U.S. Privacy Laws Update

U.S. Privacy Laws – Recent Updates

The U.S. state privacy landscape continues to evolve quickly, with 2025 and 2026 bringing new statutes, amendments, and regulations that reshape what businesses must do to comply. A summary of some of the notable developments is below, with a focus on requirements that may deviate from the “standard” obligations that already exist under the majority of state comprehensive privacy laws.

1) Formalized Governance and Recordkeeping Requirements in Minnesota

The Minnesota Consumer Data Privacy Act took effect on July 31, 2025, and includes more robust governance and recordkeeping requirements than other state comprehensive privacy laws. For example, businesses subject to the law must document and maintain a description of the policies and procedures that have been put in place for compliance with Minnesota’s law. This includes data inventories, data subject request procedures, security policies, data retention policies, and data minimization policies. Covered businesses must also appoint an individual with primary responsibility for privacy compliance, such as a Chief Privacy Officer.

Subject to certain exclusions, the Minnesota Consumer Data Privacy Act applies to entities doing business in Minnesota that either: (i) control or process personal data of at least 100,000 Minnesota consumers in a calendar year, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (ii) control or process personal data of at least 25,000 Minnesota consumers and derive more than 25% of their gross revenue from the “sale” of personal data. In Minnesota, a “sale” is defined to include exchanges of personal data for monetary or other valuable consideration.

2) Right to Question Profiling Outcomes

Under the Minnesota Consumer Data Privacy Act and recent amendments to the Connecticut Data Privacy Act, which will go into effect on July 1, 2026, consumers have a right to question the result of profiling used for automated decisions that have legal or similarly significant effects. Additional rights may also include the right to be informed of the reason the profiling resulted in a particular decision, actions that the consumer could have taken that would have resulted in a different outcome (and what steps could be taken in the future to reach a different result), and a review of data used.

In other states, such as California and Colorado, consumers also have rights to obtain specific information relating to the use of certain automated decision-making tools. For example, regulations issued pursuant to the Colorado Privacy Act require controllers involved in certain types of profiling to disclose clear information about the logic used in the profiling process and the role of any human involvement.

3) Requirement to Disclose List of Third-Party Data Recipients

Minnesota joined Oregon this year in requiring controllers to provide requesting consumers with a list of specific third parties who have received personal data. Controllers may choose whether that list is tailored to the requesting consumer or is a global list of all third-party recipients. Connecticut’s amendments also address this requirement, but limit the disclosure obligation to only a list of the third parties to whom the controller has sold the consumer’s personal data. All three laws include an exception for the protection of trade secrets.

4) Stronger Protections for Children’s Data

Numerous state comprehensive privacy laws now include heightened protections for data relating to children, particularly with respect to targeted advertising and “sales” of personal data. For example, Maryland’s Online Data Privacy Act, which took effect October 1, 2025, prohibits targeted advertising to an individual who the controller “knows or should know” is under the age of 18, regardless of whether the minor has provided consent. Connecticut’s amendments similarly set bright lines for targeted advertising to minors and sale of minors’ data, with no consent workaround, effective July 1, 2026. These requirements are stricter than requirements in other states that permit targeted advertising to children with opt-in consent.

In addition, Colorado’s recent amendments to the Colorado Privacy Act, which took effect on October 1, 2025, impose additional requirements on controllers that target online services to an individual whom the controller knows or willfully disregards is under the age of 18. These obligations, which apply regardless of whether a business meets the volume thresholds for broader application of the Colorado Privacy Act, include requirements to avoid heightened risks of harm to minors, and require opt-in consent for targeted advertising, “sales” of personal data, and profiling in furtherance of decisions that produce legal or similarly significant consequences.

5) Maryland’s Strict Purpose Limitation

Under the Maryland Online Data Privacy Act, controllers must limit their collection of personal data only to what is reasonably necessary and proportionate to provide or maintain a specific service or product requested by the consumer. This language may narrow secondary uses, particularly concerning advertising, analytics, R&D, and model training that are not essential to the consumer’s requested product or service.

7) Connecticut’s LLM Training Disclosure

By July 1, 2026, controllers subject to the Connecticut Data Privacy Act must state in their privacy notices whether they collect, use, or sell personal data for training large language models. This is broad and not limited to “high risk” AI or solely automated decisions. Companies that rely on vendors for model development should assess whether vendor processing uses personal data for training and ensure the controller’s disclosures remain accurate.

8) California’s Annual Cybersecurity Audits

The California Privacy Protection Agency (CPPA) recently finalized regulations related to requirements under the California Consumer Privacy Act to conduct annual cybersecurity audits completed by a “qualified, objective, independent professional.” Phased compliance for submitting a written certification of completion of the audit to the CPPA is based upon revenue and will begin April 1, 2028.

Takeaway for Businesses

As state privacy laws continue to diverge, the compliance landscape is becoming increasingly nuanced and complex. Businesses operating across multiple jurisdictions will need to track these emerging requirements closely—particularly as states introduce new governance standards, expand consumer rights, and impose unique obligations related to data use, AI, and minors. Companies that proactively update their privacy programs, data mapping, and disclosures to account for these differences will be best positioned to stay compliant and build trust with consumers in this evolving regulatory environment.

Erin Locker is a commercial partner whose practice focuses on privacy, cybersecurity and data protection. She helps companies at every stage navigate the rapidly evolving landscape of global privacy regulation and develop strategic approaches to compliance. Erin counsels clients on a range of data privacy and protection issues involving product design and development, digital marketing and advertising, compliance programs, and data licensing transactions.
