Navigating the U.S. State Privacy Law Patchwork Post-October 2025: A Nationwide Compliance Analysis


October 1, 2025 marked a critical inflection point in American data privacy regulation as Maryland's groundbreaking privacy law took effect, joining seven other new state laws that became active throughout 2025. With 18 states now enforcing comprehensive privacy legislation and aggressive enforcement actions intensifying—including Texas AG's landmark letters to over 100 data brokers—businesses face an unprecedented compliance challenge that demands strategic adaptation.

Executive Summary

The American privacy landscape fundamentally transformed throughout 2025 as eight new state comprehensive privacy laws took effect: Delaware, Iowa, Nebraska, and New Hampshire (January 1), New Jersey (January 15), Tennessee (July 1), Minnesota (July 31), and Maryland (October 1). This seismic shift created a complex regulatory patchwork that varies significantly across jurisdictions in applicability thresholds, consumer rights, data minimization requirements, and enforcement mechanisms.

Key developments shaping the post-October 2025 landscape:

  • Maryland's paradigm shift: The Maryland Online Data Privacy Act (MODPA) establishes one of the nation's strictest frameworks, prohibiting the sale of sensitive data regardless of consent and requiring data collection be "strictly necessary" for requested services
  • Minnesota's profiling rights revolution: The Minnesota Consumer Data Privacy Act (MCDPA) grants unprecedented consumer rights to contest profiling decisions, review underlying data, and understand alternative outcomes
  • Data inventory mandates: Minnesota explicitly requires businesses to maintain comprehensive data inventories—the only state to mandate this at the statutory level
  • Aggressive state-level enforcement: Texas AG Ken Paxton's issuance of warning letters to over 100 companies for data broker registration failures signals a new era of proactive enforcement
  • Universal opt-out adoption: Twelve states now require recognition of universal opt-out mechanisms like Global Privacy Control, making browser-based privacy signals table stakes
  • Cure period sunset provisions: Multiple states are phasing out cure periods, allowing immediate enforcement without grace periods for violations

For businesses operating nationwide, these developments demand comprehensive data mapping, enhanced documentation of data processing necessities, robust consumer request infrastructure, and strategic assessment of data monetization models.

The October 2025 Milestone: Maryland's Entry and Montana's Evolution

Maryland's Revolutionary Framework

October 1, 2025 witnessed the implementation of Maryland's Online Data Privacy Act (MODPA), a law that privacy experts consider one of the most restrictive state privacy frameworks in the United States. Unlike the business-friendly "Virginia model" adopted by many states, MODPA draws heavily from the failed federal American Data Privacy and Protection Act (ADPPA) and incorporates provisions that fundamentally restrict not just how businesses use data, but what data they can collect in the first place.

The "Strictly Necessary" Standard

MODPA's most significant departure from other state laws is its prohibition on collecting, processing, or sharing sensitive data unless such collection is "strictly necessary" to provide or maintain a specific product or service requested by the consumer. This goes beyond consent-based frameworks—businesses must justify processing with documented business necessity, regardless of whether consumers consent.

The law defines sensitive data broadly to include:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis, condition, or treatment
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • Status as transgender or nonbinary
  • Genetic or biometric data processed for identification purposes
  • Personal data of known children under 13
  • Precise geolocation data

💡 Biometric Compliance: Maryland's inclusion of biometric data in sensitive personal information requires heightened protections. Track state-specific biometric privacy requirements using the Biometric Privacy Tracker, which covers biometric laws across multiple states including Illinois' BIPA, Texas' CUBI, and emerging state frameworks.

Until regulators or courts provide guidance on what "strictly necessary" means in practice, businesses face significant uncertainty. Legal teams must prepare for regulatory inquiries by thoroughly documenting why each sensitive data processing activity is essential to delivering the specific service a consumer has requested.

Absolute Prohibition on Sensitive Data Sales

Unlike other state laws that allow sensitive data sales with opt-in consent, MODPA prohibits the sale of sensitive data outright—even with consumer consent. The only exception is consumer-directed disclosures where the consumer has intentionally used the controller to interact with a third party.

This creates compliance challenges for businesses whose models depend on data monetization. Consider a health and wellness app that collects health information: under MODPA, the app cannot sell this data to advertisers, insurers, or data brokers, regardless of whether users consent. The app can only disclose health data to third parties when strictly necessary to provide the wellness services the user requested.

Enhanced Protections for Minors

MODPA prohibits selling or processing personal data of anyone under 18 for targeted advertising if the controller "knew or should have known" the person was a minor. This "should have known" standard is more stringent than the "willful disregard" threshold found in most other state privacy laws and raises the age threshold from 13 or 16 to 18.

The law provides no guidance on what factors demonstrate "should have known," creating uncertainty for businesses operating general-audience websites and apps. Unlike California or Oregon, MODPA contains no opt-in provision that would permit use of minor data for advertising with parental consent.

Data Minimization as Core Principle

MODPA restricts the collection of personal data (not just sensitive data) to what is "reasonably necessary and proportionate" to provide or maintain a specific product or service requested by the consumer. This data minimization requirement is more restrictive than most state laws, which typically allow processing for any disclosed purpose.

Businesses must audit their data collection practices to ensure they're not collecting data "just in case" it might be useful later. Each data element must be tied to a specific, consumer-requested function.

Applicability Thresholds

MODPA applies to persons that conduct business in Maryland or target products/services to Maryland residents and, during the prior calendar year, either:

  • Controlled or processed personal data of at least 35,000 Maryland residents, or
  • Controlled or processed personal data of at least 10,000 Maryland residents and derived more than 20% of gross revenue from the sale of personal data

The 35,000 threshold is relatively low given Maryland's population of approximately 6 million, bringing many mid-sized businesses into scope.

Montana's Dramatic Amendments

The same day MODPA took effect, Montana implemented sweeping amendments (Senate Bill 297) to its Consumer Data Privacy Act (MCDPA), which originally went into effect October 1, 2024. These amendments represent a substantial expansion and strengthening of Montana's privacy protections:

For comprehensive analysis of Montana's privacy framework and how it compares to other states, see our in-depth article: In-Depth Analysis of the Montana Consumer Data Privacy Act (MCDPA).
