States Focus on Sensitive Data Amid Swift Enforcement Increase, Sidley Lawyers Say
So far in 2025, state lawmakers and regulators have focused on data related to health, children, geolocation and biometrics, said Sidley privacy attorneys Colleen Theresa Brown, Sheri Porath Rockwell and Sasha Hondagneu-Messner in a blog post Thursday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
States' “efforts reflect key themes such as increased regulation of teen data and social media platforms, enhanced restrictions on the collection and sale of geolocation and biometric data, simplified opt-out mechanisms for tracking technologies, and broader obligations concerning consumer health data and data minimization,” the lawyers wrote. Also, they noted increasing AI regulatory activity, such as with recently approved California Privacy Protection Agency (CPPA) rules on automated decision-making technology (see 2507250027 and 2507240049).
Plus, lawmakers expanded the scope of some existing privacy laws, such as by “lowering thresholds of applicability, removing exemptions for specific entity types broadly subject to federal privacy laws such as the Gramm-Leach-Bliley Act (GLBA).” Connecticut and Montana made such changes to their comprehensive privacy laws this year (see 2506260005 and 2505120005).
“Enforcement activity has continued apace,” added the Sidley lawyers. “California regulators have issued several instructive enforcement actions within the last six months, focusing on the need to audit cookie classifications, pressure test opt-out links, and scrutinize the user experience as consumers exercise their privacy rights.”
The state is starting to enforce the California Consumer Privacy Act’s purpose-limitation requirements, especially related to sensitive data, they added. That issue arose in an enforcement against Healthline (see 2507030026). “Enforcement reports from [other] state attorneys general mirror these concerns and stress the importance of clear privacy policy disclosures that clearly apprise state residents of their rights.”