
US Data Protection

The document discusses the evolving landscape of U.S. privacy legislation as of 2025, highlighting the lack of a comprehensive federal law and the increasing number of state-level data protection laws. It outlines various state laws, their applicability, effective dates, and enforcement provisions, emphasizing the importance of compliance for businesses operating in multiple jurisdictions. The author, Ani Nozadze, is a Senior Regulatory Compliance Specialist with extensive experience in data protection and privacy law.

Uploaded by

t.norton

The Evolving State of U.S. Privacy: Navigating U.S. Data Protection Legislation in 2025

Author: Ani Nozadze
Senior Regulatory Compliance Specialist
Compliance & Risks

24 June, 2025

Further regulatory developments may have occurred after publication. To keep up-to-date with the latest compliance news, sign up to our newsletter

Table of Contents

01 About the Author
02 Unlocking Market Access
03 Introduction
04 Legislation in Force
05 Approved Legislation
06 Conclusion
07 Table with Effective Dates and ‘Notice and Cure’ Provision Details

01. About The Author

Ani Nozadze, Senior Regulatory Compliance Specialist, Compliance & Risks

Ani is a Senior Regulatory Compliance Specialist and Team Lead with over 10 years of experience working in various legal positions.

Ani has a particular interest in personal data protection and has previously managed a department at the Georgian Data Protection Authority. She keeps clients up to date on global regulatory developments with a special focus on privacy. Ani obtained her Bachelor's degree in Law from Tbilisi State University and also holds a Master of Laws degree in International Business Law from Central European University.

She is a qualified lawyer in Georgia, and with her native Georgian language, she is fluent in English and has intermediate knowledge of Russian.

02. Unlocking Market Access
At Compliance & Risks, we help you keep on top of global regulatory changes and their impact worldwide. We have the right technology, regulatory content and expertise to help you unlock market access, protect revenue and elevate the role of compliance.

Our solution includes:

● C2P: The most advanced product compliance and ESG compliance software on the market, helping you streamline your compliance process and unlock market access around the world.
● Regulatory Content: We provide the broadest and most comprehensive product compliance regulatory content on the market, monitoring 195+ countries, 20 industry sectors, 45 topics and 100,000+ regulatory sources.
● Ask our Experts: Direct access to our team of experts for support

Additionally, we offer:

✓ Market Access Services: Our Market Access team helps you understand your product compliance obligations by transforming regulations into actionable knowledge with tailored advice for you and your business.

Why choose C2P?

✓ Stay ahead of regulatory changes with the world's most comprehensive regulatory database
✓ Avoid delays with alerts of changes to regulations & requirements in real time
✓ Improve efficiency with powerful collaboration and workflow tools to keep compliance evidence up-to-date & live linked back to Regulations, Standards & Requirements

Contact us to speak to one of our team today to learn how you can simplify your regulatory compliance process.

For more information, please visit [Link]

Important Notice: All information provided by Compliance & Risks Limited and its contributing researchers in this report is provided for strategic and informational purposes only and should not be construed as company-specific legal compliance advice or counsel. Compliance & Risks Limited makes no representation whatsoever about the suitability of the information and services contained herein for resolving any question of law. Compliance & Risks Limited does not provide any legal services.
© 2025 Compliance & Risks Limited. All rights reserved
The European Union EU In Vitro Diagnostic Regulation 2017/7461 IVDR, became applicable on 26 May 2022 and
introduced important changes to the regulation of in vitro diagnostic medical devices IVDs across the EU.

03. Introduction
With the advancement of connected devices, smart products, and the development of artificial intelligence, the growing importance of privacy protection is undeniable.

As reported by the International Association of Privacy Professionals (IAPP), as of January 2025, data protection laws are in force in 144 countries, meaning that more than 80% of the world’s population is covered by some form of national privacy protection law.

While many jurisdictions follow the EU General Data Protection Regulation’s (GDPR) overarching model with some adjustments, the U.S. has not been successful in adopting a comprehensive federal consumer privacy law, despite some attempts. However, to fill the gap, more and more U.S. states are adopting statewide data protection legislation.

This whitepaper lists overarching data protection acts adopted by U.S. state legislatures, which affect personal data processing operations of companies established within, as well as outside, these states.

The whitepaper covers enacted bills, some of which have already entered into force, and others that take effect over the coming months/years.

Details are provided as to the applicability of the respective laws, their entry into force, the applicability of data protection impact assessment obligations and the existence of “Notice and Cure” provisions¹, if any.

¹ “Notice and Cure” provisions are important in terms of enforcement, as they allow data controllers/processors to remedy the violation within a certain time frame after being notified by the relevant authority about the alleged breach. If the violation is not cured within the period specified in the relevant provision, enforcement action may be initiated.
The European Union EU In Vitro Diagnostic Regulation 2017/7461 IVDR, became applicable on 26 May 2022 and
introduced important changes to the regulation of in vitro diagnostic medical devices IVDs across the EU.

04. Legislation in Force


California

California Consumer Privacy Act (CCPA) (amended by the California Privacy Rights Act (CPRA)) and California Consumer Privacy Act Regulations

CCPA, as amended, applies to for-profit entities that do business in California and satisfy at least one of the following thresholds:

● Have annual gross revenue in excess of USD 25,000,000 in the preceding year;
● Alone or in combination annually buy, sell or share personal information of 100,000 or more consumers or households; or
● Derive 50% or more of their annual revenues from selling or sharing consumers’ personal information.

Entry into force:
CCPA is in force since 1 January 2020; amended text in effect since 1 January 2023.

Enforcement:
30-day Notice of Violation and Right to Cure provision will remain in effect indefinitely for security breach violations.

Colorado

Colorado Privacy Act

Colorado Privacy Act (Senate Bill 21190) was approved on 7 July 2021.

It applies to data controllers that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado and satisfy one or both of the following thresholds:

● Control or process personal data of 100,000 or more consumers during a calendar year;
● Derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more consumers.

Entry into force:
In force since 1 July 2023; data protection assessment requirements apply to processing activities created or generated after 1 July 2023 and are not retroactive.

Enforcement:
60-day Notice of Violation and Right to Cure provision in effect until 1 January 2025.

Connecticut

Connecticut Personal Data Privacy and Online Monitoring Act

On 10 May 2022, the Connecticut Personal Data Privacy and Online Monitoring Act was approved (Senate Bill 6, Public Act No. 2215).

The Act applies to persons that conduct business in Connecticut or persons that produce products or services that are targeted to residents of Connecticut and that during the preceding calendar year:

● Controlled or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
● Controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

Entry into force:
In force since 1 July 2023; data protection assessment requirements apply to processing activities created or generated after 1 July 2023 and are not retroactive.

Enforcement:
60-day Notice of Violation and Right to Cure provision in effect until 31 December 2024; from 1 January 2025, the Attorney General may grant a controller or processor the opportunity to cure an alleged violation based on various considerations.

Delaware

Delaware Personal Data Privacy Act

House Bill 154, approved on 11 September 2023, establishes the Delaware Personal Data Privacy Act.

It applies to persons that conduct business in Delaware or produce products or services that are targeted to residents of Delaware, and that during the preceding calendar year:

● Controlled or processed personal data of not less than 35,000 residents of Delaware, excluding personal data controlled or processed solely to complete a payment transaction; or
● Controlled or processed personal data of not less than 10,000 Delaware residents and derived more than 20% of gross revenue from the sale of personal data.

Entry into force:
1 January 2025; data protection impact assessment requirements will apply to processing activities created or generated on or after 1 July 2025 and are not retroactive.

Enforcement:
60-day Notice of Violation and Right to Cure provision in effect until 31 December 2025; from 1 January 2026, the Attorney General may grant a controller or processor the opportunity to cure an alleged violation based on various considerations.

Iowa

Iowa Consumer Data Protection Act

On 28 March 2023, the Iowa Consumer Data Protection Act (Senate File 262) was approved.

It applies to persons that conduct business in Iowa or produce products or services that are targeted to consumers who are residents of Iowa, and that during a calendar year do either of the following:

● Control or process personal data of at least 100,000 consumers; or
● Control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

Entry into force:
1 January 2025.

Enforcement:
90-day Notice of Violation and Right to Cure provision will remain in effect indefinitely.

Montana

Montana Consumer Data Privacy Act

Approved on 19 May 2023, this Act (Senate Bill 384) applies to persons that conduct business in Montana or persons that produce products or services that are targeted to the residents of Montana, and:

● Control or process personal data of not less than 50,000 consumers, excluding personal data solely for the purpose of completing a payment transaction; or
● Control or process personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

Entry into force:
1 October 2024; data protection impact assessment requirements apply to processing activities created or generated after 1 January 2025 and are not retroactive.

Enforcement:
60-day Notice of Violation and Right to Cure provision in effect until 1 April 2026.

Nebraska

Nebraska Data Privacy Act

On 17 April 2024, the Nebraska Data Privacy Act was approved.

The Act applies to a person that:

● Conducts business in Nebraska or produces a product or service consumed by residents of Nebraska;
● Processes or engages in the sale of personal data; and
● Is not a small business as defined under the federal Small Business Act, except if such person engages in the sale of sensitive data without receiving prior consent from the consumer.

Entry into force:
1 January 2025.

Enforcement:
30-day Notice of Violation and Right to Cure provision will remain in effect indefinitely.

New Hampshire

An Act Relative to the Expectation of Privacy

The New Hampshire Act relative to the Expectation of Privacy (Senate Bill 255) was approved on 6 March 2024.

It applies to persons that conduct business in New Hampshire or produce a product or service targeted to residents of New Hampshire that during a one-year period:

● Controlled or processed personal data of 35,000 or more unique consumers, excluding solely for the purpose of completing a payment transaction; or
● Controlled or processed personal data of 10,000 or more unique consumers and derived more than 25% of their gross revenue from the sale of personal data.

Entry into force:
1 January 2025; data protection assessment requirements apply to processing activities created or generated after 1 July 2024 and are not retroactive.

Enforcement:
60-day Notice of Violation and Right to Cure provision mandatorily applies between 1 January and 31 December 2025; from 1 January 2026, it becomes optional and will depend on the decision of the Attorney General in each case.

New Jersey

An Act Concerning Online Services, Consumers, and Personal Data

Approved on 16 January 2024, this Act applies to controllers that conduct business in New Jersey or produce products or services that are targeted to the residents of New Jersey, and that during a calendar year either:

● Control or process personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
● Control or process personal data of at least 25,000 consumers and the controller derives revenue or receives a discount on the price of any goods or services from the sale of personal data.

Entry into force:
15 January 2025; data protection impact assessment requirements apply to processing activities involving personal data acquired on or after 15 January 2025.

Enforcement:
30-day Notice of Violation and Right to Cure provision in force until July 2026.

Oregon

An Act Relating to Protections for the Personal Data of Consumers

Adopted in July 2023, the scope of this Act applies to persons that conduct business in Oregon or that provide products or services to residents of Oregon and satisfy one of the following conditions during a calendar year:

● Control or process personal data of 100,000 or more consumers, except for the purpose of completing a payment transaction;
● Control or process personal data of 25,000 or more consumers while deriving 25% or more of their annual gross revenue from selling personal data.

Entry into force:
1 July 2024; data protection impact assessment requirements apply to processing activities occurring on and after 1 July 2024 and are not retroactive.

Enforcement:
30-day Notice of Violation and Right to Cure provision will be in force until 1 January 2026.

Texas

Texas Data Privacy and Security Act

Approved on 18 June 2023, the Texas Data Privacy and Security Act (House Bill 4) applies to a person that:

● Conducts business in Texas or produces a product or service consumed by the residents of Texas;
● Processes or engages in the sale of personal data; and
● Is not a small business as defined by the U.S. Small Business Administration.

Entry into force:
1 July 2024; data protection assessment requirements apply to processing activities created or generated after 1 July 2024 and are not retroactive.

Enforcement:
30-day Notice of Violation and Right to Cure provision without any sunset date.

Utah

Utah Consumer Privacy Act

Approved on 24 March 2022, Senate Bill 227 enacts the Utah Consumer Privacy Act, which applies to controllers or processors who cumulatively meet requirements (a), (b) and (c):

A. Conduct business in Utah or produce a product or service that is targeted to consumers who are Utah residents;
B. Have annual revenue of USD 25,000,000 or more; and
C. Satisfy one or more of the following thresholds:
   I. Control or process personal data of 100,000 or more consumers during a calendar year; or
   II. Derive over 50% of the entity’s gross revenue from the sale of personal data and control or process personal data of 25,000 or more consumers.

Entry into force:
In force since 31 December 2023.

Enforcement:
30-day Notice of Violation and Right to Cure provision does not have a sunset date.

Virginia

Virginia Consumer Data Protection Act

Virginia Consumer Data Protection Act was adopted in March 2021.

It applies to persons that conduct business in Virginia or produce products or services that are targeted to residents of Virginia and that:

● During a calendar year, control or process personal data of at least 100,000 consumers; or
● Control or process personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

Entry into force:
In force since 1 January 2023; data protection impact assessment obligation applies to processing activities created or generated after 1 July 2023 and is not retroactive.

Enforcement:
30-day Notice of Violation and Right to Cure provision is to remain in effect indefinitely.

The European Union EU In Vitro Diagnostic Regulation 2017/7461 IVDR, became applicable on 26 May 2022 and
introduced important changes to the regulation of in vitro diagnostic medical devices IVDs across the EU.

05. Approved Legislation

Tennessee

Tennessee Information Protection Act

The Tennessee Information Protection Act (House Bill 1181) was approved in May 2023. The Act applies to persons that conduct business in Tennessee producing products or services that are targeted to the residents of Tennessee, and that:

● Exceed USD 25,000,000 in revenue; and
● (a) Control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information; or
  (b) During a calendar year, control or process personal information of at least 175,000 consumers.

Entry into force:
1 July 2025; data protection impact assessment requirement applies to processing activities created or generated after 1 July 2024 and is not retroactive.

Enforcement:
60-day Notice of Violation and Right to Cure provision is to remain in effect indefinitely.

Minnesota

Minnesota Consumer Data Privacy Act

Minnesota Consumer Data Privacy Act (Chapter 121, 2024; HF 4757) was signed into law on 24 May 2024.

The Act applies to legal entities that conduct business in Minnesota or produce products or services targeted to residents of Minnesota, and that satisfy one or more of these thresholds:

● During a calendar year, controls or processes personal data of 100,000 or more consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
● Derives over 25% of gross revenue from the sale of personal data and processes or controls personal data of 25,000 or more consumers.

Entry into force:
31 July 2025

Enforcement:
30-day Notice of Violation and Right to Cure provision in effect until 31 January 2026.

Maryland

Maryland Online Data Privacy Act

Maryland Online Data Privacy Act (Senate Bill 541) was approved on 9 May 2024.

The Act applies to a person that conducts business in Maryland or provides products or services that are targeted to residents of Maryland, and that during the preceding calendar year met any of the following thresholds:

● Controlled or processed the personal data of at least 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
● Controlled or processed the personal data of at least 10,000 consumers and derived more than 20% of its gross revenue from the sale of personal data.

Entry into force:
1 October 2025

Enforcement:
Although the Act takes effect on 1 October 2025, it will not have “effect on or application to any personal data processing activities” before 1 April 2026; 60-day Notice of Violation and Right to Cure provision in effect until 1 April 2027.

Indiana

Indiana Consumer Data Protection Act

Approved on 1 May 2023, the Indiana Consumer Data Protection Act (Senate Bill 5, Public Law 94) applies to a person that conducts business in Indiana or produces products or services that are targeted to residents of Indiana, and that during a calendar year:

● Controls or processes personal data of at least 100,000 Indiana residents; or
● Controls or processes personal data of at least 25,000 Indiana residents and derives more than 50% of gross revenue from the sale of personal data.

Entry into force:
1 January 2026; data protection impact assessment requirements will apply to processing activities created or generated after 31 December 2025 and are not retroactive to processing activities created or generated before 1 January 2026.

Enforcement:
30-day Notice of Violation and Right to Cure provision does not have a sunset date and is to remain in effect indefinitely.

Kentucky

Kentucky Consumer Data Protection Act

Approved in April 2024, the Kentucky Consumer Data Protection Act (House Bill 15) applies to persons that conduct business in Kentucky or produce products or services that are targeted to residents of Kentucky and that during a calendar year control or process personal data of at least:

● 100,000 consumers; or
● 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

Entry into force:
1 January 2026; data protection assessment requirements will apply to processing activities created or generated on or after 1 June 2026.

Enforcement:
30-day Notice of Violation and Right to Cure provision does not have a sunset date.

Rhode Island

Rhode Island Data Transparency and Privacy Protection Act

This Act (House Bill 7787) became law in June 2024 as per legislative rules in the state of Rhode Island.

It applies to controllers (those who determine the purpose and means of personal data processing) that conduct business in Rhode Island or produce products or services targeted to Rhode Island residents and that during the preceding calendar year met at least one of the following thresholds:

● Controlled or processed personal data of not less than 35,000 customers (excluding data controlled or processed solely for completing payment transactions);
● Controlled or processed personal data of not less than 10,000 customers and derived more than 20% of their gross revenue from the sale of personal data.

Entry into force:
1 January 2026; data protection assessment requirements will apply to processing activities created or generated after 1 January 2026 and are not retroactive.

Enforcement:
No “Notice and Cure” provision in the Act.

06. Conclusion
Personal data protection legislation impacts a variety of sectors and products, and in recent years the U.S. states have been quite active in proposing overarching privacy bills.

There have been attempts to adopt federal privacy legislation (e.g., H.R.8152 - the American Data Privacy and Protection Act (ADPPA) proposed in 2022, and the discussions around the draft American Privacy Rights Act (APRA) of 2024). However, in the absence of a comprehensive federal privacy act, the states are taking the lead in regulating consumer privacy protection.

With thirteen state privacy laws in effect as of the date of publication of this whitepaper, three coming into force in 2024 and nine taking effect over 2025-2026, companies falling under the scope of the respective legislation should make efforts to ensure compliance to avoid not only enforcement action and potential penalties, but also reputational risks.

It is worth noting that, other than omnibus bills, there has been an increasing number of industry-specific or relatively narrowly scoped bills proposed and adopted in various U.S. states, which are not discussed in this whitepaper.

We monitor U.S. regulatory developments on the federal as well as state level on a daily basis, and capture regulatory updates in C2P, our corporate compliance platform.

Want to find out how you can stay ahead of your Data Protection compliance obligations in the U.S. and beyond? Start a conversation now!

07. Table with Effective Dates and ‘Notice and Cure’ Provision Details

| Name of the law | Entry into force date | ‘Notice and Cure’ provision |
|---|---|---|
| California Consumer Privacy Act (CCPA) | 1 Jan 2020 | For security breach notifications. 30 days. |
| Virginia Consumer Data Protection Act | 1 Jan 2023 | 30 days. |
| Colorado Privacy Act | 1 Jul 2023 | 60 days until 1 Jan 2025. |
| Connecticut Personal Data Privacy and Online Monitoring Act | 1 Jul 2023 | 60 days until 31 Dec 2024; from 1 Jan 2025, up to AG to decide. |
| Utah Consumer Privacy Act | 31 Dec 2023 | 30 days. |
| Oregon Act Relating to Protections for the Personal Data of Consumers | 1 Jul 2024 | 30 days until 1 Jan 2026. |
| Texas Data Privacy and Security Act | 1 Jul 2024 | 30 days. |
| Montana Consumer Data Privacy Act | 1 Oct 2024 | 60 days until 1 Apr 2026. |
| Delaware Personal Data Privacy Act | 1 Jan 2025 | 60 days until 31 Dec 2025; from 1 Jan 2026, up to AG to decide. |
| Iowa Consumer Data Protection Act | 1 Jan 2025 | 90 days. |
| Nebraska Data Privacy Act | 1 Jan 2025 | 30 days. |
| New Hampshire Act relative to the Expectation of Privacy | 1 Jan 2025 | 60 days until 31 Dec 2025; from 1 Jan 2026, up to AG to decide. |
| New Jersey Act Concerning Online Services, Consumers, and Personal Data | 15 Jan 2025 | 30 days until July 2026. |
| Tennessee Information Protection Act | 1 Jul 2025 | 60 days. |
| Minnesota Consumer Data Privacy Act | 31 Jul 2025 | 30 days until 31 Jan 2026. |
| Maryland Online Data Privacy Act | 1 Oct 2025 (will not have “effect on or application to any personal data processing activities” before 1 April 2026) | 60 days until 1 Apr 2027. |
| Indiana Consumer Data Protection Act | 1 Jan 2026 | 30 days. |
| Kentucky Consumer Data Protection Act | 1 Jan 2026 | 30 days. |
| Rhode Island Data Transparency and Privacy Protection Act | 1 Jan 2026 | None. |