Since the passage of the California Consumer Privacy Act (CCPA) in 2018, many other U.S. states have followed suit by enacting comprehensive consumer data privacy laws of their own in rapid succession. While these state consumer privacy laws tend to have similar themes and address comparable topics, there are also important differences among them — meaning a one-size-fits-all data privacy program will not suffice. Given that the federal government has yet to pass a comprehensive consumer data privacy law, organizations must make it a priority to monitor this rapidly evolving regulatory environment and ensure they comply with the law of each applicable state.
While the privacy law landscape has been relatively quiet over the past few months, our latest chart update reflects three notable changes: (1) Montana and Connecticut revamped their privacy laws; (2) Kentucky expanded its Health Insurance Portability and Accountability Act (HIPAA)-related exemptions; and (3) Utah granted consumers the right to correct their personal information.
Montana recently passed legislation amending the Montana Consumer Data Privacy Act (MTCDPA), which will go into effect October 1, 2025. A high-level overview of some of the key changes includes:
- Applicability Thresholds: This amendment lowers the processing thresholds that trigger applicability of the MTCDPA. In addition, any person who conducts business in Montana or delivers commercial products or services intentionally targeted to minors under the age of 18 in Montana will be in scope for the MTCDPA’s provisions related to minors.
- Exemptions: This amendment narrows the exemptions for nonprofit organizations and entities subject to the Gramm-Leach-Bliley Act. It also adds an exemption for insurers, insurance producers, and third-party administrators.
- Opt-Out Mechanism: Following the lead of some other states, Montana will require businesses to provide consumers with an opt-out mechanism outside the privacy notice, such as a “Your Opt-Out Rights” or “Your Privacy Choices” link, to enable consumers to exercise their right to opt out of a sale of personal data or of targeted advertising.
- Restrictions Related to Minors: Montana added new requirements for controllers that offer an online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor under age 18. Such controllers may not, without consent: (i) sell the minor’s data or process the minor’s data for purposes of targeted advertising or profiling; (ii) process the data for any processing purpose other than the purpose disclosed at the time the controller collected the minor’s personal data or that is reasonably necessary for and compatible with that processing purpose; or (iii) process the data for longer than is reasonably necessary. There are also restrictions on collecting the minor’s precise geolocation.
- Enforcement: Montana no longer has a cure period for violations and permits the Attorney General to request a data protection assessment as part of a civil investigative demand. This amendment also specifies that violations of the law are subject to civil penalties of up to US$7,500 per violation.
Kentucky also recently passed legislation amending its consumer data privacy law, which will go into effect January 1, 2026. The amendment clarifies and expands the existing HIPAA exemption to exempt: (i) information collected by a HIPAA covered entity health care provider that maintains protected health information in accordance with HIPAA; and (ii) information included in a HIPAA limited data set to the extent used, disclosed, and maintained as specified in HIPAA. These are added to the already existing exceptions that apply broadly to HIPAA covered entities and business associates as well as HIPAA protected health information.
Similar to Montana, Connecticut recently passed substantive amendments to the Connecticut Data Privacy Act (CTDPA), which will go into effect on July 1, 2026. We provide a high-level overview of some of the key changes below:
- Applicability Thresholds: This amendment lowers the processing thresholds that trigger applicability of the CTDPA. In addition, any person that controls or processes Connecticut consumers’ sensitive data or offers consumers’ personal data for sale will now be in scope of the CTDPA.
- Exemptions: The amendment removes the entity-level exemption for entities subject to the Gramm-Leach-Bliley Act and replaces it with a narrower exemption for certain financial institutions. It also adds an exemption for insurers and insurance producers.
- Definition of Sensitive Data: This amendment expands the definition of sensitive data to include data revealing a consumer’s disability or medical treatment, status as nonbinary or transgender, information derived from genetic or biometric data, neural data, government identification numbers, and financial information (including account number, account login information, etc.) that grants access to a consumer’s financial account.
- Increased Transparency Regarding Profiling: This amendment grants consumers additional rights to access the personal data used for profiling, to review that data, and to correct inaccurate data if profiling is based on such data.
- Additional Obligations for Controllers: Connecticut’s amendment adds new obligations for controllers, including additional privacy notice requirements (e.g., a list of the categories of third parties with which personal data is shared), a requirement to provide an opt-out mechanism (i.e., a link that contains the word “privacy”) similar to Montana’s opt-out mechanism requirement described above, and new data privacy impact assessment obligations regarding profiling (e.g., whether such profiling presents a foreseeable risk of harm to a consumer).
Further, starting July 1, 2026, consumers in Utah will have the right to correct their personal information, which aligns with comprehensive consumer privacy laws in most other states.