State Cybersecurity Law Updates in 2025 — and What’s Coming in 2026

Data breach notification laws have existed in the United States for more than two decades, and for the past four years every U.S. state has had some form of breach notification statute. These laws are far from static; states continue to amend them to reflect new technologies, new categories of sensitive data, and evolving expectations around transparency and accountability after a security incident.

In 2025, two states made particularly important amendments to their cybersecurity and data breach notification laws: New York and Oklahoma. These changes highlight broader national trends that organizations should keep in mind as additional state privacy laws take effect in 2026.

 

New York: Expanded definition of “personal information” and Notification Deadline

 

Medical and health insurance information

New York significantly broadened its data breach notification law for 2025 by adding “medical information” and “health insurance information” to the definition of personal information, under General Business Law § 899-aa. For entities not already covered by HIPAA, this will have meaningful consequences.  

New 30-Day Notification Deadline

 

New York also added a 30-day deadline to notify affected individuals following a data breach. Previously, the statute required notification only as “expediently as possible and without unreasonable delay,” leaving room for interpretation. The new deadline removes that ambiguity and places added pressure on incident response teams to investigate, assess scope, and prepare notices quickly.  

For HIPAA covered entities, individual breach notifications must be delivered within 30 days rather than the 60-day period required by HIPAA, and covered entities must still notify the Attorney General within five business days of notifying the US Secretary of Health and Human Services, plus the NY State Police and NY Department of State.

 

Oklahoma: Modernized Breach Law for Emerging Data Risks

 

Oklahoma’s lawmakers also made notable amendments to its data breach notification statute in the past year, bringing it more in line with modern cybersecurity realities.

 

Expanded Categories of Personal Information

 

Oklahoma expanded its definition of “personal information” to include:

• Biometric identifiers, such as fingerprints or other biometric data used for identification or authentication; and
• Unique identifiers associated with a financial account, when combined with a required security code, password, or passcode

These additions reflect the growing use of biometrics and digital credentials — and the serious risks posed when they are compromised.

New Attorney General Notification Requirement

Like many states, Oklahoma now requires organizations to notify the state Attorney General when a breach affects more than a certain number of residents (in this case 500). Deadline: Notice must be provided to the Attorney General within 60 days. This change ensures state authorities have visibility into large-scale incidents.

Clarifying the Encryption Safe Harbor

Many state breach laws do not treat encrypted data as “breached” unless the encryption keys are also compromised. Oklahoma has formally adopted this approach. Under the amended law, encrypted data triggers breach notification obligations only if the encryption keys are accessed or obtained as well. This aligns Oklahoma with the majority of states and reinforces the importance of strong encryption and key-management practices.

A New Safe Harbor

In 2023, Oklahoma created an affirmative defense to tort claims if the breached entity has a cybersecurity program that meets certain criteria. Starting in January 2026, it has added a further safe harbor against statutory civil penalties, which cuts the penalty in half (from $150K to $75K) if the entity has “reasonable safeguards” and gives notice as required by the statute.

Oklahoma’s reasonable safeguards include risk assessments, technical and layered defenses, employee training and incident response plan. 

New Small Business Safe Harbor in Texax

Everything’s bigger in Texas, except this: A new safe harbor from punitive damages in a cybersecurity lawsuit applies only for businesses with fewer than 250 employees. In order to take advantage of it, a company must adopt a recognized cybersecurity framework like NIST or ISO.

These safe harbors are in addition to other states that have safe harbors already: Ohio (Safe harbor from tort claims if a recognized cybersecurity framework is used, e.g., NIST, 2018); Connecticut (defense against punitive damages, 2021); Tennessee (safe harbor from class actions (May 2024); and Utah (2021). On a side note: Tennessee is the only state I’m aware of with safe harbors for privacy and cybersecurity claims. Tennessee has a safe harbor against a cybersecurity class actions as long as the incident was not caused by willful/wanton conduct or gross negligence. Tennessee also has a safe harbor against privacy violations if the entity has adopted and implemented the NIST privacy framework.

 

Broader Trends and Looking Ahead to 2026

 

These amendments underscore several nationwide trends:

• States are expanding what counts as protected personal information, especially health data, biometrics, and digital identifiers.
• Legislatures continue to move away from flexible standards toward clear notification deadlines.
• Attorney General notification requirements are becoming more ubiquitous.
• Encryption remains a critical safeguard — but only if keys are properly protected.

Looking ahead to 2026, several states will implement comprehensive data protection laws that go beyond breach notification and regulate how personal data is collected, used, shared, and retained. Together with ongoing amendments to breach statutes, this means organizations must track not only new laws, but also incremental changes to existing ones.

 

 

 

New State Privacy Laws Coming In 2026

 

New State Privacy Laws to Watch in 2026 

As we saw in Part 1 of this series, 2025 brought several important changes to state privacy laws, but more will arrive in the new year.  In 2026, three more state privacy laws take effect, and two states will roll out sweeping amendments. Here’s what to expect:

New laws effective January 1, 2026: Indiana, Kentucky, and Rhode Island

Each of these three states will add to the growing patchwork of comprehensive state privacy laws. If these laws will apply to your organization, and you have not already begun preparing, you should do so now. Below are the highlights:

• The Indiana Consumer Data Protection Act will apply if 100,000 residents' personal information is collected by a company (or just 25,000, if 50% of the company's revenues come from selling data).  The consumers' rights include the right to know various things including what information has been collected and shared, the right to access the consumer's information, the right to correct inaccuracies, the right to instruct the company to delete the consumer's information, and the right to opt-out of (i) the sale of the consumer's information, (ii) targeted advertising, and (iii) profiling.  Sensitive personal information can only be handled based on affirmative consent (opt-in).  It becomes effective January 1, 2026, and will be enforced by the Attorney General (with a 30 day cure period available). 

• The Kentucky Consumer Data Privacy Act applies if 100,000 residents' personal information is collected by a company (or just 25,000, if 50% of the company's revenues come from selling data).  The consumers' rights include the right to know various things including what information has been collected and shared, the right to access the consumer's information, the right to correct inaccuracies, the right to instruct the company to delete the consumer's information, the right to have data deleted, and the right to opt-out of (i) the sale of the consumer's information, (ii) targeted advertising, and (iii) profiling.  Sensitive personal information and children’s information can only be handled based on affirmative consent (opt-in).  It becomes effective January 1, 2026, and will be enforced by the Attorney General (with a 30 day cure period available). 

• The Rhode Island Data Transparency and Privacy Act applies if just 35,000 residents' personal information is collected by a company (or just 10,000, if 20% of the company's revenues come from selling data).  The consumers' rights include the right to know various things including what information has been collected and shared, the right to access the consumer's information, the right to correct inaccuracies, the right to instruct the company to delete the consumer's information, the right to have data deleted, and the right to opt-out of (i) the sale of the consumer's information, (ii) targeted advertising, and (iii) profiling.  Sensitive personal information and children’s information can only be handled based on affirmative consent (opt-in).  It becomes effective January 1, 2026, and will be enforced by the Attorney General (with no right to cure). 

Upcoming Amendments: Connecticut

The Connecticut Data Privacy Act was amended in a variety of important ways.

• The Act’s applicability threshold will be reduced to just 35,000 residents, but there is no minimum threshold when it comes to processing sensitive data or selling consumer personal data.
• The exemption for financial institutions subject to the Gramm-Leach-Bliley Act (federal financial law) is removed and replaced with a data-level exemption for personal financial information subject to GLBA.
• Connecticut expanded the definition of "consumer health data“ to include “health status.” The definition of sensitive data now includes disability or treatment, status as nonbinary or transgender, information derived from genetic or biometric information, neural data, certain financial account and payment card data, and government ID numbers (like SSN). Sensitive personal data processing will require consent. Consumers will have the right to obtain a list of third parties to whom personal data was sold.
• Consumers will have the right to question profiling results, be informed of the reasons for profiling decisions, review personal data used for profiling, and correct incorrect data used in profiling decisions about housing.
• Consent will be required for processing or selling sensitive data.
• Minors under 18 will be treated as children for purposes of the sale of data or targeted advertising.
• Impact assessments will be required for processing related to profiling.
• Privacy notices will require detailed information, such as categories of personal data sold and disclosures about targeted advertising. Importantly, companies must give notice if they are collecting personal data for the purpose of training an LLM.

Amendments to the Oregon Consumer Data Privacy Act (effective January 1, 2026) focus on minors and automobiles: 

• The covered age for a minor increases to 15.
• It prohibits processing personal data for targeted advertising, sale, or profiling used for legally significant decisions when the controller knows that the consumer is a minor (or willfully disregards age).
• Motor‑vehicle manufacturers and affiliates are specifically covered for personal data collected from the use of a vehicle or any vehicle component. Automakers must honor a consumer's request to (i) delete personal data, (ii) provide a copy of their data, and (iii) stop selling their data or using it for targeted advertising.
• The amendments also prohibit "selling" data about a person's precise geolocation without consent.
• These five state law changes in particular will affect the privacy law landscape in the U.S. in ways that will have meaningful effects on many companies.  

In the next post in this series, we'll look at state cybersecurity law changes in 2025 and 2026. 

2025 in Cybersecurity and Privacy Law - New State Privacy Laws

2025 has been an eventful year in privacy and cybersecurity law, with many changes at the state, federal and international levels, affecting almost every sector of the economy.  If you haven't been paying very close attention throughout the year, you may have missed some important changes.  In a series of blog posts (beginning with this one), I'll summarize the key changes you need to know.

Part 1 - State Privacy Laws

State privacy laws have been trickling out over the past five years, and by this time last year, comprehensive privacy laws were already in effect in several states, such as California, Colorado, Connecticut, Florida, Montana, Texas, Utah, Virginia and Washington.

Over the course of the year, laws in Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, Tennessee have become effective (shown in green below), as well as significant amendments to existing privacy laws in California, Colorado and Virginia.  

At a very high level, the key provisions of these new laws are as follows: 

• Delaware's Personal Data Privacy Act applies if a mere 35,000 residents' personal information is collected by a company (or just 10,000, if 20% of the company's revenues come from selling data).  The consumers' rights include the right to know various things including what information has been collected and shared, the right to access the consumer's information, the right to correct inaccuracies, the right to instruct the company to delete the consumer's information, the right of data portability, and the right to opt-out of (i) the sale of the consumer's information, (ii) targeted advertising, and (iii) profiling.  It became effective January 1, 2025. 
• Iowa's statute applies if 100,000 residents' personal information is collected (or 25,000 if 50% of the company's revenues come from selling data).  The consumer rights include the right to know, access, correct, delete, portability, and to opt-out of sale/ads/and sensitive personal information (not an opt-in structure, unless the consumer is known to be a child.)  There is no right to correct.  It became effective January 1, 2025. 
• Maryland's statute also applies if a mere 35,000 resident's personal information is collected (or 10,000 if 20% of the company's revenues come from selling data).  The consumer rights include the right to know, access, correct, delete, portability, and to opt-out of sale/ads/profiling (not an opt-in structure.)  It became effective October 1, 2025. As we'll explore later, Maryland's law has some other unique provisions. 
• Minnesota's statute applies if 100,000 residents' personal information is collected (or 25,000 if 25% of the company's revenues come from selling data).  The consumer rights include the right to know, access, correct, delete, portability, and to opt-out of sale/ads/profiling (not an opt-in structure.) An opt-in is required for collecting sensitive personal information or information about a known child.  It became effective July 31, 2025. 
• Nebraska's statute applies to any company doing business in Nebraska that isn't a small business as defined by the SBA.  The consumer rights include the right to know, access, correct, delete, portability, and to opt-out of sale/ads/and sensitive personal information (not an opt-in structure, unless the consumer is known to be a child.)  It became effective January 1, 2025. 
• New Hampshire's statute is triggered if just 35,000 residents' personal information is collected (or 10,000 if 25% of the company's revenues come from selling data).  The consumer rights include the right to know, access, correct, delete, portability, and to opt-out of sale/ads/profiling.  An opt-in is required for sensitive personal information or for collecting information about a child.  It became effective January 1, 2025.
• New Jersey's statute applies if 100,000 residents' personal information is collected (or 25,000 if the company earns revenues or discounts from selling data).  The consumer rights include the right to know, access, correct, delete, portability.  An opt-out is required for the sale of information, profiling, and targeted ads, but an opt-in is required for sensitive personal information, and for the sale of information, profiling, or targeting ads to teens.  It became effective January 15, 2025.
• In Tennessee, the law applies if the company's revenues exceed $25,000,000 and at least 175,000 residents' personal information is collected, or if 25,000 residents' information is collected and 50% of the company's annual gross revenues come from selling personal information.  The consumer rights include the right to know, access, correct, delete, portability.  An opt-out is required for the sale of information, profiling, and targeted ads, but an opt-in is required for sensitive personal information, or to collect information about a child.  It became effective July 1, 2025.

Beyond these basic contours, a few state privacy statutory changes stand out:

In a clear reaction to the US Supreme Court's decision in Dobbs, Virginia amended its privacy law effective July 1, 2025 to make it unlawful to obtain, disclose, sell or disseminate any personally identifiable reproductive or sexual health information (other than health information under HIPAA) without the consent of the consumer.  Other states (e.g., California, Washington, Maryland) are also amending their laws to provide more protections for reproductive and sexual health data. 

California amended the California Consumer Privacy Act effective January 1, 2025, to create a new subcategory of "sensitive data" called "neural data," which means “information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.”  It's interesting to see California looking ahead to provide privacy protections as neural implants and brain scans are quickly developing. 

Colorado amended its privacy law in two important ways:  First, the age of a minor was increased from 13 to 18 (effective October 1, 2025). Data collection from minors requires a special data protection assessment, and the company must take reasonable care to avoid harming a minor's privacy.  In addition, there are prohibitions on processing minor’s data for certain purposes, such as targeted advertising, profiling, sale, or processing precise geolocation data, with limited exceptions.  Like some of the Age-Appropriate Design Code laws we've seen recently, the Colorado amendments prohibit using any design feature to significantly increase, sustain, or extend a minor’s use.  The other key change to Colorado law involves biometric data (effective July 1, 2025).  It requires consent for collecting biometric data, including from employees for most purposes), as well as a data protection impact assessment.  There must be a written, publicly-available policy, with retention requirements, limits on collection of biometric identifiers, among other things. Companies cannot refuse to provide a service to a person who does not agree to provide their biometric data unless the biometric data is necessary to provide the service. The biometric data requirements apply without regard to thresholds, but a consumer's right of access to biometric data only applies to companies that meet the general thresholds of the Colorado Privacy Act (100,000 consumers or 25,000 consumers/earn revenue or receive a discount on goods or services from the sale of personal data).

Finally, the most impactful state privacy law change this year might be Maryland's new Online Data Privacy Act (MODPA).  First, the threshold is low--just 35,000 consumers or 10,000 consumers if 20% of gross revenue comes from the sale of personal data.  There is also a prohibition on processing personal data of minors for targeted advertising or selling personal data if the company knew or should have known that the consumer was under the age of 18 years old.  Consumer health data receives special protections in Maryland, and that term includes data regarding reproductive or sexual healthcare, both of which are broadly defined. There is also a restriction on geofencing (using technology to establish a virtual boundary) within 1,750 feet of a mental health facility or sexual or reproductive health facility for the purpose of tracking, identifying, collecting data from or sending a notification to the consumer regarding the consumer’s health data.  Perhaps most remarkable of all is Maryland's enhanced data minimization requirement. The statute limits collection of personal data to what is reasonably necessary and proportionate “to provide or maintain a specific product or service requested by the consumer."  This seems more restrictive than the phrase used in other comprehensive state privacy laws (“in relation to the specified purposes for which the data are processed”). When it comes to sensitive personal data, the statute prohibits processing unless it is strictly necessary.  Sensitive Data includes consumer health data, genetic and biometric data, personal data of a child, precise geolocation data, and data revealing racial or ethnic origin, religious beliefs, sex life, sexual orientation, status as transgender or nonbinary, national origin, or citizen or immigration status. It will be very interesting to see how Maryland's Attorney General and courts enforce this strict new data minimization requirement.

Stay tuned for Part 2....

(Thanks to Karin McInnis of Moore & Van Allen for partnering with me on a recent continuing legal education seminar summarizing 2025 and 2026 changes in privacy and cybersecurity law.  This series is based on that CLE and her excellent contributions.)