META DESCRIPTION: State legislatures advanced major privacy regulations from May 20-27, 2025, with Oregon, New Jersey, and California moving key data protection bills forward.

Privacy Regulations on the Move: State Legislatures Advance New Data Protection Measures

As state legislatures race to strengthen consumer privacy protections, the last week of May has seen significant movement on bills that could reshape how companies handle your personal data.

The digital privacy landscape is shifting beneath our feet, and if you blinked last week, you might have missed some critical developments. From Oregon's push to protect teens from targeted advertising to California's committee marathon ahead of key deadlines, state legislatures across the country are advancing a wave of privacy regulations that could fundamentally alter how businesses collect and use your personal information. These changes aren't just bureaucratic shuffling—they represent the front lines in the ongoing battle for digital rights in an age where data has become the new oil.

Oregon Takes Stand Against Teen Data Exploitation

In a significant move to protect younger internet users, the Oregon Senate passed House Bill 2008 on May 21, taking aim at how companies can use teenagers' personal information[1]. The bill specifically prohibits targeted advertising, profiling, and the sale of personal data when companies have actual knowledge or willfully disregard that the data belongs to consumers between 13 and 15 years old.

Think of it as a digital age restriction, similar to how we prevent teens from purchasing certain products in physical stores. The difference? This protection extends to their digital footprints, which can be far more revealing than their shopping habits at the mall.

The legislation also includes a notable ban on selling precise geolocation data for these young users—a particularly important protection in an era where location tracking has become ubiquitous. For parents concerned about their teenagers' digital privacy, this represents a meaningful step toward giving families more control over how tech companies monetize young people's online activities.

The bill had already cleared the House but was amended in the Senate, meaning it will need to return to the House for final approval before it can become law[1]. This back-and-forth legislative process highlights the careful balancing act lawmakers face when crafting privacy regulations that protect consumers without creating unworkable compliance burdens for businesses.

New Jersey Refines Its Privacy Framework

While Oregon focused on teen privacy, New Jersey took steps to fine-tune its existing privacy framework with unanimous Assembly passage of A 5017[1]. This amendment to the state's consumer data privacy law creates targeted exemptions for national securities associations and adds a data-level exemption specifically for insurance fraud detection activities.

These adjustments reflect the complex reality of implementing comprehensive privacy laws—sometimes legitimate business functions require careful carve-outs to ensure that privacy protections don't inadvertently hamper necessary services like fraud prevention. The unanimous vote suggests broad bipartisan recognition that privacy frameworks need ongoing refinement as their real-world impacts become clearer.

For New Jersey residents, these changes likely won't be immediately visible in their day-to-day digital experiences, but they represent important calibrations to ensure the state's privacy regime works as intended without creating unintended consequences for specific industries.

California's Privacy Legislation Marathon

May 23 marked a critical deadline in California's legislative calendar, as fiscal committees faced their last day to hear and report bills introduced in their respective chambers[1]. This deadline triggered significant movement on several privacy-related bills that could further cement California's position as the nation's leader in consumer data protection.

In the Senate, three notable bills cleared the Appropriations committee hurdle and advanced to the Senate floor:

• SB 690, which would amend the California Information Privacy Act
• SB 771, addressing social media regulations
• SB 354, the Insurance Consumer Privacy Protection Act of 2025

Meanwhile, SB 44, which would have regulated neural data from brain-computer interfaces, was held in committee—effectively stalling its progress for this legislative session[1].

California's privacy legislation often serves as a bellwether for national trends, as companies frequently implement California-compliant practices nationwide rather than maintaining different standards for different states. This means that even if you don't live in California, the privacy protections being debated in Sacramento could eventually benefit you as well.

The Bigger Picture: A Privacy Patchwork Taking Shape

The flurry of legislative activity last week is part of a broader trend that has been building momentum throughout 2025. With eight new data privacy laws scheduled to take effect over the course of this year[5], we're witnessing the continued evolution of a state-by-state approach to privacy regulation in the absence of comprehensive federal legislation.

This state-level activity creates both protections and challenges. On one hand, states are serving as laboratories of democracy, testing different approaches to privacy protection that can inform future efforts. On the other hand, the resulting patchwork of regulations creates compliance headaches for businesses operating across multiple states and confusion for consumers trying to understand their rights.

For businesses, the key challenge is staying ahead of these rapidly evolving requirements. Companies that have already adapted to existing privacy frameworks like the GDPR or California's earlier privacy laws have a head start, but even they must remain vigilant as new state laws introduce variations in requirements and enforcement mechanisms.

What This Means For You

As these privacy laws continue to advance through state legislatures, the practical impact for consumers will be increasingly visible in your daily digital interactions. You'll likely notice more detailed privacy notices, additional options to opt out of data collection practices, and potentially fewer instances of the most invasive tracking technologies.

However, the effectiveness of these protections will depend largely on how well they're implemented and enforced. State attorneys general will play a crucial role in ensuring compliance, and many will be eager to demonstrate that these new laws have real teeth[5].

For the average person, the most important takeaway is that your digital privacy rights are expanding, even if the process is happening in fits and starts across different states. The legislative developments of the past week represent incremental but meaningful progress toward giving you more control over your personal information in an increasingly data-driven world.

As we move forward, the key question remains whether this state-by-state approach will eventually give way to comprehensive federal legislation that could provide consistent protections nationwide. Until then, the privacy landscape will continue to evolve through the kind of state-level activity we saw last week—a complex but necessary process of defining digital rights for the 21st century.

REFERENCES

[1] Proposed State Privacy Law Update: May 27, 2025. Byte Back. (2025, May 27). Retrieved from https://www.bytebacklaw.com/2025/05/proposed-state-privacy-law-update-may-27-2025/

[2] US State Privacy Legislation Tracker. International Association of Privacy Professionals (IAPP). Retrieved from https://iapp.org/resources/article/us-state-privacy-legislation-tracker/

[5] 2025 State Privacy Laws: What Businesses Need to Know for Compliance. White & Case. (2025, January 21). Retrieved from https://www.whitecase.com/insight-alert/2025-state-privacy-laws-what-businesses-need-know-compliance