Advertising Law Tool Kit 13th Edition 2025

Venable

Privacy and Data Security — State Privacy Laws

Kelly DeMarchis Bastide kabastide@Venable.com
Julia Tama jktama@Venable.com
Katelyn R. Asmus krasmus@Venable.com
Tara Sugiyama Potashnik tspotashnik@Venable.com

State privacy laws continue to evolve rapidly, challenging businesses to keep pace. In 2024, new omnibus privacy laws went into effect in Florida, Montana, Oregon, and Texas, while seven additional states enacted similar laws. Eight omnibus state privacy laws will come into effect in 2025—in Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee. Along with existing laws in California, Colorado, Connecticut, Utah, and Virginia, businesses should be prepared to comply with up to 17 comprehensive state privacy laws in 2025, with more laws slated to come into force in 2026.

To date, all such laws draw inspiration from both the first comprehensive state privacy law—the California Consumer Privacy Act (CCPA)—and the European Union General Data Protection Regulation (GDPR). For example, all of the state laws give individuals certain rights with respect to “personal information” or “personal data” that “businesses” or “controllers” maintain about them. Similarly, all of the laws impose certain obligations related to “service providers” or “processors.”

However, the state privacy laws differ from the CCPA, GDPR, and each other in a range of ways. For instance, while all of the state omnibus laws have requirements related to “sensitive” personal data, the specific requirements and the types of data considered to be “sensitive” vary. Additionally, while the CCPA and GDPR can apply to personal data collected in an employment context, other laws exclude such data. Variation among state privacy laws is increasing as states continue to enact both omnibus statutes and more targeted measures focused on areas like health data, children and teens, and social media.

The first step is to assess what laws, if any, apply to your business. Smaller businesses are generally exempt. The thresholds for being subject to the state laws vary, and businesses may be subject to some laws but not others, depending on practices. Businesses subject to one or more laws should then take steps to drive compliance. Experienced privacy counsel can help businesses to develop a practical compliance program that harmonizes many different laws.

The following steps will help your business to comply with state privacy laws effective in 2025:

• Determine which, if any, of the laws going into effect will apply, given your business’s size and practices. To be subject to such laws, a business typically must do business in the state, control or process personal data about consumers in such state, and meet certain thresholds relating to revenue and/or data processing activities.
• Assess your practices regarding personal data collection, use, and disclosure, noting exemptions that may apply. For example, pseudonymous data (like device identifiers) faces more limited requirements in many states.
• Create or update your data map. Consider assessing processing purposes to help comply with new data minimization requirements in Maryland.
• Conduct a gap analysis to determine whether your practices meet the requirements of applicable laws, then develop a compliance checklist based on the gaps identified. For instance, health data may be subject to new obligations.
• As applicable, ensure that your compliance strategy aligns with regulations issued under the Colorado Privacy Act and the CCPA, and keep an eye on ongoing rulemaking developments in these states.
• Conduct written data protection impact assessments if your business engages in activities that require such assessments, like sales or targeted advertising.
• Determine what categories of sensitive data are collected. If sensitive data is collected in states that require opt‑in consent to process such data (e.g., CO, CT, DE, FL, MD, MN, MT, NE, NH, NJ, OR, TN, TX, VA), develop and implement processes to comply. Implement opt‑out rights relating to sensitive data in CA, IA, and UT.
• Review your privacy policy to meet state privacy law requirements. Create internal policies to document your compliance processes.
