October 1, 2025: Three Major State Privacy Law Updates and the Universal Opt-Out Revolution


Almost a month ago, October 1, 2025 marked a pivotal moment in American data privacy regulation. Not one, but three significant state privacy law developments took effect on this date, fundamentally reshaping the compliance landscape for businesses operating across the United States.

Maryland's groundbreaking new comprehensive privacy law (MODPA) went into effect, Montana's sweeping amendments to its existing privacy law became enforceable, and both states joined the growing coalition requiring universal opt-out mechanisms like Global Privacy Control (GPC)—a trend that began earlier in 2025 when New Hampshire's privacy law took effect on January 1.

Together, these developments represent a critical inflection point: state privacy laws are evolving beyond the business-friendly "Virginia model" toward more restrictive frameworks that prioritize substantive consumer protections over corporate flexibility. Let's break down what changed and what it means for your compliance program.

Maryland's MODPA: America's Strictest State Privacy Law?

Unlike most state privacy laws that have followed the business-friendly Virginia or Utah models, Maryland's Online Data Privacy Act (MODPA) represents a significant paradigm shift—establishing what many legal experts are calling one of the most restrictive privacy frameworks in the United States.

The Three-State October 1st Convergence

Maryland: A New Standard for Privacy Protection

While 16 other states already had comprehensive privacy laws on the books when MODPA went live, Maryland's approach stands apart in several critical ways. The law draws heavily from the failed federal American Data Privacy and Protection Act (ADPPA) and incorporates provisions that go well beyond what businesses have come to expect from state-level privacy legislation.

The most significant departure? MODPA doesn't just regulate how businesses use data—it fundamentally restricts what data they can collect in the first place.

Montana: Strengthening an Existing Framework

The same day MODPA took effect, Montana implemented sweeping amendments (Senate Bill 297) to its Consumer Data Privacy Act (MCDPA), which originally went into effect October 1, 2024. These aren't minor tweaks—they represent a substantial expansion and strengthening of Montana's privacy protections.

Key changes in Montana's October 1, 2025 amendments:

Lower applicability threshold: The law now applies to businesses processing personal data of just 25,000 Montana consumers (down from 50,000), making Montana the state with the lowest threshold in the nation—even lower than Maryland's 35,000.

Eliminated financial institution exemption: Previously, entities subject to the Gramm-Leach-Bliley Act (GLBA) were exempt at the entity level. That exemption is now gone, bringing banks, credit unions, and auto dealerships into scope (though GLBA-regulated data itself remains exempt).

Removed cure period: The 60-day cure period for violations has been eliminated as of October 1, 2025, allowing the Attorney General to proceed with enforcement actions immediately.

Duty of care for minors: Controllers offering online services to minors must now exercise "reasonable care to avoid a heightened risk of harm" when they know or willfully disregard that a consumer is under 18. This positions Montana alongside Connecticut and Colorado in adopting a duty-of-care framework.

Expanded profiling opt-out: Consumers can now opt out of profiling for "automated decisions" (not just "solely automated decisions"), broadening the scope of this right significantly.

Enhanced transparency requirements: Privacy notices must now include the last update date, an explanation of consumer rights, and a clear opt-out method outside the privacy notice for data sales and targeted advertising.

The Universal Opt-Out Momentum: New Hampshire's Role

While New Hampshire's Consumer Expectation of Privacy Act actually took effect earlier—on January 1, 2025—it's worth noting in this context because it represents the beginning of 2025's wave of universal opt-out requirements. New Hampshire, with its similarly low threshold of 35,000 consumers, required businesses to honor universal opt-out mechanisms from day one.

The universal opt-out landscape as of late 2025:

States requiring universal opt-out mechanisms now include California, Colorado, Connecticut, Delaware, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Maryland, and Minnesota. The trend is clear: browser-based privacy signals like Global Privacy Control (GPC) are becoming table stakes for state privacy compliance.

Maryland's MODPA: Four Game-Changing Provisions

1. The Strictest Data Minimization Standard in the Nation

Most state privacy laws allow businesses to collect whatever personal data they want, as long as it's "reasonably necessary" for disclosed purposes. MODPA flips this permissive framework on its head.

Under Maryland's law, controllers may only collect personal data when it is "reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer." This isn't just semantic hairsplitting—the emphasis on "specific" and "requested" creates a much narrower scope for legitimate data collection.

But it gets even more restrictive for sensitive data.

For sensitive personal data—which MODPA defines broadly to include race, ethnicity, religious beliefs, sexual orientation, transgender or nonbinary status, national origin, citizenship status, consumer health data (including gender-affirming and reproductive healthcare), genetic data, biometric data, precise geolocation, and data about children under 13—controllers can only collect, process, or share this information when it is "strictly necessary" to provide or maintain a requested service.

The difference between "reasonably necessary" and "strictly necessary" isn't defined in the statute, but the intent is clear: if you can deliver your product or service without that sensitive data, you can't legally collect it in Maryland.

Real-world impact: Fast food loyalty apps that track your location 24/7? Not under MODPA. Gaming apps collecting Social Security numbers? Legally prohibited. The burden is now on businesses to justify every data point they collect, not on consumers to opt out of excessive collection.

2. An Absolute Ban on Selling Sensitive Data—No Exceptions

While states like California and Colorado allow businesses to sell sensitive personal data with opt-in consent, MODPA takes a hardline position: the sale of sensitive data is categorically prohibited, regardless of consumer consent.

This isn't a "give consumers a choice" framework—it's a complete market prohibition. The law defines "sale" broadly as the exchange of personal data for monetary or other valuable consideration, following the majority of states rather than the narrow "monetary consideration only" definitions used in states like Utah and Virginia.

However, MODPA does include several exceptions to what constitutes a "sale," including:

  • Consumer-directed disclosures to third parties for services the consumer affirmatively requested
  • Disclosures to processors who are contractually bound to act only on the controller's behalf
  • Information a consumer made publicly available through mass media channels

The practical effect? Business models built on monetizing sensitive data—particularly in the adtech, data broker, and location intelligence sectors—face fundamental operational challenges in Maryland.

3. Comprehensive Protection for Minors: No Sales, No Targeted Ads

Perhaps MODPA's most striking feature is its approach to protecting young people online. The law establishes an absolute prohibition on two activities involving anyone under 18 years old:

  1. No selling personal data of consumers the controller "knew or should have known" are under 18
  2. No processing personal data for targeted advertising if the controller "knew or should have known" the individual is under 18

This "should have known" standard is significantly more demanding than the "actual knowledge" or "willful disregard" thresholds found in other state laws. It imposes what amounts to a proactive duty on businesses to identify potential minors, likely requiring age verification or age assurance mechanisms for many online services.

The age threshold itself is also notable. While most state laws define children as those under 13 or 16, MODPA extends protection to anyone under 18—covering the entire legal definition of a minor. This aligns Maryland with a handful of other states that have passed "age-appropriate design code" acts, though MODPA's protections are broader and apply to all covered businesses, not just those targeting minors.

Compliance consideration: The "should have known" standard creates significant risk. If your platform attracts substantial youth traffic, or if you market to families, you may need to implement age-gating, employ age estimation technologies, or fundamentally rethink your data practices around younger users.

4. Universal Opt-Out Mechanisms: GPC Required from Day One

Unlike some states that phased in universal opt-out requirements, MODPA mandated compliance with universal opt-out mechanisms (UOOMs) like the Global Privacy Control (GPC) from its October 1, 2025 effective date.

The GPC is a browser-based privacy signal that allows consumers to automatically communicate their opt-out preferences across all websites they visit. When a user enables GPC through a browser extension (such as Privacy Badger or DuckDuckGo Privacy Essentials) or a GPC-enabled browser (like Brave or Firefox), the browser sends a standardized signal with every request: the `Sec-GPC: 1` HTTP request header, mirrored on the client side by the boolean `navigator.globalPrivacyControl`.

Under MODPA, businesses must honor these signals as valid opt-out requests for:

  • The sale of personal data
  • Processing for targeted advertising
  • Certain types of profiling

This requirement eliminates the friction that has historically made opt-out rights largely theoretical. Rather than forcing consumers to navigate cookie banners and privacy settings on every website, GPC allows them to set their preferences once and have them automatically respected everywhere.

Recent enforcement context: California's record-breaking $1.3 million fine against Tractor Supply Co. in October 2025 centered partly on the company's failure to honor GPC signals. The message from regulators is clear: universal opt-out mechanisms aren't optional, and technical implementation must actually work.
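The following is an added illustration of what "honoring the signal" means at the code level; it is not code from the original post or from any regulator. It reads the `Sec-GPC` request header as the GPC specification defines it (only the exact value `1` is an opt-out), merges it with a stored preference, and gates sale and targeted-advertising processing on the result. The stored-preference shape (`saleOptOut`, `targetedAdsOptOut`), the activity names, and the sample requests are assumptions constructed for the example; the `/.well-known/gpc.json` resource is the one the GPC spec defines for sites that declare support.

```javascript
// Added example: honoring a Global Privacy Control signal server-side.
// Per the GPC spec a browser with GPC enabled sends `Sec-GPC: 1`; any other
// value, or no header, is not an opt-out. The client-side mirror of the same
// signal is the boolean `navigator.globalPrivacyControl`.

// Parse the Sec-GPC header. Header names are matched case-insensitively
// (Node lowercases them; other stacks may not); only the exact value "1"
// counts, because the spec defines no other value.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') {
      const v = Array.isArray(value) ? value[0] : value;
      return String(v).trim() === '1';
    }
  }
  return false;
}

// Compute the effective opt-out state for one request.
// Assumption (not from the page): a consumer's explicitly stored choice is
// represented as `storedPrefs.saleOptOut` / `storedPrefs.targetedAdsOptOut`.
// The GPC signal is treated as an opt-out from sale and targeted advertising
// and never re-enables processing a consumer had already opted out of.
function effectivePrefs(headers, storedPrefs = {}) {
  const gpc = hasGpcSignal(headers);
  return {
    gpc,
    saleOptOut: gpc || storedPrefs.saleOptOut === true,
    targetedAdsOptOut: gpc || storedPrefs.targetedAdsOptOut === true,
  };
}

// Gate a processing activity on the effective preferences.
// Returns true when the activity may proceed for this request. Activities
// outside the opt-out rights (e.g. fulfilling an order) are unaffected.
function mayProcess(activity, prefs) {
  switch (activity) {
    case 'sale':
      return !prefs.saleOptOut;
    case 'targeted_advertising':
      return !prefs.targetedAdsOptOut;
    default:
      return true;
  }
}

// Body of the well-known resource a site can publish at /.well-known/gpc.json
// to declare that it honors GPC (field names as in the spec).
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate }, null, 2);
}

// Constructed sample requests (not real traffic), including the edge case of
// a header present with a value the spec does not define.
const sampleRequests = [
  { name: 'no signal', headers: { 'user-agent': 'example' } },
  { name: 'gpc on', headers: { 'Sec-GPC': '1' } },
  { name: 'bogus value', headers: { 'sec-gpc': 'true' } },
];

for (const r of sampleRequests) {
  const prefs = effectivePrefs(r.headers);
  console.log(
    `${r.name}: sale allowed=${mayProcess('sale', prefs)},` +
    ` targeted ads allowed=${mayProcess('targeted_advertising', prefs)}`
  );
}
console.log(gpcWellKnown('2025-10-01'));
```

The check runs before any downstream sale or ad-tech call, not only at cookie-banner time: a signal that is read but not wired into the data flow is exactly the "non-functional opt-out" pattern the enforcement action above describes.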

Comparing Applicability: Who's Covered Under Each Law?

The October 1, 2025 updates brought some of the lowest applicability thresholds in the nation, potentially bringing mid-sized and even some smaller businesses into scope.

Maryland (MODPA)

The law applies to entities that conduct business in Maryland or provide products or services targeted to Maryland residents and that:

  • Process personal data of 35,000 or more Maryland residents annually (excluding payment transaction data), OR
  • Process personal data of 10,000 or more Maryland residents AND derive more than 20% of gross revenue from data sales

With Maryland's population of approximately 6.3 million, the 35,000 threshold means you're covered if you process data for roughly 0.56% of state residents.

Montana (MCDPA - Amended)

After the October 1 amendments, Montana now has the lowest threshold in the nation:

  • Process personal data of 25,000 or more Montana consumers (excluding data processed solely to complete a payment transaction), OR
  • Process personal data of 15,000 or more Montana consumers AND derive more than 25% of gross revenue from data sales

With Montana's population of about 1.1 million, this 25,000 threshold means coverage kicks in at just 2.3% of the state's population—but in absolute numbers, it's the lowest bar to clear.

New Hampshire (NHPA - For Context)

New Hampshire's law (effective January 1, 2025) uses the same 35,000 threshold as Maryland:

  • Control or process personal data of at least 35,000 unique New Hampshire consumers, OR
  • Control or process personal data of 10,000 unique New Hampshire consumers AND derive more than 25% of gross revenue from data sales

Notable Exemption Differences

MODPA (Maryland) lacks the broad nonprofit exemption found in most state laws, instead only exempting nonprofits that process data solely to assist law enforcement with insurance fraud investigations or to help first responders. It also doesn't exempt HIPAA-covered entities at the entity level.

Montana's amendments eliminated the GLBA entity-level exemption, meaning financial institutions like banks, credit unions, and auto dealerships are now covered (though GLBA-regulated data itself remains exempt). The nonprofit exemption was also narrowed to only cover those assisting with insurance fraud detection.

New Hampshire maintains broader exemptions for HIPAA-covered entities, GLBA financial institutions, and nonprofits.

The Universal Opt-Out Imperative: What October 1st Means for GPC Compliance

Both Maryland and Montana required compliance with universal opt-out mechanisms (UOOMs) like Global Privacy Control from their October 1, 2025 effective dates.

What must businesses honor under Maryland and Montana?

Both states require businesses to recognize GPC signals as valid opt-out requests for:

  • The sale of personal data
  • Processing for targeted advertising
  • Certain types of profiling (in Montana, now includes any "automated decisions," not just "solely automated" ones post-amendment)

These opt-out rights are part of a broader set of consumer privacy rights that include access, deletion, correction, and data portability.

Montana's enhanced opt-out requirements (October 1, 2025 amendments):

The amendments added more prescriptive requirements. Controllers that sell personal data or process it for targeted advertising must now:

  • "Clearly and conspicuously" disclose such activities in their privacy notice
  • Provide a "clear and conspicuous" opt-out method for consumers outside of the privacy notice (not buried in policy documents)
  • Use labels such as "your opt-out rights" or "your privacy rights" that either directly effectuate the opt-out or link to a page where consumers can make the request

The GPC coalition continues to grow:

As of late 2025, twelve states require businesses to honor universal opt-out signals: California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas. Three more states (Indiana, Kentucky, and Rhode Island) will join this list when their laws take effect on January 1, 2026.

Recent enforcement warning: California's record-breaking $1.3 million fine against Tractor Supply Co. in October 2025 centered partly on the company's failure to honor GPC signals and provide functional opt-out mechanisms. The company's "Do Not Sell My Personal Information" link directed users to a non-functional web form. The message from regulators is clear: universal opt-out mechanisms aren't optional, and technical implementation must actually work.

Enforcement: Comparing the Three States' Approaches

Maryland (MODPA)

The Maryland Attorney General's Consumer Protection Division has exclusive enforcement authority, with violations treated as unfair, abusive, or deceptive trade practices under Maryland's Consumer Protection Act.

Penalties:

  • $10,000 per violation
  • $25,000 for repeated violations

Given that each affected consumer could potentially constitute a separate violation, exposure can escalate quickly for systemic compliance failures.

Cure period: Until April 1, 2027, the Attorney General has discretion to offer a 60-day cure period for first-time violations. However, this grace period is not mandatory, and after the sunset date, enforcement can proceed immediately.

Private right of action: None. Only the AG can bring enforcement actions, though the law doesn't prevent consumers from pursuing remedies under other applicable laws.

Montana (MCDPA - Amended)

The Montana Attorney General has enforcement authority, with violations considered breaches of Montana's Consumer Protection Act.

Critical change as of October 1, 2025: The 60-day cure period has been completely eliminated. Previously, it was set to sunset on April 1, 2026, but the amendments accelerated this significantly—Montana now has no cure period at all.

Enhanced AG powers: The amendments significantly expanded the Attorney General's investigatory authority:

  • Can now issue civil investigative demands
  • Can require controllers to submit data protection assessments relevant to investigations
  • Immediate enforcement without any cure opportunity

Penalties: Unlike many states, Montana doesn't specify dollar amounts but allows the AG to take legal action under the Consumer Protection Act framework.

Enforcement presumption: If a controller complies with Montana's duty of care requirements for minors, it's entitled to a rebuttable presumption that it has used reasonable care in an enforcement action.

New Hampshire (NHPA - For Context)

The New Hampshire Attorney General has exclusive enforcement authority, with violations treated as violations of the state's deceptive trade practices law.

Penalties: Up to $10,000 per violation

Cure period evolution:

  • Throughout 2025: Mandatory 60-day cure period before enforcement
  • Starting January 1, 2026: Cure period becomes discretionary—the AG may consider factors like the number of violations, size and complexity of the entity, likelihood of public harm, and whether the violation was caused by human or technical error when deciding whether to grant an opportunity to cure

Private right of action: None.

The Bigger Picture: What October 1st Signals for Privacy Regulation

The convergence of Maryland's MODPA and Montana's strengthened MCDPA on October 1, 2025—following New Hampshire's January implementation—signals several critical trends in American privacy regulation:

1. The shift from "notice and choice" to substantive restrictions.

Maryland leads this trend most aggressively, imposing hard limits on what businesses can collect in the first place. Rather than giving consumers theoretical control through disclosures and opt-outs, MODPA restricts data collection at the source. Montana's amendments, particularly the duty of care for minors, follow this same philosophy.

2. Lowering the bar for applicability.

Montana now has the lowest threshold in the nation (25,000 consumers), with Maryland and New Hampshire close behind at 35,000. Compare this to early-generation laws in states like Colorado and Connecticut (100,000 consumers), and the trend is clear: more businesses are being brought into scope. The elimination of broad exemptions—particularly Montana's removal of the GLBA entity-level exemption—further expands coverage.

3. Eliminating cure periods and strengthening enforcement.

Montana's complete elimination of its cure period as of October 1, 2025, represents the most aggressive enforcement posture yet among state privacy laws. Maryland's discretionary cure period (sunsetting in 2027) and New Hampshire's transition to discretionary cures in 2026 show that regulators are moving away from the "soft landing" approach of early privacy laws.

4. Universal opt-out as table stakes.

With 12 states now requiring GPC recognition, and 3 more joining on January 1, 2026, browser-based privacy signals have transitioned from experimental to mandatory. The technical implementation requirements are real, and the $1.3 million Tractor Supply fine demonstrates that regulators will enforce these provisions aggressively.

5. Heightened scrutiny of sensitive data and youth privacy.

Maryland's absolute ban on sensitive data sales and both Maryland's and Montana's enhanced youth protections reflect federal regulatory priorities. The FTC has been increasingly focused on health data, location data, and children's information—exactly the categories these state laws regulate most strictly. Montana's duty of care for minors aligns with Connecticut and Colorado's frameworks, suggesting this approach may become the constitutional middle ground between aggressive regulation and First Amendment concerns.

6. The decline of the "Virginia model."

While most states since 2021 have followed Virginia's business-friendly approach, the October 1 updates represent a departure. Maryland's ADPPA-inspired framework and Montana's strengthened amendments show states are willing to go beyond the lowest-common-denominator model—and these stricter approaches are surviving legislative processes in both blue states (Maryland) and red states (Montana).

Practical Steps for Multi-State Compliance

For businesses subject to these October 1, 2025 updates (and the broader landscape of state privacy laws), here's where to focus your compliance efforts:

Immediate Priorities (If Not Already Implemented):

  1. Enable GPC recognition on your website and configure systems to honor universal opt-out signals across all twelve states that require it
  2. Update privacy notices to meet the most prescriptive requirements:
    • Include specific third-party recipients (Maryland) or categories of recipients
    • Add last update date and explanation of consumer rights (Montana)
    • Provide clear opt-out methods outside the privacy notice (Montana)
    • Ensure accessibility and multi-language support where you offer multilingual services (Montana)
  3. Implement consumer rights request workflows for access, deletion, correction, portability, and opt-out requests with 45-day response timeframes
  4. Configure opt-out mechanisms that:
    • Cannot be rejected based on suspected fraud (Maryland)
    • Are at least as easy to use as the mechanism for giving consent (all states)
    • Use clear labels like "your opt-out rights" or "your privacy rights"

Medium-Term Projects:

  1. Conduct a comprehensive data inventory mapping all personal data collection, processing, and sharing—with special attention to:
    • Sensitive data under Maryland's broad definition
    • Data from or about minors
    • Third-party disclosures that might constitute "sales"
  2. Perform Data Protection Assessments (DPAs) for high-risk processing activities, including:
    • Targeted advertising and data sales
    • Sensitive data processing
    • Profiling (including automated decisions in Montana)
    • Activities presenting heightened risk to minors (Montana)
  3. Review and minimize data collection:
    • For Maryland: Ensure collection is "reasonably necessary and proportionate" (or "strictly necessary" for sensitive data)
    • For Montana: Confirm collection is "adequate, relevant, and reasonably necessary" for disclosed purposes
    • For all: Implement true data minimization, not just compliance documentation
  4. Implement age assurance measures if your services:
    • Attract users under 18 (Maryland, Montana)
    • Are likely to be accessed by substantial numbers of minors (Montana's duty of care)
    • Could benefit from the duty of care safe harbor (Montana)
  5. Audit and update vendor contracts:
    • Ensure data processing agreements are in place for all processors
    • Confirm vendors understand their obligations under these laws
    • Montana controllers should ensure they can conduct reasonable assessments of processors
    • Implement appropriate breach notification procedures as required under each state's data security laws
  6. For Maryland specifically: Eliminate or restructure any sensitive data sales since these are categorically prohibited regardless of consent

Strategic Considerations:

  1. Evaluate your data monetization strategy if it relies on sharing data with third parties for valuable consideration—Maryland's restrictions may require fundamental business model changes
  2. Consider a high-water-mark compliance approach that applies Maryland's strict standards (the highest bar) across your entire operation, simplifying compliance with the growing patchwork of state laws
  3. Monitor for potential amendments—Maryland's HB1365 proposes modifications to data minimization provisions
  4. Assess whether Montana's duty of care applies to your business and implement safeguards to qualify for the enforcement presumption
  5. Prepare for enforcement without cure periods—Montana offers no cure opportunity as of October 1, 2025, and Maryland's discretionary cure sunsets in 2027

If You're a Financial Institution or Auto Dealer:

  1. Montana-specific action required: You're now covered under MCDPA as of October 1, 2025, even though you were previously exempt under the GLBA entity-level exemption. While GLBA-regulated data remains exempt, other personal data you process falls under MCDPA's requirements.

Critical Compliance Deadlines

Maryland's Grace Period: April 1, 2026

While MODPA took effect on October 1, 2025, the law includes a critical grace period: it will not apply to any personal data processing activities until April 1, 2026. This gives businesses six months to come into compliance.

However, this grace period should not be mistaken for breathing room. Implementing meaningful data minimization, restructuring data flows to eliminate sensitive data sales, building out age verification systems, and enabling GPC recognition are significant undertakings that require careful planning and execution.

Organizations that wait until Q1 2026 to begin their compliance work will find themselves seriously behind the curve—especially if the Maryland AG's office takes an aggressive enforcement posture once the grace period expires.

Montana: Immediate Enforcement (No Grace Period)

Montana's October 1, 2025 amendments are immediately enforceable with no cure period. The state originally provided a cure period sunsetting on April 1, 2026, but the amendments eliminated it entirely as of October 1, 2025. This means:

  • Any violation can result in immediate enforcement action
  • No opportunity to remedy issues before facing penalties
  • The Attorney General has broad investigatory powers including civil investigative demands

For businesses newly brought into scope by the lower 25,000 threshold or the eliminated GLBA exemption, this creates significant risk. You should have been compliant on October 1, 2025—any delays in implementation now carry immediate enforcement exposure.

New Hampshire: Transitioning to Discretionary Cure

New Hampshire's mandatory 60-day cure period ends on December 31, 2025. Starting January 1, 2026, the New Hampshire Attorney General has discretion to determine whether to grant a cure period based on:

  • The number and nature of violations
  • Size and complexity of the entity
  • Likelihood of injury to the public
  • Whether the violation was caused by human or technical error

This means that starting in 2026, first-time violators cannot count on receiving a cure opportunity—the AG may proceed directly to enforcement for egregious violations.

The Bottom Line: Three States, One Message

The October 1, 2025 convergence of Maryland's MODPA implementation and Montana's MCDPA amendments—following New Hampshire's January 2025 effective date—sends a clear message about the direction of American privacy regulation:

State privacy laws are getting stricter, not more uniform. While early adopters largely followed Virginia's business-friendly model, the 2025 wave represents a departure toward more substantive consumer protections. Maryland's ADPPA-inspired framework and Montana's significant amendments show that the "race to the bottom" theory—where states compete to be most business-friendly—hasn't materialized.

Lower thresholds mean broader applicability. Montana's 25,000-consumer threshold is the lowest in the nation, with Maryland and New Hampshire at 35,000. Combined with narrowing exemptions (Montana's elimination of the GLBA entity exemption, Maryland's limited nonprofit exemption), significantly more businesses are now covered by at least one state privacy law.

Enforcement is getting real. Montana's elimination of its cure period, Maryland's discretionary cure sunsetting in 2027, and California's $1.3 million fine for GPC violations in October 2025 all signal that the "soft landing" era of state privacy enforcement is ending. Attorneys General are gaining more investigatory tools and showing willingness to use them.

Universal opt-out is non-negotiable. With 12 states requiring GPC recognition as of late 2025 (and 15 by early 2026), browser-based privacy signals are now table stakes for national businesses. The technical implementation must actually work—non-functional opt-out mechanisms will draw enforcement attention.

Maryland sets a new ceiling. MODPA's combination of strict data minimization, absolute ban on sensitive data sales, comprehensive youth protections, and mandatory GPC recognition makes it arguably the most demanding state privacy law in America. Even if you're not specifically targeting Maryland residents, if you have users there and meet the thresholds, you're subject to requirements that may fundamentally challenge your data practices.

For businesses operating nationally, the question isn't whether your organization can afford to comply with these October 1 updates—it's whether you can afford not to. The compliance landscape continues to fragment, enforcement is intensifying, and the states that went into effect on October 1, 2025 represent a significant escalation in regulatory expectations.

Where Maryland, Montana, and New Hampshire lead, other states are likely to follow. Now is the time to build a privacy program that can scale with increasing regulatory demands—not one that merely checks boxes for today's requirements.


About the Author: This analysis is provided for informational purposes and does not constitute legal advice. Organizations should consult with qualified privacy counsel to assess their specific compliance obligations under MODPA, MCDPA, NHPA, and other applicable laws.
