Whose data is it anyway?
The ubiquitous cookie banner has become the defining symbol of our digital privacy reckoning. Since Europe's General Data Protection Regulation (GDPR) came into force in 2018, cookie banners have become an integral part of the digital user experience, with users now encountering these pop-ups almost everywhere, from websites to apps and even smart TVs. While many US news websites simply block European visitors rather than comply with GDPR requirements, the broader impact has been transformative: companies worldwide have been forced to reckon with user consent, data transparency, and the fundamental question of who controls personal information in the digital age. This has been reflected in a wave of legislation across the U.S.
The surge in privacy legislation reflects profound shifts in both consumer expectations and corporate data practices following a cascade of high-profile data breaches and increasing concerns around how our data is used and misused by the websites and social media apps that we use every day. The European framework, enacted in 2018, established a rights-based approach that is reflected in a lot of the American state legislation. Unlike traditional sector-specific privacy laws, these comprehensive frameworks grant consumers fundamental rights over their personal information, including the ability to access, correct, delete, and control how their data is used. For American consumers, this legislative wave represents the most significant expansion of privacy protections in decades, offering rights that mirror those enjoyed by Europeans under GDPR while addressing the uniquely American challenge of a fragmented federal system where organizations that collect and use data have traditionally faced a patchwork of federal and state regulations rather than a unified national standard.
Since the enactment of the California Consumer Privacy Act in 2018, comprehensive U.S. state privacy legislation has become more robust and dynamic with each passing year. According to data from the International Association of Privacy Professionals (IAPP), just two bills were introduced in 2018, with one becoming law in California, whereas seven states enacted comprehensive data privacy statutes over the course of 2024. With laws currently enacted in approximately nineteen states and more taking effect throughout 2025, data privacy legislation continues to proliferate across American statehouses.
Legislation in 2025
So let's take a look at the most important bills currently making their way through legislatures across the country. The map below shows the key bills attempting to create comprehensive data privacy acts.
Only two bills have achieved full enactment so far this year - Kentucky's HB 473 and Montana's SB 297 - though five others made it out of the originating chamber. What's notable is the sheer quantity of such bills this session, which indicates a growing realization that states do need to tackle the issue.
A lot of the bills bear striking similarities, enough for them to be viewed as almost model bills. Alabama's HB 283, known as the Alabama Personal Data Protection Act, is a good example of these often Republican-led privacy initiatives across the nation. Sponsored by Republican Mike Shaw, the bill establishes comprehensive data privacy regulations for businesses operating in Alabama or targeting Alabama residents and applies to companies processing data from more than 50,000 consumers or deriving over 25% of revenue from data sales. It provides consumers with significant rights regarding their personal information, including the ability to confirm what data is being processed, correct inaccuracies, delete their data, obtain a copy of their data, and opt out of targeted advertising, data sales, and certain automated profiling.
This is reflected in states like Georgia, where SB 111 mirrors many of its key provisions. Georgia's Consumer Privacy Protection Act follows a remarkably similar structure with slight variations in enforcement mechanisms. Both bills notably do not create a private right of action, meaning only the Attorney General can enforce violations - a provision that distinguishes them from California's more consumer-friendly approach. And they provide a 60-day cure period to allow businesses to correct identified issues before fines are levied - up to $10,000 in AL and $7,500 in GA - a business-friendly approach that has been replicated in multiple states.
Oklahoma's SB 546 represents another close variation of this model. The bill establishes comprehensive data privacy protections for Oklahoma residents, creating a framework for how businesses process personal data while maintaining the characteristic Republican preference for attorney general enforcement over private litigation. It also includes carve-outs for certain sectors such as financial institutions and healthcare providers, another feature common to all these bills.
The Winners - So far
Let's take a look at the two bills to make it to the finish line thus far in 2025. Kentucky's HB 473 was sponsored by Republican Josh Branscum with Democratic co-sponsor Pamela Stevenson, demonstrating rare bipartisan consensus. The bill amends Kentucky's consumer data privacy law to make two key changes: expanding exemptions for certain organizations while strengthening core privacy protections.
Montana's SB 297 is more ambitious. Sponsored by Daniel Zolnikov, the bill comprehensively updates Montana's privacy laws, focusing on protecting consumer and minor data privacy rights, and notably expands protections beyond the typical business-focused approach to include specific safeguards for minors.
Notably, both of these bills are amending existing privacy laws rather than creating new frameworks, which may explain their success.
The Artificial Intelligence Frontier
While comprehensive privacy acts dominate the legislative landscape, artificial intelligence regulation represents an emerging frontier with distinct partisan characteristics. Only two bills in the dataset specifically target AI systems, both from Democratic sponsors and both facing significant headwinds.
Arkansas's SB 258, which has died in committee, represented one of the most ambitious attempts at AI regulation. The bill creates the Arkansas Digital Responsibility, Safety, and Trust Act, comprehensive privacy and artificial intelligence legislation designed to protect consumers' personal data and regulate the use of high-risk artificial intelligence systems. Sponsored by Republicans Clint Penzo and Stephen Meeks, the bill required developers and deployers to conduct impact assessments, disclose potential risks of algorithmic discrimination, and provide consumers with specific rights such as the ability to opt out, receive explanations for decisions, and appeal adverse outcomes.
California's SB 468, sponsored by Democrat Josh Becker and currently in committee, takes a different approach by focusing specifically on businesses that deploy high-risk artificial intelligence systems processing personal information. The bill requires covered entities to develop, implement, and maintain a detailed information security program with extensive safeguards tailored to their business size, resources, and data volume.
Healthcare Data: The Next Battleground
Healthcare data protection has emerged as a significant subset within the broader privacy landscape, with twelve bills specifically targeting health information protections. This focus reflects growing concerns about reproductive health data following recent Supreme Court decisions and the proliferation of health tracking technologies.
Illinois leads this charge with multiple competing approaches. HB 3494, the Health Data Privacy Act sponsored by Democrat Ann Williams, establishes comprehensive protections for individual health data privacy in Illinois, requiring regulated entities to be transparent about their data collection practices. The parallel SB 2273, sponsored by Democrat Celina Villanueva, creates the Protect Health Data Privacy Act with similar goals. Both prohibit discriminatory practices and restrict businesses from using geofencing technologies around healthcare facilities to track or collect data about individuals seeking health services. They also provide legal recourse, allowing individuals to sue for damages and empowering the Attorney General to enforce the act.
Massachusetts has also prioritized health data protection with H 461, sponsored by Democrat Lindsay Sabadosa, which establishes the Consumer Health Data Act in Massachusetts, creating comprehensive privacy protections for consumers' health-related personal information. The bill specifically targets regulated entities that collect, process, use, or share consumer health data and includes provisions for both traditional healthcare providers and technology companies offering health-related services.
Minnesota's approach through HF 2700 demonstrates how health data protection can be integrated into existing privacy frameworks. The bill modifies the Minnesota Consumer Data Privacy Act to enhance protections for consumer health data and sensitive information by making consumer health data a form of sensitive data requiring additional protections beyond standard personal information.
The Emerging Focus on Minor Privacy Rights
Beyond comprehensive adult privacy frameworks, a distinct legislative movement has emerged targeting the unique vulnerabilities of children and teenagers in digital spaces. This specialized area of privacy law reflects growing concern about social media addiction, online predators, and the long-term impacts of data collection on developing minds.
The trend represents a significant expansion beyond the federal Children's Online Privacy Protection Act, which has regulated data collection from children under 13 since 2000. See our 2024 post for an in-depth look at COPPA. New state laws are extending protections to teenagers up to 18 years old while addressing modern digital threats that COPPA's two-decade-old framework never anticipated. Oklahoma's HB 1762 exemplifies this approach, requiring comprehensive data protection regulations for online products, services, and features that are likely to be accessed by children and mandating that covered entities conduct impact assessments specifically analyzing potential harm to minors.
Iowa's HF 503 demonstrates how states are strengthening existing frameworks by expanding the definition of 'child' from under 13 to under 18 years of age within comprehensive privacy legislation. This age expansion reflects recognition that teenagers face unique digital risks requiring legal protection beyond traditional parental oversight. Montana's SB 297 takes a comprehensive approach by focusing on protecting consumer and minor data privacy rights within a broader privacy framework, suggesting that minor protections are becoming integral rather than supplementary to state privacy legislation.
The most aggressive state interventions target social media platforms directly. As of January 2025, 19 states have passed laws requiring age verification to access potentially harmful content, while states like Florida, Georgia, Mississippi, and Tennessee have each passed legislation requiring covered platforms to implement restrictions on minors' social media accounts. Florida's approach is particularly stringent, requiring social media platforms to terminate accounts of individuals under the age of 14 and seek parental consent for accounts of individuals 14 or 15 years of age. These measures go far beyond traditional privacy protections to actively limit platform access based on age.
The enforcement landscape for minor privacy protections varies significantly from adult privacy frameworks. While most comprehensive state privacy laws rely on attorney general enforcement without private rights of action, several minor-focused laws include provisions for individual lawsuits. This reflects the unique harm that privacy violations can cause to developing children and recognizes that parents may need direct legal recourse when platforms fail to protect their children.
Looking ahead, the intersection of artificial intelligence and minor privacy protections represents an emerging frontier. As AI systems become more sophisticated at profiling and targeting users, the potential for harm to children increases exponentially. The minor privacy bills currently advancing through state legislatures will likely need updating to address AI-specific risks, from algorithmic manipulation designed to increase engagement to sophisticated behavioral profiling that could influence children's development in unprecedented ways.
Success Factors and Implementation Challenges
The bills achieving the greatest legislative success share several common characteristics that offer insights for future privacy legislation. Attorney general enforcement mechanisms appear more politically palatable than private rights of action. Kentucky's successful HB 473 and the crossed-over bills in Alabama, Georgia, and Oklahoma all rely primarily on state enforcement rather than individual lawsuits. This approach addresses business concerns about litigation exposure while maintaining regulatory oversight.
Bipartisan sponsorship significantly improves passage prospects, as you'd expect. Kentucky's HB 473 includes both Republican and Democratic sponsors. This broad coalition approach helps navigate partisan divisions that have stalled other privacy initiatives.
Looking Forward
State privacy legislation in 2025 represents a maturing field where initial experimentation is giving way to more systematic approaches. The emergence of model bills, the focus on specific sectors like healthcare, and the development of enforcement mechanisms acceptable to both parties suggest that comprehensive privacy protection is becoming a bipartisan priority, even as the specific approaches continue to evolve. The success of bills like Kentucky's HB 473 and the advancement of Alabama's HB 283 demonstrate that effective privacy legislation is achievable when lawmakers balance consumer protection with business practicalities.
About BillTrack50 – BillTrack50 offers free tools for citizens to easily research legislators and bills across all 50 states and Congress. BillTrack50 also offers professional tools to help organizations with ongoing legislative and regulatory tracking, as well as easy ways to share information both internally and with the public.