U.S. Privacy and Data Protection Updates | Insights | Q1 2025 (State Law)

The United States continues to see exponential growth in privacy and data protection laws, and while we are already three months into 2025, businesses and privacy professionals should continue to anticipate incoming privacy and security laws; some are already in effect and others are soon to become enforceable.

State Privacy Law Updates

Comprehensive state privacy laws are already existing in California, Virginia, Connecticut, Colorado, Utah, Texas, Montana, Nevada, Oregon, Delaware, Iowa, Nebraska, New Hampshire, and New Jersey. There are also industry or topic specific privacy laws and legislation in various states, including Illinois, Vermont, Florida, and on issues like biometrics, data brokers, and AI.

Moreover, states that have laws that will be effective later in 2025 or 2026 include: Tennessee, Minnesota, Maryland, Indiana, Kentucky, and Rhode Island.

For data brokers in particular, both California and Vermont have data broker registration updates in 2025, with the California Privacy Protection Agency (CPPA) requiring annual registration by January 31st and reporting of certain privacy metrics by July 1st (with other requirements in 2026), and Vermont's House Bill 211 that would mandate registration with the Secretary of State. Texas and other states also have privacy laws that impact data brokers.

In addition, companies using automated decision-making technology (ADMT), which may include artificial intelligence, processing sensitive data, or collecting or using data certain ways (including data “sales” or “sharing”) should take note of California’s rulemaking efforts involving risk assessments, ADMT notices, and cybersecurity audits (see our prior blog post here).

State Enforcement Trends and Texas Examples

States are cracking down and enforcing these privacy laws, with no intention in slowing down.

For example, the California Attorney General and CPPA have been enforcing the California Consumer Protection Act (CCPA) through public and private investigations and actions.

Furthermore, Texas has established a privacy enforcement team within the Consumer Protection Division of the Texas Attorney General. Their sole objective is to enforce Texas’ privacy laws such as:

• The Texas Data Privacy and Security Act (TDPSA)

• The Texas Data Broker Act

• The Capture or Use of Biometric Identifier Act (CUBI)

Some notable enforceable actions from Texas include:

• A $1.4 billion settlement with Meta over its alleged unauthorized capture of biometric data, which was the largest settlement to date brought by an individual U.S. state

• A lawsuit against General Motors involving claims of unlawfully collecting and selling the private driving data of over 1.5 million Texans without their consent.

• Notifying over one hundred companies that they showed purported failure to comply with the Texas Data Broker Law and lacked measures to protect data of consumers.

• A legal action against Allstate and its subsidiary, Arity, for allegedly unlawfully collecting and selling sensitive geolocation and behavioral data from 45 over million consumers through disguised and integrated software to insurance companies.

Conclusion

As shown by proactive enforcement actions, businesses should not underestimate how critical it is to stay up to date and maintain their data compliance measures. There seems to be no indication that California, Texas, and others will be slowing down efforts and interest in taking legal action.

Kronenberger Rosenfeld, LLP regularly advises clients regarding data and privacy compliance. Contact our firm using our online case submission form.