level exemption for organizations covered by HIPAA or for higher education institutions.
  • The entity-level exception for non-profit organizations only applies to non-profits exclusively helping law enforcement to investigate insurance fraud or assist first responders during major incidents.
  • MODPA exempts personal data collected by a regulated organization in the insurance sector or its affiliate to further the insurance business.

Consumer’s Rights

MODPA grants consumers the individual rights found in other U.S. state privacy laws. These rights include:

  • Right to know: Consumers can confirm whether a company is processing their personal data.
  • Access: Consumers have the right to obtain a copy of their personal data.
  • Rectification: Consumers can request the correction of any inaccurate personal data.
  • Deletion: Consumers can request the deletion of their personal data unless data retention is required by law.
  • Data portability: If the data processing is done by automatic means, consumers can obtain their personal data in a commonly used format.
  • Third-party disclosure: Consumers can request a list of the categories of third parties to which the company has disclosed their data.
  • Opt-out: Consumers can opt out of processing for targeted advertising, the sale of personal data, or profiling that involves automated decisions that significantly affect the consumer.

General requirements

MODPA shares a structure similar to other U.S. State Consumer Privacy Acts and includes essential consumer rights, procedures for responding to consumer requests (with a 45-day timeframe, extendable by an additional 45 days), authentication processes, and more. Additionally, MODPA requires organizations to provide consumers with a privacy notice and imposes vendor management requirements.

Novel requirements

Data minimization and purpose limitation

In several states with similar laws, organizations are required to minimize the collection of personal information to what is necessary, relevant, and reasonably needed to accomplish specific collection purposes, as communicated to the consumer. Maryland sets itself apart by mandating that organizations limit the collection and processing of personal information to what is reasonably necessary to provide or maintain a specific product or service requested by the consumer.

Additionally, it imposes a stricter requirement for minimizing the collection and processing of sensitive information to only what is strictly necessary to provide or maintain a specific product or service requested by the consumer. This emphasis on data minimization protects consumers and ensures responsible handling of their personal information.

The principle of purpose limitation under this law is consistent with other US State Consumer Privacy Acts. Organizations are prohibited from processing information for a purpose that is not reasonably necessary or compatible with the processing purposes disclosed to the consumer unless the consumer provides consent.

The interaction between data minimization and purpose limitation can be confusing: because collection is itself a form of processing, the consent carve-out in the purpose-limitation rule could be read to imply that consumers can consent to a less stringent minimization standard.

Health data

Consumer Health Data under MODPA refers to personal data that controllers use to identify a consumer’s physical or mental health status, including gender-affirming treatment, reproductive, or sexual healthcare. This type of data is considered sensitive under MODPA, which means it has enhanced protections and specific processing requirements.

The Act prohibits the sale of Sensitive Data, including Consumer Health Data, without any exceptions such as opt-in consent. Additionally, there are specific prohibitions related to Consumer Health Data, some of which have exceptions. These prohibitions include:

  • Providing access to Consumer Health Data to an employee or contractor unless there is a contractual or statutory duty of confidentiality, or confidentiality is required as a condition of employment.
  • Providing access to a processor (vendor) without complying with vendor management requirements under MODPA, such as contract requirements.
  • Using geofencing within 1,750 feet of any mental health facility or reproductive or sexual health facility to identify, track, collect data, or send notifications to a consumer regarding their health data.
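The geofencing prohibition is one of the few MODPA rules that can be checked mechanically: every marketing or analytics geofence an organization configures can be tested against the coordinates of protected facilities before it goes live. The following is an added example, not code from TrustArc or from the statute; it assumes circular geofences, uses the great-circle (haversine) distance, and the coordinates are constructed sample data. Note that the nearest point of a fence to a facility is its edge, not its center, so a large fence is caught even when its center is far away.

```python
"""Audit configured geofences against protected health-facility locations.
Added example for the MODPA 1,750-foot rule; coordinates are constructed."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_FT = 6_371_000 / 0.3048   # mean Earth radius, metres converted to feet
PROTECTED_BUFFER_FT = 1_750.0          # MODPA: no geofencing within 1,750 ft


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_ft: float   # circular fence radius (assumption: fences are circles)


@dataclass(frozen=True)
class Facility:
    name: str          # the facility list is itself sensitive; store it accordingly
    lat: float
    lon: float


def haversine_ft(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in feet."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_FT * asin(sqrt(a))


def edge_distance_ft(fence: Geofence, facility: Facility) -> float:
    """Distance from the facility to the nearest point of the fence (0 if inside it)."""
    return max(haversine_ft(fence.lat, fence.lon, facility.lat, facility.lon) - fence.radius_ft, 0.0)


def fence_violates(fence: Geofence, facility: Facility, buffer_ft: float = PROTECTED_BUFFER_FT) -> bool:
    """True if any part of the fence lies within buffer_ft of the facility."""
    return edge_distance_ft(fence, facility) <= buffer_ft


def audit_geofences(fences, facilities, buffer_ft: float = PROTECTED_BUFFER_FT):
    """Return (fence name, facility name, nearest-edge distance in ft) for every violation."""
    findings = []
    for fence in fences:
        for facility in facilities:
            if fence_violates(fence, facility, buffer_ft):
                findings.append((fence.name, facility.name, round(edge_distance_ft(fence, facility), 1)))
    return findings


# Constructed sample data. 0.005 degrees of latitude is about 1,824 ft.
SAMPLE_FACILITIES = [Facility("clinic-A (constructed)", 39.2904, -76.6122)]
SAMPLE_FENCES = [
    Geofence("pharmacy-promo", 39.2954, -76.6122, 500.0),   # edge ~1,324 ft away: violation
    Geofence("stadium-promo", 39.3104, -76.6122, 500.0),    # edge ~6,796 ft away: fine
    Geofence("downtown-wide", 39.3004, -76.6122, 3000.0),   # center ~3,648 ft, but edge ~648 ft: violation
]

if __name__ == "__main__":
    for finding in audit_geofences(SAMPLE_FENCES, SAMPLE_FACILITIES):
        print("VIOLATION", *finding)
```

Run it as a pre-deployment gate on the geofence configuration; a fence that is flagged should be shrunk or moved, and the facility list should be kept out of logs and analytics exports, since it reveals exactly the locations the statute protects.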

Sensitive and children information

As stated earlier, under MODPA, the sale of sensitive data is strictly prohibited in all circumstances and without exceptions. The law also imposes a strict requirement to minimize the collection and processing of sensitive information to only what is absolutely necessary to provide or maintain a specific product or service requested by the consumer. Sensitive information, as defined by the Act, includes children’s data, and the processing of this type of data is further restricted under MODPA.

The Act prohibits the sale of personal data, and the processing of personal data for targeted advertising, where the controller knew or should have known that the consumer is under 18, and provides no exception to this prohibition.

Notice of inconsistent data

MODPA includes new requirements for third parties that use or share consumers’ personal data in a way that doesn’t align with the promises made to consumers when their personal information was collected. Before implementing any new or changed practice, third parties must inform the affected consumers about it. This notice should be provided within a reasonable timeframe so that consumers can exercise their rights if they choose to do so.

Data Protection Assessments

Under the requirement to perform Data Protection Assessments (DPAs), MODPA includes an exhaustive list of the activities that present a heightened risk of harm to consumers. These activities are the sale of personal data, the processing of sensitive data, the processing of personal data for targeted advertising, and the use of profiling when it presents the reasonably foreseeable risks listed in the Act.

This differs from the approach taken by the U.S. state Consumer Privacy Acts enacted so far with DPA requirements, which include non-exhaustive lists encompassing these activities.

In line with the data minimization principle, controllers must weigh the necessity and proportionality of processing in relation to its purpose. Additionally, the Act requires performing and documenting, on a regular basis, a DPA for each algorithm used during processing activities that pose a heightened risk of harm to consumers.

Other requirements

The Act incorporates several additional details that strengthen the consumer protections established by laws in other US states. These details include:

  • A 30-day deadline for organizations to stop processing personal information after a consumer has withdrawn consent; Maryland is the only state that has established such a deadline.
  • A prohibition on collecting, processing, or transferring publicly available data in a manner that unlawfully discriminates in, or otherwise makes unavailable, the equal enjoyment of goods or services on the basis of discriminatory biases, unless exceptions apply.

Additionally, the Act does not include private rights of action. However, it states that consumers can pursue any other remedy provided by law.

Adapting to MODPA: Key considerations for businesses and consumers in the evolving privacy landscape

The Maryland Online Data Privacy Act represents a significant advancement in safeguarding consumer privacy in today’s rapidly changing digital landscape. Its unique requirements push businesses to proactively adapt to evolving privacy laws. By understanding the key elements of MODPA, all stakeholders can effectively navigate the complexities of online data privacy, thereby promoting a more secure and empowered digital environment for all.

One crucial consideration when preparing for MODPA is to determine whether your organization processes personal data that is subject to specific requirements or processing limitations under the Act, such as consumer health data, children’s information, or other sensitive data. This will help ascertain whether your organization needs to cease processing activities prohibited by the Act or must limit them.

Lastly, data minimization will be a significant issue in this state with its innovative and restrictive approach, as well as in other states like California, where regulators have already emphasized the importance of complying with this principle.
