US State Privacy Legislation Updates

This page is intended to help our clients stay informed about the ongoing changes in state privacy laws. It is provided for general informational purposes only and should not be construed as legal advice.

Last Updated: 4.24.25

The Basics:

By 2026, 19 states will have comprehensive privacy laws in place. These laws are designed to strengthen protections around sensitive personal information and impose new responsibilities on businesses that handle this type of data.

Here are some key takeaways:

  • Every law includes rules for handling sensitive personal information.
  • California, Iowa, and Utah will give consumers the right to opt out of certain uses of their sensitive data.
  • All other states will require businesses to obtain opt-in consent before processing sensitive personal information.

As part of its commitment to compliance, Alesco Data will begin filtering sensitive personal information in the following states starting Q4 of 2024, ahead of the laws taking effect on January 1, 2025:

  • Delaware
  • Nebraska
  • New Hampshire
  • New Jersey

Alesco Data already filters sensitive data in Colorado, Connecticut, Florida, Montana, Oregon, Texas, and Virginia.

What Does "Processing" Mean?

In the context of state privacy laws, “processing” refers to any action taken with personal data, whether done manually or through automated systems. This includes a wide range of activities such as:

  • Collecting

  • Using

  • Storing

  • Disclosing

  • Analyzing

  • Modifying

  • Deleting

Even something as simple as storing sensitive personal information qualifies as processing under these laws. The definition is intentionally broad to ensure comprehensive coverage of how data is handled.

What is Considered Sensitive Personal Information?

All 19 states with comprehensive privacy laws define sensitive personal information, although the specifics can vary. Here is a breakdown for California and for the other states:

California’s Definition of Sensitive Personal Information

Under California law, the following are considered sensitive:

  1. Social Security numbers, driver’s license numbers, state ID cards, and passport numbers
  2. Account log-ins, financial account details, debit or credit card numbers, when combined with access codes or passwords
  3. Precise geolocation data
  4. Racial or ethnic origin, religious or philosophical beliefs, or union membership
  5. Contents of mail, email, or text messages not intended for the business
  6. Genetic data
  7. Biometric information used to uniquely identify a consumer
  8. Health-related information
  9. Information regarding a consumer’s sex life or sexual orientation

Definition in Other States

In the other 18 states, sensitive personal information typically includes:

  1. Racial or ethnic origin
  2. Religious beliefs
  3. Sexual orientation
  4. Citizenship or immigration status
  5. Biometric or genetic data
  6. Health information (including medical history, conditions, treatments, or diagnoses)
  7. Personal data from known children
  8. Precise geolocation within a radius of 1,750 feet or less*

*Note: Geolocation thresholds may vary slightly by state.

*Colorado does not include precise geolocation in its definition of sensitive personal information.

Additional Notes on State-Specific Definitions

Several states go beyond the standard definition and include additional data points as sensitive personal information:

  • Consumer health data – Maryland

  • Information about a person’s sex life – Delaware, Maryland, Montana, New Hampshire, New Jersey, Rhode Island

  • Status as transgender or nonbinary – Delaware, Maryland, New Jersey, Oregon

  • Financial information, including account numbers, log-in credentials, and access details that could allow access to a financial account – New Jersey

  • Status as a victim of crime – Oregon

Obligations Prior to Processing Sensitive Data

Opt-Out States: California, Iowa, and Utah

In California, Iowa, and Utah, businesses may process sensitive personal information unless and until a consumer chooses to opt out.

Key requirements:

  • Businesses must provide clear notice to consumers.

  • Consumers must be given a meaningful opportunity to opt out before sensitive data is used.

  • Processing may continue until a consumer exercises their opt-out right.

Opt-In States: Colorado, Connecticut, Delaware, Indiana, Montana, Oregon, Tennessee, Texas, and Virginia 

In the remaining states, businesses must obtain opt-in consent before collecting or processing any sensitive personal information.

What this means:

  • The consumer must take affirmative action that is:

    • Freely given

    • Specific

    • Informed

    • Unambiguous

  • Without this consent, businesses cannot process sensitive personal data.

Special Note – Maryland:
Maryland has strict rules prohibiting the sale of sensitive data, even if opt-in consent has been obtained.

Florida Digital Bill of Rights (Effective July 1, 2024)

Florida’s law is not considered a comprehensive privacy law because its scope is limited to very large companies. It only applies to businesses that:

  1. Are for-profit and conduct business in Florida
  2. Collect or determine the purpose of processing personal data about consumers
  3. Have annual gross revenue over $1 billion

And meet at least one of the following criteria:

  • Derive 50% or more of global revenue from online ad sales, including targeted advertising

  • Operate a voice-activated smart speaker service (not including in-vehicle systems)

  • Operate an app store or digital platform offering 250,000+ downloadable apps

Despite its narrow scope, Florida’s law does prohibit the sale of sensitive personal information without opt-in consent for any business that:

  • Is for-profit

  • Conducts business in Florida

  • Collects personal data from consumers or on behalf of another entity

Alesco’s Response:
To ensure compliance, Alesco will filter sensitive personal information in Florida in the same way it does in states that require opt-in consent.

What Steps is Alesco Taking to Remediate?

Alesco provides two types of data to clients:

  • Actual data: Directly collected from or provided by a consumer

  • Modeled data: Created through analytics and inferences using multiple actual data sources

Challenges with Modeled Data:

Modeled data is not collected directly from consumers, making opt-in consent impractical or impossible.

 

How Alesco Is Responding:

  • California, Iowa, Utah:
    No product changes are required unless a consumer opts out. If they do, Alesco will process that request as a deletion, following current procedures.

  • Opt-In States:

    • Alesco is working with its data sources to determine whether affirmative, opt-in consent can be obtained for actual data.

    • If consent cannot be obtained for a specific data element, that element will be filtered from Alesco’s data products before delivery.

    • Alesco is also reviewing and clarifying data element names to prevent confusion. For example, modeled elements referencing specific holidays may be grouped under a broader label like “Winter Holiday.”

    • If naming updates don’t resolve concerns, those modeled elements will also be filtered.

Bottom line:
Alesco is committed to delivering data products that are fully compliant with all state privacy laws as they go into effect.

State Privacy Law Map

This map tracks the current status of privacy law statutes and bills across the US.
