New Privacy Laws: Age-Gating and Data Security in 2025

The regulatory landscape for data privacy is undergoing a seismic shift in 2024–2025. New privacy laws are accelerating regulations on age-gating, imposing strict limits on surveillance data collection, and mandating stronger data security and transparency requirements. This creates a rapidly fragmenting U.S. state landscape that companies must navigate for 2025–2026 compliance.

The Expanding Patchwork of State Privacy Laws

In the absence of a federal comprehensive privacy law, the United States is witnessing a surge in state-level legislation. By mid-2025, roughly 16–17 U.S. states had enacted comprehensive consumer privacy laws. This includes eight new state laws taking effect in 2025 alone, significantly increasing compliance complexity for businesses.

Compliance Complexity and Operational Challenges

This proliferation of laws creates a state-by-state patchwork that is operationally burdensome. Each jurisdiction has unique thresholds, definitions, and enforcement mechanisms. For example, Connecticut’s SB 1295 expanded applicability to controllers handling personal data of at least 35,000 consumers or sensitive data.

By mid-2025, roughly 16–17 U.S. states had enacted comprehensive consumer privacy laws, with eight new state laws taking effect in 2025 alone.

The following states implemented new comprehensive privacy laws in 2025, adding to the existing framework:

Delaware
Iowa
Maryland
Minnesota
Nebraska
New Hampshire
New Jersey
Tennessee

This fragmentation risk requires companies to maintain agile compliance programs. Staggered effective dates and mid-year amendments necessitate continuous monitoring and adaptation.

Age-Gating and Enhanced Protections for Minors

Legislatures and regulators in 2025 are focusing heavily on children’s and teen privacy. Historically, COPPA protected children under 13, but new laws expand age protection to include teens. Several states now require opt-in consent for collection or sale of teen data and prohibit targeted advertising to minors.

Shifting Baselines from COPPA

The trend is toward treating minors as under 16 or 18 in many laws. This shifts practices away from the COPPA baseline and mandates more robust age-gating flows and parental controls. Drivers include concerns about social media harms to teens, such as addiction and mental health issues.

Key provisions in new state laws regarding minor protection include:

Opt-in consent for processing teen data for advertising or sale
Bans on targeted advertising to minors
Expansion of protected age to under 16 or under 18
Enhanced parental controls and consent mechanisms

For instance, Connecticut’s SB 1295 prohibits targeted advertising to under-18s. This represents a significant expansion from traditional COPPA rules, impacting digital marketing strategies.

Surveillance Data Restrictions and Geolocation Bans

States are imposing new limits on the collection and use of surveillance-type data. Recent laws restrict the sale or collection of geolocation and biometric data and impose tougher rules for tracking technologies. This reflects growing public concern over pervasive monitoring.

Specific Restrictions on Surveillance Technologies

Companies using geolocation or biometric systems must audit their collection, retention, and consent processes. Some states ban the sale of geolocation data or restrict biometric collection without explicit consent. These measures aim to curb surveillance capitalism practices.

States are imposing new limits on collection/use of surveillance-type data: recent laws and amendments restrict sale/collection of geolocation and biometric data.

Practical implications include reassessing data inventories and vendor management. Rights to know third-party recipients and restrictions on data sale require up-to-date data mapping and contractual changes with processors.

Drivers Behind the New Privacy Regulations

Several factors are driving the rapid enactment of new privacy laws. Concerns about social media harms to teens, high-profile data breaches, and the growth of AI-driven profiling technologies are key catalysts. Political momentum at the state level continues while a federal solution remains uncertain.

Social Media and Mental Health Concerns

The link between social media usage and teen mental health issues has spurred legislative action. States are moving to protect minors from targeted advertising and excessive data collection that may exacerbate these problems. This has led to expanded teen privacy protections beyond traditional COPPA boundaries.

Data Breaches and Security Imperatives

Frequent data breaches have highlighted the need for stronger data security measures. New laws often include requirements for impact assessments and transparency to mitigate risks. For example, Florida’s law includes civil fines up to $50,000 per violation, which can triple if a company knowingly served minors.

Additionally, the proliferation of AI and automated decision-making systems has raised alarms about profiling and discrimination. This has led to expanded opt-out rights and algorithmic impact assessment requirements in several statutes, coupling privacy rules with AI governance.

Third-Party Transparency and the Right to Know

A significant trend in the new privacy laws is the demand for third-party transparency. States like Minnesota and Connecticut have introduced rights allowing residents to know the identities of third-party recipients of their personal data. This shift forces companies to provide unprecedented visibility into their data flows and downstream data sharing practices.

Operationalizing Data Flow Transparency

For businesses, this creates a profound operational challenge. To comply with new rights to know third-party recipients, organizations must maintain up-to-date data inventories and accurate data mapping. This requires robust vendor management programs and often, contractual amendments with processors and advertising partners. The goal is to enable consumers to see exactly where their information travels.

Minnesota’s law includes a specific right to know third-party recipients of personal data, reflecting the pace of mid-year rollouts in 2025 and the trend toward transparency about data flows.

Key actions companies must take to ensure third-party transparency compliance include:

Conducting detailed data mapping exercises to document all data sharing points.
Updating privacy notices to clearly explain categories of third-party recipients.
Revising vendor contracts to obligate partners to assist with consumer rights requests.
Implementing procedures to respond to individual requests for recipient information.

This movement toward data flow disclosure signals a broader regulatory intent to demystify the often-opaque ecosystem of data brokers and secondary data users, placing the burden of clarity squarely on data controllers.

Profiling, AI Governance, and Automated Decision-Making

As artificial intelligence and automated systems become ubiquitous, new privacy laws are increasingly incorporating AI governance requirements. Regulators are coupling traditional data privacy rules with new obligations around profiling and automated decisions that significantly affect consumers, such as in employment, credit, and housing.

Expanded Consumer Rights and Algorithmic Assessments

Several state statutes now provide consumers with expanded rights to opt-out of profiling and to understand the logic behind automated decisions. Furthermore, laws are beginning to mandate algorithmic impact assessments for high-risk processing activities. Connecticut's law, for example, expands opt-out rights for automated decisions and requires impact assessments for certain profiling that leads to legal or similarly significant effects.

The core components of new AI and profiling regulations within privacy laws include:

Expanded opt-out rights for consumers regarding automated decision-making.
Requirements for Data Protection Impact Assessments (DPIAs) for high-risk profiling.
Duties to provide meaningful information about the logic involved in significant automated decisions.
Mechanisms for consumers to challenge or correct inaccurate outputs from profiling.

This regulatory push addresses growing concerns about algorithmic bias, discrimination, and the lack of human oversight. Companies must now build governance frameworks that not only protect data but also ensure fairness and accountability in automated systems.

Enforcement, Penalties, and the Risk of Non-Compliance

With the expansion of new laws comes a significant strengthening of enforcement mechanisms and remedies. States are empowering regulators with new investigatory tools and, in some jurisdictions, creating private rights of action for consumers. The financial stakes for non-compliance have risen dramatically, making data security and adherence to these laws a critical business priority.

Financial Exposure and Civil Penalties

The potential fines for violations are substantial and vary by state. Florida’s targeted privacy measures, for instance, include civil fines up to $50,000 per violation. These fines can triple if a company is found to have knowingly processed data of minors in violation of the law, illustrating the heightened risk around age-gating failures.

Florida’s law includes civil fines up to $50,000 per violation and can triple fines if a company knowingly served minors—illustrating the potential financial exposure from noncompliance.

Common enforcement trends and penalty structures across state laws include:

Increased civil penalties per violation, often calculated on a per-consumer basis.
Cure periods that are shortening or being eliminated, reducing the grace for companies to fix issues.
Broad injunctive powers for attorneys general to mandate business practice changes.
In some states, the creation of dedicated privacy enforcement units within the attorney general's office.

This heightened enforcement landscape makes proactive compliance not just a legal necessity but a vital financial safeguard. Companies must prioritize building compliant programs rather than risking costly litigation and reputational damage.

Practical Compliance Steps for Technology Companies

Navigating the fragmented landscape of new privacy laws requires a strategic and operational response. From updating user experience to overhauling vendor contracts, businesses must take concrete steps to achieve compliance for 2025–2026. A reactive approach is no longer viable given the complexity and pace of regulatory change.

Auditing and Updating Age-Verification Systems

Firms must urgently reassess their age-gating flows and parental consent mechanisms. With many states now protecting teens up to age 18, simple checkboxes are insufficient. Companies need reliable methods to verify age and obtain verifiable parental consent where required. This often involves implementing more robust identity assurance technologies or partnering with specialized age verification services.

Key actions for age and minor data compliance include:

Auditing all user journeys where age is collected or inferred.
Implementing layered consent mechanisms that differentiate between minors and adults.
Ensuring data minimization for all user accounts, especially for minors.
Reviewing and potentially halting targeted advertising campaigns directed at users under protected age thresholds.

Conducting Surveillance Technology Risk Assessments

Companies using geolocation tracking, facial recognition, or other biometric systems must conduct thorough audits. The goal is to align collection, retention, and consent processes with new jurisdictional bans and opt-in requirements. For example, if a state bans the sale of precise geolocation data, companies must ensure their data sharing agreements and practices reflect this prohibition.

A surveillance technology audit should cover:

Data Inventory: Catalog all locations where geolocation or biometric data is collected.
Purpose Limitation: Verify that collection is strictly for disclosed, necessary purposes.
Consent Verification: Confirm that opt-in consent is obtained where required by law.
Third-Party Sharing: Review all downstream data flows to ensure no illegal sale or sharing occurs.

This proactive assessment helps mitigate the significant risk associated with non-compliance in this highly scrutinized area.

Building a Flexible, State-Agnostic Compliance Program

Given the state-by-state patchwork, the most sustainable strategy is to build a flexible compliance program that can adapt to varying requirements. This involves establishing a baseline of strong privacy protections that meet or exceed the strictest state law, while creating processes to manage state-specific exceptions.

Core elements of a robust, adaptable privacy program include:

A centralized data inventory and mapping tool that can generate reports by jurisdiction.
Modular privacy notices and consent banners that can be customized based on user location.
A governance committee responsible for monitoring state legislative developments.
Regular training for product, engineering, and legal teams on new obligations.

This approach transforms privacy compliance from a series of frantic, reactive projects into a manageable, ongoing business operation.

The Future of U.S. Privacy Regulation and Federal Prospects

The trajectory of U.S. privacy regulation points toward continued state-level innovation and complexity in the near term. While the fragmentation risk of the state-by-state patchwork creates pressure for a federal solution, political consensus remains elusive. In the interim, businesses must prepare for a landscape defined by proliferation of effective dates and ongoing amendment cycles, requiring vigilant monitoring and agile compliance programs.

Staggered Deadlines and Ongoing Legislative Activity

The operational challenge is compounded by staggered enforcement dates. For instance, Minnesota’s law became effective July 31, 2025, while other 2025 laws had different start dates. Furthermore, many laws are subject to mid-year amendments, as seen with Connecticut’s SB 1295. This demands that companies treat privacy compliance as a continuous process, not a one-time project with a fixed deadline.

Key trends shaping the future regulatory environment include:

Increasingly aggressive teen privacy protections that may expand to more states.
Broadening definitions of sensitive data to include types like neural data or inference data.
Stronger convergence between privacy, AI governance, and cybersecurity regulations.
Potential for sector-specific laws (e.g., for health data, financial data) to add further layers of complexity.

Many 2025 laws have staggered effective/enforcement dates and numerous mid-year amendments, requiring ongoing monitoring and agile compliance programs.

This dynamic environment means that the compliance obligations for 2026 will likely differ from those in 2025. Companies must build programs capable of adapting to this constant state of flux.

Guidance for Journalists and Industry Analysts

For those reporting on or analyzing the privacy landscape, understanding the operational impact of these laws is crucial. The story extends beyond legislative text to the practical challenges of implementation. Key areas for journalistic focus include the real-world effectiveness of age-gating technologies, corporate transparency about data flows, and the enforcement priorities of state attorneys general.

Key Questions for Investigative Reporting

Journalists can drive accountability by asking pointed questions about compliance. Focusing on how companies operationalize new requirements reveals the gap between policy and practice. This scrutiny is vital for data security and consumer protection in an era of pervasive data collection.

Critical lines of inquiry for reporters include:

How are major platforms modifying their advertising technology to comply with state bans on targeted ads to minors?
Are companies providing meaningful, accessible information about third-party recipients when consumers exercise their right to know?
How are regulators staffing their enforcement units, and what types of complaints are they prioritizing?
What is the actual user experience of new consent mechanisms and privacy controls, especially for younger users?

Interview Questions for Regulators and Compliance Officers

Engaging directly with key stakeholders provides deep insight. Questions for regulators might explore enforcement philosophy, while questions for corporate leaders can uncover implementation hurdles. This dual perspective paints a complete picture of the regulatory ecosystem’s function and friction.

For regulators (e.g., State Attorneys General):

What resources are being allocated to enforce the new surveillance data restrictions?
How does your office view the role of algorithmic impact assessments in preventing consumer harm?
Are you seeing widespread corporate compliance with the new teen privacy provisions, or significant areas of non-compliance?

For company Chief Privacy Officers or compliance leads:

What has been the single greatest operational challenge in adapting to the 2025 state laws?
How is your company ensuring its data inventory remains accurate enough to fulfill new transparency rights?
What changes have you made to vendor management and contracts to address third-party transparency requirements?

Conclusion: Navigating the New Era of Data Privacy

The regulatory upheaval of 2024–2025 marks a definitive turning point for data privacy in the United States. The era of light-touch, notice-and-consent regulation is giving way to a new paradigm defined by proactive obligations, strict limitations on certain data practices, and severe penalties for non-compliance. The core pillars of this new era—age-gating, surveillance data restrictions, and third-party transparency—reflect a legislative intent to rebalance power between corporations and consumers.

Synthesis of Key Compliance Imperatives

Businesses that wish to thrive in this environment must internalize several non-negotiable imperatives. Success hinges on moving beyond checkbox compliance to embedding privacy-by-design into organizational culture and technology architecture.

The essential takeaways for any organization handling consumer data are:

Age is no longer just a number: Robust age verification and specialized treatment for teen data are now legal mandates, not optional best practices.
Transparency is operational: Knowing and disclosing your data flows to consumers requires sophisticated data governance and vendor management.
Surveillance carries risk: The collection and use of geolocation and biometric data are under intense scrutiny and subject to increasing bans and consent hurdles.
AI governance is privacy governance: Managing the risks of profiling and automated decisions through impact assessments and consumer rights is now part of the core privacy mandate.
Agility is survival: The state-by-state patchwork is dynamic; compliance programs must be built for continuous adaptation, not static adherence.

The drivers of this regulatory push include concerns about social media harms to teens, high-profile data breaches, growth in AI-driven profiling and surveillance technologies, and political momentum at the state level.

For consumers, these laws represent a hard-fought advancement in digital rights, offering greater agency over personal information in an increasingly datafied world. For businesses, they represent a complex but necessary evolution, demanding investment in data security, ethical data practices, and transparent operations.

The journey toward 2026 compliance is already underway. The companies that will succeed are those that view these new privacy laws not merely as a compliance burden, but as a strategic opportunity to build trust, demonstrate responsibility, and future-proof their operations in a world where data stewardship is paramount. The fight for data security and consumer privacy has entered a new, more rigorous phase, reshaping the digital ecosystem for years to come.