US states are strengthening their privacy laws: A look at Connecticut, Colorado, and Oregon

While the US seems unlikely to pass federal privacy legislation, the states are continuing to build on the protections afforded to consumers via comprehensive state privacy laws.

In late May 2025, several states passed or enacted amendments to their state privacy laws that broaden their applicability or impose new obligations on controllers.

Here’s a look at three particularly significant moves to improve consumer privacy standards in Connecticut, Colorado, and Oregon:

• Connecticut
• Colorado
• Oregon

Connecticut

The Connecticut Data Privacy Act (CTDPA) is among the stricter state privacy laws, and amendments passed by the state’s legislature late last month are set to make it even tougher.

Among other amendments, SB 1295:

• Substantially broadens the CTDPA’s scope, making the law applicable to entities that:
  • Control or process personal data about just 35,000 Connecticut consumers (originally 100,000)
  • Sell personal data
  • Process sensitive personal data
• Provides consumers with new rights to:
  • Obtain a list of third parties to whom a controller sells personal data
  • Contest significant decisions based on profiling, under certain conditions
• Provides a set of conditions under which controllers must obtain consent to use personal data for secondary purposes.

Colorado

The Colorado Privacy Act (CPA) was among the earliest wave of “Virginia-style” laws passed in 2021, and it has since been reinforced by regulations issued by the state’s Attorney General.

On 7 May 2025, the Colorado Governor signed SB 276, amending the CPA to add “precise geolocation data” (accurate to within 1,750 feet) to the law’s categories of “sensitive data” and prohibit controllers from selling sensitive data without consent.

These amendments formed part of a broader civil rights bill intended to protect consumers’ immigration status, and they bring the CPA closer in line with other states’ rules on sensitive data.

It’s worth noting, however, that the CPA already prohibited the “processing” of sensitive data without consent, and that the definition of “processing” already included the sale of sensitive data. As such, this amendment makes no practical difference.

Oregon

Oregon’s governor signed HB 3875 on 27 May, 2025, enacting an amendment to the Oregon Consumer Privacy Act (OCPA) that impacts the automotive industry.

The law broadens the OCPA’s scope, meaning that motor vehicle manufacturers and affiliates of motor vehicle manufacturers must comply with the law’s requirements if they collect personal data about Oregon consumers’ use of motor vehicles.

The bill arose out of concerns about the monetization of location and other data by car brands and means that consumers will now be allowed to opt out of the sale of personal data about their driving habits (among other rights).

On the same day, Oregon’s legislature also passed HB 2008. If signed by the governor, this bill would ban certain online activities relating to 13-15-year-olds (profiling, selling personal data, targeting ads) and prohibit the sale of precise geolocation data.