State Opt-Out Requirements for 2025

Expanding State Data Privacy Laws

Privacy regulations in the United States have expanded dramatically by 2025. What began as a single state law in California has grown to include 15 states with varying requirements. Each state has created its own approach to consumer opt-out rights.

This expansion reflects growing public concern about data privacy. It also shows increasing regulatory attention to how businesses handle consumer information. Understanding the differences between these regulations is crucial for effective compliance.

Table of Contents

Established Privacy Frameworks

California
Virginia
Colorado
Connecticut
Utah
Texas
Nevada

New Privacy Laws in 2025

Delaware
Iowa
Nebraska
New Hampshire
New Jersey

Additional States Coming Later in 2025

Tennessee
Minnesota
Maryland

Understanding Key Privacy Concepts and Definitions

Definition of Personal Information
Definition of "Sale"
Definition of Targeted Advertising
Definition of Profiling
Definition of Sensitive Data

Types of Privacy Opt-Out Requirements

Data Sale Opt-Out Requirements
Targeted Advertising Opt-Out Requirements
Data Sharing Opt-Outs (California-Specific)
Profiling Opt-Outs

Consumer Opt-Out Mechanism Requirements

Website Mechanisms
Universal Opt-Out Signals
Timing Requirements
Anti-Deceptive Interface Provisions

Established Privacy Frameworks

California (CCPA/CPRA)

California pioneered comprehensive consumer privacy rights in the United States. The California Consumer Privacy Act (CCPA), enhanced by the California Privacy Rights Act (CPRA), created a robust framework. Many other states have used it as inspiration.

Key features of California's framework include:

• Broad definition of "sale" covering both monetary and non-monetary exchanges
• Required "Do Not Sell or Share My Personal Information" link
• Mandatory recognition of Global Privacy Control (GPC) signals
• Regulatory oversight shared between the Attorney General and the California Privacy Protection Agency
• Specific rules against deceptive design patterns that impair privacy choices

The California model has influenced other states while maintaining unique elements. This makes compliance particularly important for businesses operating in the nation's largest state economy.

Virginia (CDPA)

Virginia's Consumer Data Protection Act took effect in January 2023. It differs from California in several key aspects:

• Narrower definition of "sale" limited to monetary exchanges
• More business-friendly exemptions
• Consumer rights structured in a way that many subsequent state laws have copied
• No requirements for browser-based universal opt-out signals
• Specific protections for sensitive data categories

Virginia's approach balances consumer privacy with business practicality. It has created a framework that many other states have followed.

Colorado (CPA)

Colorado implemented a privacy framework with several distinctive features:

• Universal opt-out signal recognition, required as of July 2024
• Consumer right to opt out of profiling for significant decisions
• A broader definition of "sale" similar to California
• Phased implementation, allowing businesses to adapt
• Rules requiring the minimum amount of personal data collection

Colorado's requirement that businesses recognize universal opt-out mechanisms presents a significant technical challenge. This requirement has influenced how many businesses approach privacy compliance across all states.

Connecticut (CTDPA)

Connecticut closely follows Colorado's model with these key elements:

• Universal opt-out signal requirements, effective in 2025
• Enhanced protections for sensitive data categories
• Consumer rights to opt out of targeted advertising
• Profiling restrictions similar to Colorado
• Comprehensive consent requirements

Connecticut's approach combines elements from several other state frameworks while adding unique protections for state residents.

Utah (UCPA)

Utah's Consumer Privacy Act takes a more business-friendly approach:

• Applies to fewer businesses because it requires higher revenue and data processing volumes to trigger compliance obligations
• Limited definition of "sale" similar to Virginia
• Streamlined consumer rights framework
• Fewer compliance burdens for smaller businesses
• Simplified consumer request process

Texas (TDPSA)

Texas adopted a hybrid approach with the Texas Data Privacy and Security Act:

• Elements from both Virginia and Colorado frameworks
• Industry-specific exemptions
• Sale and targeted advertising opt-out requirements
• Customized approach reflecting Texas business interests
• Phased implementation timeline

Texas exempts specific industries from certain requirements to protect consumers while supporting business growth.

Nevada

Nevada implemented a narrower law focused specifically on online sales:

• Limited to online operators
• Narrow focus on sales of personal information
• Predates most comprehensive state frameworks
• Simplified compliance requirements
• Less extensive consumer rights compared to newer laws

Nevada's early entry into privacy regulation focuses primarily on online data sales rather than comprehensive privacy protections.

New Privacy Laws in 2025

January 2025 marked a significant expansion of privacy regulations with five new state laws taking effect:

Delaware

Delaware's Personal Data Privacy Act closely follows Virginia's model with:

• Enhanced protections for sensitive data categories
• Virginia-style framework for consumer rights
• Similar exemptions to the Virginia model
• A balanced approach to regulatory requirements
• Rules requiring businesses to collect only the minimum amount of personal data

Iowa

Iowa implemented a business-friendly approach to privacy:

• Higher thresholds for businesses subject to the law
• Required opt-out mechanisms for sales and targeted advertising
• More limited consumer rights compared to California
• Focus on transparency in data practices
• Streamlined compliance requirements

Nebraska

Nebraska's Consumer Data Privacy Act features:

• Comprehensive opt-out framework
• Specific provisions targeting data brokers
• Consumer rights modeled after Virginia
• Clear guidelines on business responsibilities
• Reasonable security requirements

New Hampshire

The New Hampshire Information Privacy Act implemented:

• Comprehensive opt-out requirements effective January 1
• Substantial consent requirements for sensitive data
• Clear disclosure obligations
• Consumer rights to access and delete personal information
• Rules requiring businesses to collect only the minimum amount of personal data

New Jersey

New Jersey's privacy law became effective January 15, featuring:

• Broad requirements for honoring consumer privacy choices
• Robust enforcement mechanisms
• Comprehensive definition of personal information
• Detailed compliance obligations
• Specific security requirements
•  

Additional States Coming Later in 2025

Later in 2025, three more states will implement privacy laws:

Tennessee (effective July 1, 2025)

Tennessee's law employs a tiered approach to business compliance based on data processing volume. This balances regulatory requirements with business capabilities.

Minnesota (effective July 31, 2025)

Minnesota combines opt-out rights with specific data security requirements. It emphasizes both consumer choice and data protection.

Maryland (effective October 1, 2025)

Maryland's approach emphasizes transparency and consumer choice through comprehensive opt-out mechanisms and clear disclosure requirements.

Understanding Key Privacy Concepts and Definitions

Definition of Personal Information

Most state privacy laws define personal information broadly. Personal information includes any data that names a person, describes them, or connects to them or their home.

This includes:

• Direct identifiers (names, email addresses, government IDs)
• Indirect identifiers (IP addresses, device IDs, cookies)
• Geolocation data (precise location information)
• Biometric information
• Professional or employment information
• Education information
• Internet activity information
• Inferences drawn from other personal information

The broad definition covers more than traditional personally identifiable information (PII). This creates broader compliance obligations.

Definition of "Sale"

How states define "sale" creates significant differences in compliance requirements:

California's Broad Definition

California considers it a 'sale' when businesses exchange personal information for money or other benefits.

Virginia and Utah's Narrow Definition

These states limit "sale" to exchanges of personal information for monetary consideration only, excluding many data-sharing arrangements.

Colorado, Connecticut, and Texas

These states follow California's broader approach. They include valuable non-monetary considerations, capturing more data-sharing activities.

These definitions require businesses to carefully track how they share consumer data and implement state-specific compliance measures.

Definition of Targeted Advertising

Targeted advertising generally refers to displaying advertisements based on personal data obtained from a consumer's activities over time and across different websites or applications.

Key elements include:

• Cross-context tracking
• Building consumer profiles
• Personalization based on browsing behavior
• Ad selection based on inferred interests or characteristics

All major state privacy laws now allow consumers to opt out of targeted advertising. The specific definitions and implementation requirements vary by state.

Definition of Profiling

Profiling involves the automated processing of personal data to evaluate, analyze, or predict aspects of an individual's behavior, preferences, interests, or characteristics.

Colorado and Connecticut let consumers stop automated decisions about important matters like:

• Employment eligibility
• Financial services opportunities
• Housing eligibility
• Educational opportunities
• Healthcare access

Definition of Sensitive Data

State laws generally define sensitive data as categories requiring special protection, including:

• Racial or ethnic origin
• Religious beliefs
• Health data
• Sexual orientation
• Genetic or biometric data
• Precise geolocation
• Children's data
• Financial account numbers
• Government identifiers

Most state privacy laws require explicit consent for processing sensitive data. This creates additional compliance obligations beyond standard opt-out requirements.

Types of Privacy Opt-Out Requirements

Data Sale Opt-Out Requirements

All comprehensive state privacy laws provide consumers the right to opt out of sales of their personal information. Practical implementation varies based on how each state defines "sale."

Example scenarios affected by varying definitions:

• Data appending services: Paying a company to enhance your customer data is a "sale" in all states.
• Advertising partnerships: Trading customer data for ad space is a "sale" in CA, CO, CT, and TX, not in VA and UT.
• Analytics services: Sharing data with tools that analyze it might be a "sale" in some states.

These differences significantly impact compliance strategies across states.

Targeted Advertising Opt-Out Requirements

All major state laws let consumers stop companies from using their data for targeted ads.

Implementation typically requires:

• Providing an explicit opt-out mechanism
• Communicating opt-out preferences to third-party advertising partners
• Halting data collection or sharing for advertising purposes
• Updating ad technology configurations
• Honoring opt-out preferences across platforms and devices

California addresses targeted advertising within its "sharing" concept. Other states make it a distinct opt-out category.

Data Sharing Opt-Outs (California-Specific)

California's CPRA uniquely established "sharing" as a specific opt-out category:

• Targets cross-context behavioral advertising specifically
• This applies even when no money changes hands
• Requires a "Do Not Sell or Share My Personal Information" link
• Closes loopholes in the original CCPA
• Represents an enforcement priority for California regulators

Sephora paid $1.2 million because they ignored customer opt-out requests. This shows regulatory seriousness about this requirement.

Profiling Opt-Outs

States like Colorado and Connecticut extend opt-out rights to include automated decision-making:

• Allows consumers to opt out of profiling for significant decisions
• Covers decisions affecting financial opportunities, employment, housing
• Requires implementation of technical mechanisms to honor these requests
• Involves reviewing automated decision systems
• Necessitates documentation of profiling activities and opt-out mechanisms

Consumer Opt-Out Mechanism Requirements

State privacy laws specify how businesses must implement opt-out mechanisms:

Website Mechanisms

Most states require:

• Clear, conspicuous links or buttons for opt-out requests
• Preference centers, allowing granular choices
• Simple forms for submitting requests
• Privacy policy disclosures about available opt-out rights
• Multiple methods for submitting requests

California specifically requires that business home pages prominently display a "Do Not Sell or Share My Personal Information" link.

Universal Opt-Out Signals

A significant trend is the requirement to honor universal opt-out mechanisms:

• California already requires recognition of Global Privacy Control (GPC) signals
• Colorado mandated compliance with universal opt-out signals as of July 2024
• Connecticut requires compliance in 2025
• Other states may follow this approach

These requirements mean businesses must automatically implement technical solutions to detect and honor browser-based privacy signals.

Timing Requirements

State laws specify how quickly businesses must honor opt-out requests:

• Most states require implementation within 45 days
• Extensions are sometimes available with notice
• Businesses must inform consumers when their requests have been processed
• Records of opt-out requests must be maintained
• Verification processes must not unduly burden consumers

Anti-Deceptive Interface Provisions

Several states prohibit using deceptive interfaces to undermine privacy choices:

• California explicitly bans practices that impair consumer choice
• Colorado includes similar provisions
• Other states have general prohibitions on deceptive practices
• User interfaces must not confuse or mislead consumers
• Companies cannot make opting out difficult or confusing for users.

Disclaimer: This guide provides general information about privacy regulations and does not constitute legal advice.