The latest in US privacy regulations: A detailed look at state-level legislation updates

The landscape of data privacy laws in the United States is continually evolving, and staying up-to-date with the latest regulatory changes has become crucial for businesses. Despite the variances in state laws, there is a clear trend towards increased privacy regulations, which is a positive step for future improvements and potential federal privacy laws. Let’s take a closer look at the recent updates in US state-level privacy legislation, including bills to pay attention to in various states.

Iowa and Indiana have recently joined the ranks of states that have enacted comprehensive consumer online privacy laws, becoming the sixth and seventh states to do so; it is expected that other states will follow suit later this year. These new laws largely follow the Washington Privacy Act (WPA) model used by Colorado, Connecticut, and Virginia, and are considered to be weaker compared to California’s CCPA framework. 

The My Health, My Data Act, recently passed by the Washington state legislature, includes a provision for a private right of action that is similar to the Biometric Information Privacy Act (BIPA) enacted in Illinois. The Act provides broad definitions of health data and covered entities, which makes it a noteworthy development that may serve as a catalyst for similar legislation in other states.

In addition, Arkansas has joined Utah in implementing age-verification restrictions for social media use, while Montana has advanced a complete ban on TikTok, which is currently pending the Governor’s approval. Similar social media age-verification proposals are also gaining traction in other states like Ohio, Connecticut, and Minnesota. 

While some states have passed privacy legislation that is viewed as relatively weak and generic, it is still seen as a positive trend toward future improvement and increased pressure on Congress to establish higher standards for eventual Federal privacy laws. However, the current age-verification regulations are viewed as negative developments for online privacy and may face constitutional challenges in the future.

Data privacy is a pressing concern in today’s digital world, and as a result, various US states continue to propose privacy bills that could significantly impact the way sensitive data is handled, making these developments crucial for businesses. In this section, we provide an up-to-date list of the most recent privacy bill proposals covering a wide range of topics, including consumer data protection, disclosure and accountability requirements for personally identifiable information, and more.

• Georgia – GA HB798 – The Georgia Data Privacy Act.
• Hawaii – HI SB1110/HB1497, HI SB 974 – The Hawaii Consumer Data Protection Act.
• Illinois – IL HB3385 – The Illinois Data Privacy and Protection Act.
• Indiana – IN SB5, IN HB 1554 – A new article in the Indiana Code concerning consumer data protection, to take effect January 1, 2026.
• Iowa – IA House Study Bill 12  – An Act relating to consumer data protection, providing civil penalties, and including effective date provisions.
• Kentucky – KY S 15 – An Act relating to consumer data privacy.
• Maryland – MD HB807 – An Act Concerning Consumer Protection – Online and Biometric Data Privacy.
• Massachusetts – MA HD2281/SB745  – An Act to establish the Massachusetts data privacy protection act.
• Massachusetts – MA HD3263/SD1971 - An Act establishing the Massachusetts information privacy and security act.
• Mississippi – MS SB 2080 – The Mississippi Consumer Data Privacy Act.
• Minnesota – MN SF950 – A bill for an act relating to consumer data privacy, requiring a consumer’s consent prior to collecting personal information.
• Montana – MT DB1086 – An Act Establishing the Consumer Data Privacy Act.
• New Hampshire – NH SB255 – An Act relative to the consumer expectation of privacy.
• New York – NY S2277 – The Digital Fairness Act that requires any entity that conducts business in New York and maintains the personal information of 500 or more individuals to provide meaningful notice about their use of personal information; establishes unlawful discriminatory practices relating to targeted advertising.
• New York – NY SB365 – The New York privacy act that requires companies to disclose their methods of de-identifying personal information, to place special safeguards around data sharing, and to allow consumers to obtain the names of all entities with whom their information is shared.
• New York – NY SB3162 – An Act that grants a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
• New Jersey – NJ S 332 – An Act that requires commercial Internet websites and online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt out.
• New Jersey – NJ A505 – The New Jersey Disclosure and Accountability Transparency Act (NJ DaTA) that establishes certain requirements for the disclosure and processing of personally identifiable information; establishes the Office of Data Protection and Responsible Use in the Division of Consumer Affairs.
• Oklahoma – OK HB1030 – The Oklahoma Computer Data Privacy Act.
• Tennessee – TN SB73 – The Tennessee Information Protection Act.
• Pennsylvania – PA HB708 – An Act that provides for the protection of certain personal data of consumers; imposes duties on controllers and processors of personal data of consumers; provides for enforcement; prescribes penalties; and establishes the Consumer Privacy Fund.
• Washington – WA HB1616 – An Act that relates to creating a charter of people’s personal data rights.
• West Virginia – WV HB3453 – The West Virginia Consumer Data Protection Act.
• Vermont – VT HB121 – An act relating to enhancing consumer privacy.