Jul. 2, 2025

State Privacy Law in 2025: Eight Practical Articles for Navigating the Compliance Landscape

With eight new state privacy laws taking effect in 2025, and the introduction of amendments to existing laws, the U.S. privacy landscape continues its rapid evolution in the absence of a federal framework. For legal counsel and compliance professionals, it is a challenge to operationalize compliance across jurisdictions with diverging definitions, rights and enforcement mechanisms. This retrospective roundup curates a selection of the Cybersecurity Law Report’s 2025 content that addresses the complexities of managing state privacy law developments and offers lessons from key regulatory settlements. Topics include cookie compliance, handling sensitive data classifications that now include neural and biometric data, and integrating universal opt-out mechanisms across multiple states.

Saddling Up for Montana’s Broad Privacy Law Update

In May 2025, Montana’s Legislature introduced the broadest state privacy law amendment enacted this year. Montana is the first state to impose its requirements for protecting minors on all companies, regardless of size, and the fourth state to apply its privacy law to regulated financial companies. State officials made multiple changes that signal seriousness about enforcing the privacy law, including hiking penalties and boosting multiple requirements to the strictest standard among states. Enforcement starts in October 2025. This article discussed the amendment’s top impacts, highlighted open questions, and provided practical analysis and concrete considerations for companies, with insights from experts at BakerHostetler; Ballard Spahr; Bass, Berry & Sims; Business Software Alliance; and Miller Nash.

Cookie Compliance Lessons From the Todd Snyder Settlement

Clothing retailer Todd Snyder agreed to pay $345,178 and modify its CCPA compliance program to resolve an enforcement action brought by the California Privacy Protection Agency (CPPA). The CPPA targeted the company’s consumer opt-out settings and unlawful methods for verifying opt-out requests – issues that mirror those seen in other recent cases and state enforcement updates. This article, with insights from Kelley Drye, Manatt, Clark Hill and Baker McKenzie partners, examined the allegations and settlement terms in the Todd Snyder case, discussed CPPA enforcement themes, and offered compliance lessons from the case and other recent developments.

Texas AG’s Billion-Dollar Settlement With Google Highlights Biometric Data Use Compliance Considerations

Make room, Biometric Information Privacy Act. In May 2025, the Texas AG used the state’s biometric law (CUBI) to help secure a $1.375‑billion settlement with Google, resolving two privacy complaints centered on the tech giant’s use of individuals’ biometric, geolocation and incognito-mode search data. CUBI allows $25,000 in damages per violation. The settlement, which echoes the billion-dollar settlement with Meta in 2024, highlights the AG’s broad interpretation of CUBI’s provisions. With insights from experts at Baker Botts, Blank Rome, Carter Ledyard & Milburn and Haynes Boone, this article examined the circumstances surrounding the settlement, offered four biometric law compliance considerations, and discussed regulatory and litigation risk factors highlighted by the case.

Compliance Takeaways From the CPPA’s Enforcement Action Against Honda

The California Privacy Protection Agency (CPPA) flexed its CCPA enforcement muscle in March 2025 when it entered into a stipulated settlement (Order) with American Honda Motor Co. The CPPA’s inaugural enforcement action, which required the automobile distributor to pay a $632,500 fine, signaled the agency’s stance on CCPA compliance – one that balances a strict reading of the statute with, perhaps, a more practical focus on readily provable violations. This article, with insights from Kelley Drye & Warren, Manatt and ZwillGen, examined the Order and its implications, evaluated the CPPA’s enforcement approach and offered practical compliance lessons for companies.

Connecticut AG’s Report Reveals Privacy Enforcers Reaching Deeper Into Their State Laws

State privacy enforcement is maturing beyond the policing of privacy notices. The Connecticut AG’s April 2025 enforcement report (Report) details the office’s compliance expectations and enforcement priorities that go beyond the privacy notice to other issues, including those around opt-out rights and cookie banners. The Report also proposed changes to the law, many of which were in an amendment that passed in early June 2025. The proposal also provided a snapshot of harmonization efforts by enforcers in seven states, who announced a coalition one day before the Report’s release. This article analyzed the Report’s extended criticism of companies’ performances in breach reporting, drafting of privacy notices and possible use of dark patterns in their opt-out mechanisms, with comments from privacy leaders in Connecticut’s and Oregon’s AG offices and insights from experts at Cooley, Holland & Knight, Manatt and Orrick.

California’s Delete Act Enforcement Sweep Takeaways

Since the California Privacy Protection Agency (CPPA) announced an enforcement sweep in October 2024, it has settled a handful of actions with data brokers for violating the Delete Act. The cases have focused on data brokers’ failures to register with the state and pay the required annual fee. This article, with input from Ben Isaacson, a principal at In‑House Privacy, Inc., and Julie Rubash, GC and CPO at Sourcepoint, assessed commonalities in the CPPA’s Delete Act settlements, identified takeaways for data brokers, and offered advice on preparing to comply with Data Broker Requests and Opt-Out Platform requirements.

Navigating Global Privacy Control’s Not-So-Simple Implementation

Before the end of 2025, 10 states will require websites to honor consumers’ requests, broadcast through the global privacy control (GPC) or a similar universal opt-out mechanism, to opt out of all sharing of their personal data. GPC, a browser-based setting for consumers to automatically opt out, is said to be simple for consumers to use, simple for companies to implement and simple for regulators to check. But it turns out to have several complexities for companies, underscored by a study of 11,000 sites revealing that many of them did not translate GPC into opt-out signals. This article went behind the study’s findings and looked at GPC’s pitfalls, including misconfigurations, privacy signal system glitches, the ease of consent fraud and issues in due diligence, with insights from an original developer of GPC and experts at Moritt Hock, Neal Gerber & Eisenberg, the Network Advertising Initiative, Orrick and Raptive.

Data Clean Rooms and De-Identified Data Are Among Concerns in Navigating State Privacy Laws

Organizations may incorrectly believe they can avoid compliance with state data privacy laws by de-identifying data or running it through so-called “data clean rooms” (DCRs), according to the speakers at a program dissecting the results of the 2025 State Privacy Law Survey by the Interactive Advertising Bureau (IAB). In addition to DCRs and de-identification, the survey also assessed privacy professionals’ views on, and experiences with, inferring sensitive PI, private suits under wiretapping statutes, treatment of minors’ data, data minimization, issues involving consent and disclosures, and third-party due diligence. This article synthesized the associated survey findings and related insights from industry experts at Frankfurt Kurnit Klein & Selz, IAB, Kelley Drye & Warren, and Ketch.