As we progress deeper into the 2025 legislative season, comprehensive privacy law proposals continue to progress through the legislative process. In the weeks since our last update, Kentucky amended its comprehensive data privacy law with the passage of HB 473 and Texas introduced a bill (HB 5495) to amend its Data Privacy and Security Act to require controllers to recognize global privacy controls—a meaningful alignment with other states like California, Colorado, and Connecticut. Additionally, Maine introduced a consumer data privacy law (LD 1088/HP 710) after the Senate voted down a House-passed consumer data privacy law last year.
While comprehensive privacy law proposals in Arkansas (SB 258), Georgia (SB 111), and West Virginia (HB 2987) continue to advance, we anticipate several proposals elsewhere won’t make it out of chambers before the end of the legislative session. We’ve already seen bills in Washington and Hawaii fail to make it out of chambers before their respective crossover deadlines. We’re also watching Massachusetts closely, as Massachusetts’ Data Privacy Act (S. 45, S. 29, H. 104), Consumer Data Privacy Act (H. 78), and Information Privacy and Security Act (S. 301) have been sitting with Committees since late February.
This blog post summarizes the most notable updates with regard to state comprehensive privacy law proposals. Please follow the WilmerHale Privacy and Cybersecurity Blog to stay up to date on these developments and others.
NEW PROPOSALS
Unless otherwise noted, all the newly introduced comprehensive privacy bills share some common features, such as the creation of consumer privacy rights and requirements for privacy notice. The consumer privacy rights proposed in these bills typically include the right to confirm whether a controller is processing a consumer’s personal information; the rights to access, correct, or delete personal information; and the right to data portability. Although it may be phrased differently, these bills typically create a right to opt-out of the processing of personal information for purposes of selling data or targeted advertising. These introduced bills also require controllers to provide consumers with information (often via a privacy notice) that includes the categories of personal information processed; the purposes for the data processing; a description of how to exercise data rights; and information regarding any data that is sold to third parties.
The summaries below detail additional key components found in the newly introduced bills:
Maine
1. Bill Title: Maine Consumer Data Protection Act (LD 1088/HP 710)
2. Date of Introduction: March 14, 2025.
3. Current Status: As of March 21, 2025, LD 1088/HP 710 has been referred to the Judiciary Committee (3/14/25).
4. Key Provisions:
- From July 1, 2026, to December 31, 2027, this bill will apply to persons that conduct business in Maine or persons that produce products or services targeted to Maine residents and either: a) control or process the personal data of at least 100,000 consumers, excluding controlling or processing for the purpose of completing a transaction; or b) control or process the personal data of at least 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.
- Beginning January 1, 2028, this bill will apply to businesses that control or process the personal data of at least 50,000 consumers.
- In addition to the exemptions typically found in these comprehensive privacy bills,* this bill also exempts information governed by the Airline Deregulation Act.
- Entities that comply with COPPA’s verifiable parental consent requirements are deemed to comply with the Act’s parental consent requirements.
- Exempts individuals “acting in a commercial or employment context” from its definition of “consumer.”
- Defines “sale of personal information” to include exchanges of personal information “for monetary or other valuable consideration.”
- Defines “sensitive data” to include consumer health data, data concerning an individual’s status as a victim of a crime, and precise geolocation data.
- Creates individual rights for consumers as articulated at the beginning of this section, including the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
- Prohibits controllers from processing sensitive data without a consumer’s consent.
- Uniquely, the Act prohibits a person from using a geofence to establish a virtual perimeter within 1,750 feet of any facility that provides in-person health care services for the purpose of identifying, tracking, or collecting data from or sending any notification regarding the consumer’s health data to a consumer that enters the virtual perimeter.
- Requires that controllers provide consumers with a privacy notice that includes: categories of personal information processed; purposes for said processing; description of how consumers may exercise their data rights; categories of personal information the controller sells to third parties; and categories of third parties to which the controller sells personal information.
- If a controller sells personal information or processes personal information for purposes of targeted advertising, it must “clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing.”
- Imposes requirements on processors, such as requiring that a contract govern the processor’s execution of data processing activities on behalf of the controller.
- Requires that controllers conduct data protection assessments for processing activities involving targeted advertising, sale of personal information, certain types of profiling, the processing of sensitive data, and other processing posing a “heightened risk of harm to consumers.”
- Grants exclusive enforcement authority to the Maine Attorney General.
- Declares that a violation of the Act constitutes an unfair trade practice under the Maine Unfair Trade Practices Act.
- Requires the State AG to provide notice of an intended action at least 30 days before the commencement of the action and grants businesses an opportunity to confer with the State AG as to the intended action.
KEY AMENDMENT PROPOSALS TO EXISTING STATE LAWS
Texas
1. Bill Title: House Bill 5495
2. Date of Introduction: March 14, 2025
3. Current Status: As of March 21, 2025, HB 5495 has been filed (3/14/25).
4. Key Provisions:
- Updates the “Consumer Rights” and “Enforcement” sections of Texas’ comprehensive data privacy law.
- Defines a “global privacy control” as “a browser plug-in, privacy setting, device setting, or other mechanism that communicates or signals a consumer’s decision not to have the consumer’s data sold, shared, or disclosed.”
- Requires controllers to enable web browsers to automatically recognize and comply with a consumer’s global privacy control choices.
- Continues to recognize the law’s 30-day cure period before the Attorney General takes action.
- Imposes a $5,000 fine for each violation of the global privacy control requirement, but provides the court discretion to impose a higher amount “if a person repeatedly violates” the requirement.
- This amendment would take effect on September 1, 2025.
UPDATES ON EXISTING PROPOSALS
As noted above, Kentucky Governor Andy Beshear signed HB 473 into law on March 15 after the bill unanimously passed the Kentucky Senate on March 12. The bill amends Kentucky’s Consumer Data Protection Act to create an exemption for information governed by HIPAA and require data protection impact assessments for profiling that presents “a reasonably foreseeable risk” of “unlawful, disparate impact on consumers.” Prior to the passage of HB 473, Kentucky’s Consumer Data Protection Act required data protection impact assessments for certain profiling activities, including “unfair or deceptive treatment” as well as “disparate impact on consumers,” with HB 473 only adding “unlawful” to the pre-existing profiling activities outlined.
Committee Referrals
- An amended version of Arkansas SB 258 was re-referred to the Arkansas Senate Transportation, Technology, and Legislative Affairs Committee after the amendment was read for a second time and adopted on March 13, 2025. To date, SB 258 has been amended twice.
- Georgia SB 111 was referred to the Georgia House Technology & Infrastructure Innovation Committee on March 4, 2025, after the Georgia Senate passed and adopted the bill with a 53-2 vote split between the “yea’s” and “nay’s.”
Hearings, Meetings, and Work Sessions
- On March 7, 2025, West Virginia HB 2987 underwent a markup discussion in the West Virginia House Energy and Public Works Committee. HB 2987 was previously referred to the West Virginia House Energy and Public Works Committee on February 26, 2025.
Bill Deaths
- Hawaii’s Consumer Data Protection Act (SB 1037) died after it failed to make it out of the Hawaii Senate before Hawaii’s crossover deadline on March 6, 2025.
- Washington HB 1671 died after it failed to make it out of the Washington House before Washington’s crossover deadline on March 12, 2025.
* Unless otherwise noted in the summaries above, the following entities and data types are typically exempted from compliance with these comprehensive privacy laws: government entities; higher education institutions; nonprofit organizations; covered entities, business associates, and protected health information subject to HIPAA; financial institutions and data governed by the GLBA; personal data governed by the Fair Credit Reporting Act (FCRA), the Family Educational Rights and Privacy Act (FERPA), and the Driver’s Privacy Protection Act (DPPA); and certain employment-related information.