What Florida Businesses Need to Know About New State Data Privacy Rules

By alphacardprocess September 14, 2025

With the introduction of new data privacy regulations in different states, companies must be proactive in their compliance efforts. The rules mandate companies to re-examine the way they gather, retain, and secure customer information. An understanding of the major requirements and adoption of best practices will help to prevent fines and keep customers’ trust intact.

Florida Digital Bill of Rights (FDBR): Key Highlights

Florida’s Digital Bill of Rights (FDBR), which goes into effect on January 1, 2025, mainly targets large tech companies with international revenues of over $1 billion. Even though it does not reach small businesses, the legislation is important because it addresses some contentious issues at the intersection of technology and privacy.

The legislation aims to check the power of large online platforms by fostering algorithmic transparency and by giving users of these platforms greater authority over what they see online. It also contains provisions that safeguard consumers from unjustified government surveillance and that compel platforms to make parental controls and algorithmic decision-making transparent.

The Growing Complexity of U.S. Data Privacy Laws


In contrast to the European Union’s General Data Protection Regulation (GDPR), which provides a single, defined standard for protecting data, the United States has taken a more fragmented path. After California enacted the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), other states began implementing their own data privacy acts.

By early 2025, 20 states will have implemented robust privacy laws, of which 14 are already effective, three will begin later this year, and a few others will come into effect in 2026. This state-by-state approach can make things tricky for businesses operating in multiple states, as each jurisdiction has its own set of rules.

Companies must stay on top of the latest updates to avoid non-compliance and potential penalties. For those navigating this complex landscape, it’s important to be aware of how these regulations differ, what steps you need to take to stay compliant, and how to manage the challenges of this evolving legal environment.

What This Means for Your Business

If your company does business or has customers or employees in states with new data privacy legislation, it is worth reviewing your privacy practices today. Begin by examining your data collection procedures: make sure you are transparent about what information you collect and why, and that you have obtained consent from consumers.

Also examine your data retention policies: how long are you holding onto consumer information, and are you retaining it only for as long as you need it? Check your data protection controls: are your security procedures current, and have you performed a risk assessment recently?

Finally, look at the individual rights these laws create: are you ready to process consumer requests such as access to their information or erasure? Although some laws apply only to companies above certain thresholds, others, such as Texas’s, lack such exemptions. It is therefore important to get ahead of the updates so that your business remains compliant.

Who Needs to Comply with Consumer Data Privacy Laws?


Consumer data privacy legislation is not only for brick-and-mortar businesses. In fact, it affects all types of businesses, particularly those that collect or process personal information. The legislation generally applies to businesses that exceed certain thresholds, such as processing the information of a set number of state residents or meeting certain revenue levels.

If your business is in, or does business with, a state that has its own data privacy act, you should reconsider how you process personal data. For instance, if you gather personal data through websites, use that data to generate income (for example, through targeted advertising), or process sensitive data such as biometric data, you need to pay very close attention. Every state has its own regulations, and the benchmarks for compliance will differ.

Tennessee, for example, mandates that firms generate at least $25 million in revenue, while Nebraska applies its law to any firm that is not defined as a “small business.”

In other states, firms are required to comply if they deal with between 10,000 and 175,000 consumer records. If any of these scenarios apply to your business, it’s time to review your data privacy practices and make sure you’re following the appropriate regulations for each state where you do business.

Key Compliance Obligations for Businesses

New state privacy regulations are introducing significant changes to how companies must manage data privacy. While the fundamental requirements, such as providing privacy notices, performing data protection assessments, and securing data, stay the same, companies must also watch for state-specific requirements in order to remain compliant in 2025.

Stricter data minimization requirements are also emerging, especially in Maryland. Their privacy law demands that businesses only collect data that is “reasonably necessary and proportionate” for the product or service offered. This means businesses can’t collect data for things like consumer research if it’s not directly tied to their product.

For sensitive personal information, such as health or biometric data or payment processing data, Maryland goes a step further by limiting collection to only what’s “strictly necessary” and prohibiting the sale of sensitive data altogether.

A new trend is the standardization of opt-out mechanisms. Delaware, Nebraska, and New Jersey are all trending toward universal opt-out mechanisms, so companies should be ready to embrace standardized approaches to respecting consumer privacy. This could involve technical guidance to make clear how opt-out mechanisms will function.

In terms of children’s privacy, new legislation treats data of minors under 13 as sensitive, and there are even stricter rules for data of minors aged 13 to 17. For example, in New Jersey, companies must obtain specific consent to process minors’ data for purposes such as targeted advertising. Maryland goes further and prohibits processing or selling the data of minors under 18 for targeted advertising.

Lastly, states such as Minnesota require that a Chief Privacy Officer (CPO) be appointed. Much as the GDPR does in the EU, this places responsibility for ensuring adherence to privacy legislation with a designated privacy officer. As these new laws come into effect, companies must keep themselves informed and adjust their privacy practices accordingly in order to stay compliant and safeguard consumer information.

Comprehensive Privacy Bills: Key Exemptions


Not all companies are subject to the same privacy rules. Certain organizations are exempt based on the type of information they handle or the industry they operate in. For instance, most states, with the exception of California, do not apply their privacy laws to employee information, so HR-related data is generally exempt.

Healthcare organizations are usually regulated under HIPAA, and most states provide exemptions for companies that handle healthcare data, although the specific rules differ by state. Companies in the financial services sector are governed by the Gramm-Leach-Bliley Act (GLBA), and the related state-level privacy exemptions are not the same from state to state.

Nonprofits are generally not subject to state privacy laws, but Colorado, Delaware, New Jersey, and Oregon do extend these laws to nonprofits, with varying application. If your company is in one of these categories, it’s important to know the exceptions that are relevant and ensure you are adhering to the pertinent laws.

Special Focus: Data Protection Impact Assessments


A Data Protection Impact Assessment, or DPIA, is a mechanism that helps firms recognize and address privacy risks before they begin using sensitive personal information in new ways. It is a checklist-style process for ensuring data is used securely and responsibly.

Most states currently mandate that businesses perform DPIAs when they engage in high-risk practices such as targeted advertising or selling personal data, where the processing could result in financial loss or discrimination.

It’s also required when handling sensitive data, such as health information or biometric data, in accordance with recommendations from bodies like the FTC. Conducting a DPIA benefits businesses by safeguarding customers’ privacy and preventing future problems.

Privacy Policy Statements

Most data privacy laws require companies to maintain a privacy policy that outlines how personal data is collected, used, and protected. Such policies must also tell consumers whether their personal data is shared with third parties, used for targeted advertising, or used for profiling.

For example, Oregon’s statute mandates that companies specifically state whether personal data is processed for advertising or profiling purposes. Likewise, companies subject to the Florida and Texas laws must add a special notice if they sell sensitive personal information, and it should read:

“NOTICE: We may sell your sensitive personal data.”

If the company processes biometric information, there should be an additional notice:

“NOTICE: We may sell your biometric personal data.”

Data Subject Rights

Consumer privacy laws also grant individuals a number of fundamental rights regarding their personal data. These rights generally comprise the right to know and view the data gathered, to correct any inaccuracies, to erase personal data, and to port data to another service (data portability).

Most laws, such as Oregon’s, provide consumers with the right to obtain a list of third parties to whom their data has been transmitted. Florida’s law also permits consumers to opt out of the collection or processing of sensitive information, such as information collected through voice or facial recognition features.

Definition of "Sensitive Data"


The definition of “sensitive data” is broad and can change according to the state. In general, sensitive data covers personal information that discloses a person’s racial or ethnic origin, religious beliefs, health status, sexual orientation, and so on. It also protects items such as genetic and biometric information that can be used to identify someone.

In a few states, sensitive information includes more specific categories, such as national origin, transgender or non-binary status, or even crime victim status. Oregon, for instance, includes these added categories in its definition of sensitive data, making it one of the strictest states when it comes to privacy.

As privacy regulations change, companies must make sure that their policies are aligned with these requirements and adequately disclose their practices so customers can easily comprehend how they are treating and safeguarding their information.

State Privacy Laws

Law: Effective Date

California Consumer Privacy Act: January 1, 2020
Virginia Consumer Data Protection Act: January 1, 2023
Colorado Privacy Act: July 1, 2023
Connecticut Data Privacy Act: July 1, 2023
Utah Consumer Privacy Act: December 31, 2023
Florida Digital Bill of Rights: July 1, 2024
Oregon Consumer Privacy Act: July 1, 2024
Texas Data Privacy and Security Act: July 1, 2024
Montana Consumer Data Privacy Act: October 1, 2024
Delaware Personal Data Privacy Act: January 1, 2025
Iowa Consumer Data Protection Act: January 1, 2025
Nebraska Data Privacy Act: January 1, 2025
New Hampshire Consumer Expectation of Privacy (NHCEP): January 1, 2025
New Jersey Data Privacy Act: January 15, 2025
Tennessee Information Protection Act: July 1, 2025
Minnesota Consumer Data Privacy Act: July 31, 2025
Maryland Online Data Privacy Act: October 1, 2025
Indiana Consumer Data Protection Act: January 1, 2026
Kentucky Consumer Data Protection Act: January 1, 2026
Rhode Island Data Transparency and Privacy Protection Act: January 1, 2026

Conclusion

As state data privacy regulations continue to change, staying current is key to safeguarding your company and your customers. Review your data practices, refresh your policies, and educate employees, and you will be equipped to handle the regulations with confidence.

FAQs

What is the Florida Digital Bill of Rights?

The Florida Digital Bill of Rights (FDBR) is a new state law that seeks to regulate Big Tech firms. It addresses concerns such as algorithmic transparency and prohibiting warrantless government surveillance.

When does the Florida Digital Bill of Rights take effect?

The Florida Digital Bill of Rights took effect on January 1, 2025.

Who does the Florida Digital Bill of Rights cover?

The legislation aims at Big Tech with more than $1 billion in international revenue, with a focus on algorithmic control, parental rights, and digital surveillance.

What are the main elements of the Florida Digital Bill of Rights?

It mandates businesses to disclose algorithmic procedures and parental controls and prohibits warrantless government surveillance.

How does this law impact my business?

If you are based in Florida or work with major tech firms, reviewing your data privacy procedures and ensuring compliance with these new rules will be important to your business.