Tech
Scope of US state-level privacy laws expands rapidly in 2025 | Computer Weekly
The number of individual US states with local data privacy legislation on their statute books has expanded rapidly in 2025, with nine more state laws coming into effect this year and three more states – Indiana, Kentucky and Rhode Island – slated to start enforcing their own rules on 1 January 2026, according to a report compiled by the International Association of Privacy Professionals (IAPP).
Since the introduction of the landmark California Consumer Privacy Act in 2020, politicians in state capitals across the US have eagerly taken up the data protection baton, with Colorado, Connecticut, Utah and Virginia all introducing comprehensive privacy laws in 2023; Montana, Oregon and Texas in 2024; and Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey and Tennessee this year.
A further 16 states are currently deliberating comprehensive privacy bills, including economic powerhouse states such as Massachusetts and New York.
The resulting report captures an in-depth picture of each of the separate state privacy laws, with the overall goal being to outline the contours of each state to offer more meaningful guidance to organisations. The IAPP has been actively tracking amendments to state privacy laws – Connecticut, Montana and Oregon all made changes his year to expand the scope of applicability, enhance consumer rights and put in place more business obligations around control and processing of personal data, for example.
Where to start?
Müge Fazlioglu, IAPP principal researcher, privacy law and policy, has been tracking these developments. She described an increasingly complex patchwork of compliance for organisations working in the US.
“The applicability of each US state privacy law can be assessed through a multistep process as each state law has a unique scope based on variety of thresholds,” she told Computer Weekly. “These thresholds are related to entity’s jurisdiction, revenue, volume of personal data processing and revenue derived from the sale of personal data.”
To dig deeper into the extent to which the laws differ, five different thresholds in the US now exist for processing resident’s personal data. These include no threshold in Nebraska and Texas; 25,000 or more unique consumers in Montana; 35,000 in Connecticut, Delaware, Maryland, New Hampshire and Rhode Island; 100,000 in California, Colorado, Indiana, Iowa, Kentucky, Minnesota, New Jersey, Oregan, Utah and Virginia; and 175,000 in Tennessee. So, any organisation holding data on any Texas residents becomes subject to applicability, but they must hold data on 0.6% of the population of Maryland, or 3.3% of the population of tiny Delaware.
Then there are thresholds for the sale of personal data. Here, again, Nebraska and Texas are strictest, ruling that the control, processing or sale of any personal data is subject to state privacy laws, albeit with exemptions for small businesses. Meanwhile in California, organisations fall in scope if they control or process any personal data and derive 50% or more of their revenues from the sale of data. Colorado and New Jersey both include population thresholds again – 25,000 unique consumers or more, and in-scope organisations derive any revenue or discount on the price of any goods or services from the sale of personal data.
When it comes to exemptions, each of the 19 state laws excludes various entities and types of data held by them – most commonly, government agencies, non-profits and higher education institutions; and organisations already subject to national, sectoral legislation, such as the Health Insurance Portability and Accountability Act (HIPAA).
Differences again abound. For example, the laws of Colorado, Delaware, Minnesota, Montana, New Jersey and Oregon do not exempt non-profits. California and Maryland do exempt non-profits but do not exempt higher education institutions, and so on. Nuances exist even here – Delaware, for example, exempts only some non-profits and its laws don’t apply to those than handle data held by non-profits working with victims of child abuse, domestic violence, human trafficking or sexual assault. Neighbouring Maryland exempts those that process or share personal data to assist first responders in emergency situations, or law enforcement investigating fraud or insurance-related crime.
When it comes to business obligations under state privacy laws, all states require regulated entities to provide consumers with privacy practice disclosure notices – California asks for this at the point of collection, and all bar Rhode Island and Utah impose minimisation and purpose limitations on the collection or processing of data. This typically restricts the collection, use, retention and sharing of consumer data to what is adequate, relevant and reasonably necessary. Most states – bar Iowa and Utah – require data protection impact assessments (DPIAs), but in Delaware, Indiana and Virginia, DPIAs are specifically required for targeted advertising, the sale of personal data or individual profiling.
Naturally, all states require consent for processing of sensitive data, but again they define varying categories of data as sensitive. Most state laws cover a standard dataset that will be familiar to most, classing children’s data, data on ethnic background, religion, and sexual orientation as sensitive. However, some states go further, with Maryland and Oregon also recognising information on national origin as sensitive, while five states – Connecticut, Delaware, Maryland, New Jersey and Oregon – include data that might reveal an individual’s status as non-binary or transgender.
Maryland, meanwhile, has the only state level law that does not classify mental or physical health data as sensitive, whereas California ploughs a unique furrow and classes philosophical beliefs as a protected category, protecting existentialists, logical positivists, nihilists and stoics alike.
Finally, turning to consumer rights to access, correct and delete data held on them, things are a little simpler but there are still differences to account for. In all states consumers can access, correct and delete data – bar Iowa, where they cannot correct it; and Indiana, where they can correct it only if they have provided it in the first place.
Similarities to GDPR
Organisations operating out of the UK or European Union (EU), may be tempted to look to the practices and principles already established under the General Data Protection Regulation (GDPR) as a helpful guide to the growing labyrinth of rules, clauses and exceptions in the US.
However, Fazlioglu said that while the requirements of the various US regimes relating to consumer rights, data minimisation, purpose limitation of data collection and processing, and so on, might feel familiar to organisations that are already GDPR compliant at first glance, data privacy professionals should be wary of inferring too much from this, and it would be a grave error to rely too heavily on them.
“As we know in the world of privacy and digital governance, compliance work requires continuously mapping the current landscape, monitoring the changes, and making necessary updates and adjustments,” she said. “When it comes to the overlap of GDPR and the US state privacy laws, there’s a lot to identify, assess, translate and consider. There’s no simple checklist or formula to confirm alignment … Organisations need to examine the extent of each state privacy law and evaluate whether their existing practices are sufficient.”
Fazlioglu said that understanding the scope and specificity of each law, including the categories of sensitive data or how various terms such as “sale” are defined, is critical.
She said that while this may feel complex and daunting, the interaction between the various laws and domains and the GDPR may ultimately benefit consumers. “It encourages deeper attention to the crossroads of consumer protection and emerging technologies,” she said.
Federal laws a subject of debate
In parallel to the enacting of state-level legislation in the US, calls continue for Washington DC to introduce a federal privacy law. While British and European observers not steeped in US political tradition may naturally feel inclined to prefer a national data protection standard, this is not such a simple ask for the US federal system.
“It is preferable for some and not preferable for others,” said Fazlioglu. “For example, during discussions around the American Privacy Rights Act of 2024 and the American Data Privacy and Protection Act of 2023, we observed different reactions from various groups – some supported these bills to simplify the landscape, while others emphasised the risk of weakening the protections currently offered by state legislatures.”
The IAPP tracks developments in this regard, examining contentious issues such as bipartisanship, private right of action and preemption. Fazlioglu said it was difficult to predict whether or not a federal law could advance through US Congress, but by analysing prior attempts, it is possible to see that laws which include private right of action and preemption clauses can influence a bill’s ability to attract both Democrat and Republican support.
Fazlioglu added: “The question is not only whether federal privacy legislation is preferable, but also whether such a law should function as a ceiling or a floor. Proponents of preemption argue that a federal law should serve as a ceiling – setting a uniform standard that overrides state laws. In contrast, supporters of preserving state privacy laws believe a federal law should act as a floor – a minimum standard that states can build upon.”
This is why, Fazlioglu said, it’s important to consider both state and federal privacy law developments in order to see the full picture. “I believe the state-federal dynamics influence each other. So, while it’s uncertain whether we’ll see a federal privacy law enacted, I expect continued discussions at both the intra-state level and between state and federal frameworks. Together, these conversations will continue to shape the US approach to privacy law and policy in the coming years,” she said.
Tata Communications has launched a self-healing network platform called IZO datacentre Dynamic Connectivity, which is designed to eliminate costly datacentre downtime and support the demands of an artificial intelligence (AI)-driven world.
In explaining the rationale for the launch, Tata Communications said that in the current digital economy, disruptions from cable cuts, route failures or sudden AI workload spikes can bring business to a standstill.
Specifically, that is every enterprise depends on the ability to always be connected with an uninterrupted data flow. From financial transactions, information technology-enabled services (IT-ITeS) and manufacturing to streaming platforms and online retail, the connections between datacentres keep the modern world running. Tata Communications added that when those connections are interrupted, businesses do not just slow down, they are brought to a complete standstill.
The company warned that the networks connecting many enterprise datacentres were built for a different era. Traditional datacentre (DC)-to-DC links were designed for predictable workloads and stable traffic patterns. It stressed that the current reality is far more dynamic. In this, enterprises operate across global locations and cloud environments, moving massive volumes of data in real time to support AI workloads and business needs.
In an environment shaped by increasing geopolitical constraints, cable outages, route failures or sudden spikes in demand, these can quickly cascade into service disruption and operational risk, leading to a costly downtime. In such scenarios, the response is often reactive and manual, consuming valuable time when business need certainty and speed.
The IZO datacentre Dynamic Connectivity platform is designed to address these issues by creating an intelligent network that covers key global datacentres across five continents.
Tata Communications, said that unlike conventional architectures, the new platform uses deterministic multi-path routing to deliver predictable latency and performance. It said this transforms resilience from a reactive process into an autonomous capability, changing how enterprises connect their datacentres in an increasing AI-driven and distributed world.
This means the platform is smart enough to automatically re-route traffic within seconds without manual intervention during disruptions. This is said to enable enterprises to achieve >99.99% service availability across mission-critical infrastructure that supports business-critical applications, “turning resilience from a contingency into a default state”.
The platform is also attributed with giving enterprises access over their connectivity. Through a unified digital interface and APIs, enterprises can monitor performance, receive proactive alerts and dynamically scale bandwidth as workloads evolve.
Tata Communications said the result is that business impact is a shift from crisis management to strategic growth with business leaders no longer having to guess their future needs or over-pay for “just in case” bandwidth. Instead, leaders have access to Al-driven predictive insights allowing them to forecast their capacity requirements in advance. If a sudden workload demands more capacity or choice of route, users can instantly scale their bandwidth or add route through self-service feature.
Tata Communications calculates that by moving to a flexible, consumption-based pricing model, enterprises can reduce the need for idle backup capacity and save up to 30% on operational costs. Enterprises can activate resilience and bandwidth when required, helping to optimise costs while maintaining deterministic performance across geographies.
“Datacentres are the core engines of today’s digital economy, and the connections between them must be as resilient as the networks that connect them,” said Genius Wong, chief technology officer and executive vice-president of core and next-gen connectivity services at Tata Communications. “They must be just as dynamic as the applications they support.
“With IZO DC Dynamic Connectivity, we are shifting resilience from a reactive process to an autonomous capability. By combining global reach, deterministic routing and intelligent automation, we are enabling enterprises to build a digital foundation that scales with confidence and operates without disruption.”
Soft plastics are notorious for jamming sorting machines, slipping through processing lines, and wreaking havoc on the environment. They’re also not accepted in most municipal curbside recycling programs.
Facilities for recycling these types of plastic exist, but getting waste to these locations clean and free of what some call “wishful recycling” items (compostable cups, plastic utensils) is such a challenge that the majority of soft plastics, even the bags recycled at the front of grocery stores, end up in the trash. The SPC is what Arbouzov calls a “pre-recycling device,” designed to simplify this stream and deliver plastic that’s contained, traceable, and more likely to make it through the system.
I tried to envision how the blocks would turn into patio furniture, as advertised, but didn’t learn exactly how until months later, when Arbouzov sent me a video of the blocks at their final destination—a facility in Frankfort, Indiana, that specializes in processing polyethylene and polypropylene films. The blocks get shredded into crumbles resembling, at least on video, handfuls of wet newspaper, which are then compressed into composite decking, chairs, garden edging, and more.
Courtesy of Clear Drop
Courtesy of Clear Drop
“The full cycle from mailing a block to it entering recycling processing typically takes a few weeks,” Arbouzov said, “depending on shipping time and batching schedules.” Right now, the Frankfort location is the only facility processing the blocks, but Arbouzov said he hopes this is only temporary.
“Our goal is to shift more of this processing closer to where the material is generated, so blocks can move in bulk through regional recycling infrastructure rather than through mail-based logistics,” he said. “The mail-back system is essentially a bridge that allows the material to be captured today while that larger infrastructure develops.”
Recycling, Rewired
I found that my household of three was able to produce a block every couple of weeks, which quickly outpaced the provided supply of mailers. As the blocks started piling up on the floor of my office, I found myself wishing the SPC made something useful for consumers. Spoons, straws, 3D-printing filament … anything that could be used at home.
However, a 2023 Greenpeace report found that recycling plastic can actually make it even more toxic than it already is—heating it can not only cause existing chemicals to escape into the air and water supply, but even create new ones, like benzene. Would I want this in my house? Does recycled plastic actually belong in a circular economy? I asked Arbouzov what he thought.
Predating the launch of Moto Mods in 2016, the first batch of Jolla The Other Half concepts included back covers with an extra E Ink display, an infrared camera, and an Angry Birds tie-in that activated themes and ringtones. But probably the most popular was a Blackberry/Nokia Communicator-style slider keyboard made and sold by two entrepreneurs from the original Jolla community. That trend is back in—at CES 2026, accessory company Clicks showed off a magnetic keyboard accessory you can slap on the back of any Qi2 or MagSafe smartphone, though it uses Bluetooth for connectivity.
Quite a bit has changed in what’s achievable, not least more bandwidth, more capability, and more accessible, high-quality 3D printing. “We have seven pogo pins [on the Jolla Phone] which give you the capability to get power out and power in,” says Jolla CEO Sami Pienimäki. “So you can do maybe wireless charging, and you can power external circuit boards.” Pienimäki imagines E Ink interfaces or low-bandwidth radios on the back of its upcoming phone—it has an I3C interface, which delivers bit rates up to 12 megabits per second, allowing data to flow between the phone and the mod, enabling new kinds of smarter modular accessories.
Jolla has promised to release the final phone specifications by the end of the month, with shipping due for the first preorder customers at the end of June. Pienimäki teases that it’s “tempting” for him to release one of Jolla’s own internal concepts for a TOH back cover even earlier as “a showcase of what you can actually do.” (The Jolla Phone doesn’t have FCC approval in the US, but the company is considering a US launch in the future.)
With more than 10,000 preorders since December 2025, Jolla is back in business but still far from mainstream. So why, despite plenty of internet hype over the years, did truly modular phones never quite take off?
“During the LTE days, there was thinking that these devices would morph into ‘cloud phones,’ where the rest of the phone could be cost-optimized,” Fieldhack says. “Swappable parts and lower costs, as most of the compute would be done in the cloud.”
But things changed as flagship phones went from costing $350 to around $1,000. Both the camera and media production and consumption became much more important: “Great displays, great cameras, multiple cameras, more memory, better sound and mics, as well as more elegant and thin devices—this is not easily done on a modular smartphone,” Fieldhack says. “There are huge compromises, and phones are thicker and heavier with less performance. Then, agentic AI, on-device for lower costs and better security, made modular design even less optimal.”
Repairable Modules
One strong and emerging argument for true hardware modularity is repairability. Another European smartphone maker, Fairphone, has been making that case for over a decade. “It’s about thinking about how do we group the actual phone itself into modules?” says Fairphone chief technology officer Chandler Hatton. The latest FairPhone Gen 6 smartphone is made up of 12 modules. A customer sitting at the kitchen table with a single T5 screwdriver (included) and a guitar pick can repair the phone quickly, easily, and cheaply.
The Men’s 2026 March Madness Pain Index
Ole Miss to launch center devoted to risks, effects of gambling
War economy fuels $252 bn technical textile boom amid cost surges
-
Entertainment1 week agoStrategic oil stocks to be released ‘immediately’ in Asia and Oceania: IEA
-
Tech7 days agoJustice Department Says Anthropic Can’t Be Trusted With Warfighting Systems
-
Fashion1 week agoTrump signs order to combat fraudulent ‘Made in America’ labels
-
Business1 week agoStocks To Watch: Tata Motors, IndiGo, Jindal Stainless, GMR Airports, Hindalco, And Others
-
Sports1 week agoMen’s March Madness 2026 bracket: Get to know all 68 teams
-
Business1 week agoGas supply crunch a worry for AC makers ahead of peak season – The Times of India
-
Tech1 week agoEarly Deals From the Amazon Spring Sale That Passed Our BS Test
-
Sports6 days agoMarch Madness 2026 – How to watch in SA, start time, schedule, TV channel for NCAA championship basketball tournament