New state omnibus privacy laws becoming effective in the next six months include quirks when compared with the typical trends in such laws. Amendments to existing privacy laws and a wave of regulatory proposals add another layer of complexity to the regulatory environment nationwide.
Businesses will need to level up their privacy compliance programs to satisfy the novel requirements imposed by these laws. Other than these notable provisions, the state laws becoming effective in the next six months are largely consistent with existing laws, which is good news for organizations that are already compliant.
Maryland’s 2025 Law: Data Minimization and Impact Assessments
Maryland’s omnibus privacy law, effective October 1, 2025, requires a data protection assessment for any processing that poses a “heightened risk” to consumers (including sales, targeted advertising, sensitive data, and profiling that presents certain reasonably foreseeable effects). This includes a required assessment for each algorithm used. The law also imposes a strict data minimization standard not seen in other states.
The law requires that personal data collection be limited to what is “reasonably necessary and proportionate” for a specific product or service requested by the consumer. This provision has raised questions about companies’ ability to make secondary uses of data or to use third-party data, even if disclosed in privacy policies. The law also restricts sensitive data collection and processing to “strictly necessary” purposes and flatly bans sales of such data, including precise geolocation data.
Rhode Island’s 2026 Law: Third Party Disclosure Requirements
Rhode Island’s privacy law, effective January 1, 2026, contains a unique disclosure requirement. Controllers of commercial websites or internet service providers that collect, store, and sell “personally identifiable information” must publicly identify all third parties to whom such information has been or may be sold. The disclosure may appear in a customer agreement, an addendum, or a conspicuous online location. Notably, the law does not define personally identifiable information or provide an explicit trade secrets exemption to this obligation, unlike similar requirements elsewhere.
Amendments Alter Compliance Obligations
Montana, Connecticut, and Oregon enacted notable amendments to their omnibus privacy laws in 2025, including some obligations that are outliers among state laws.
Montana’s privacy law amendment, effective October 1, 2025:
- Lowers applicability thresholds
- Creates a novel definition for “heightened risk of harm to minors,” impacting existing assessment and duty of care requirements under the law
- Eliminates the cure period, among other changes
Connecticut’s privacy law amendment, effective July 1, 2026, alters applicability thresholds and creates impact assessment obligations for profiling that results in legal or similarly significant effects on consumers. These obligations are comparable to the outlier requirements for profiling impact assessments contained in Minnesota’s privacy law. The Connecticut amendment, unlike any other omnibus state law, also requires privacy policies to disclose whether a controller collects, uses, or sells personal data for training large language models.
An Oregon privacy law amendment, effective January 1, 2026, bans the sale of precise geolocation data, making Oregon the second state after Maryland to do so.
States Continue to Pursue Rulemaking Efforts
Regulatory initiatives in various states are adding complexity as authorities use rulemaking to adopt requirements that do not exist in other states. The California Privacy Protection Agency (CPPA) developed new regulations for automated decision-making technology, privacy risk assessments, cybersecurity audits, and insurance companies, while also revising existing rules.
The new and revised rules will take effect on January 1, 2026, if filed with the California secretary of state by the end of November. The CPPA is also advancing regulations to stand up a centralized deletion mechanism under the California Delete Act, intended to enable consumers to submit deletion requests to all registered data brokers through a single, state-run portal beginning in January 2026.
Colorado has launched a pre-rulemaking effort focused on minors’ privacy. In July, the Colorado attorney general solicited public input on topics such as willful disregard of a minor’s age, age verification processes, and system design features that may extend a minor’s use of digital services.
New Jersey, meanwhile, is moving forward with implementing its comprehensive privacy law, the New Jersey Data Protection Act. In June, the state’s Division of Consumer Affairs released draft regulations that would impose heightened transparency requirements on controllers and mandate affirmative consent before personal data is used to train artificial intelligence systems.
Act Now to Stay Ahead of Evolving State Privacy Requirements
Developments in 2025 highlight a clear trend: state privacy obligations continue to become more complex and varied. Organizations handling personal data across jurisdictions should take proactive steps to adapt to new requirements as they emerge.
To navigate this changing landscape, companies should:
- Stay abreast of key changes in state laws, including amendments and rulemakings
- Review and revise privacy policies to reflect current requirements
- Evaluate and update internal compliance programs regularly
- Engage in strategic planning to align privacy practices with evolving laws
- Test to ensure that consumer rights requests, including all opt-out tools, are functioning
Our dedicated Privacy and Data Security team is here to support your compliance journey with tailored assessments, policy guidance, and strategic advice. Contact the authors to ensure your organization is prepared.