Tech
Scope of US state-level privacy laws expands rapidly in 2025 | Computer Weekly
The number of individual US states with local data privacy legislation on their statute books has expanded rapidly in 2025, with nine more state laws coming into effect this year and three more states – Indiana, Kentucky and Rhode Island – slated to start enforcing their own rules on 1 January 2026, according to a report compiled by the International Association of Privacy Professionals (IAPP).
Since the introduction of the landmark California Consumer Privacy Act in 2020, politicians in state capitals across the US have eagerly taken up the data protection baton, with Colorado, Connecticut, Utah and Virginia all introducing comprehensive privacy laws in 2023; Montana, Oregon and Texas in 2024; and Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey and Tennessee this year.
A further 16 states are currently deliberating comprehensive privacy bills, including economic powerhouse states such as Massachusetts and New York.
The resulting report captures an in-depth picture of each of the separate state privacy laws, with the overall goal being to outline the contours of each state to offer more meaningful guidance to organisations. The IAPP has been actively tracking amendments to state privacy laws – Connecticut, Montana and Oregon all made changes his year to expand the scope of applicability, enhance consumer rights and put in place more business obligations around control and processing of personal data, for example.
Where to start?
Müge Fazlioglu, IAPP principal researcher, privacy law and policy, has been tracking these developments. She described an increasingly complex patchwork of compliance for organisations working in the US.
“The applicability of each US state privacy law can be assessed through a multistep process as each state law has a unique scope based on variety of thresholds,” she told Computer Weekly. “These thresholds are related to entity’s jurisdiction, revenue, volume of personal data processing and revenue derived from the sale of personal data.”
To dig deeper into the extent to which the laws differ, five different thresholds in the US now exist for processing resident’s personal data. These include no threshold in Nebraska and Texas; 25,000 or more unique consumers in Montana; 35,000 in Connecticut, Delaware, Maryland, New Hampshire and Rhode Island; 100,000 in California, Colorado, Indiana, Iowa, Kentucky, Minnesota, New Jersey, Oregan, Utah and Virginia; and 175,000 in Tennessee. So, any organisation holding data on any Texas residents becomes subject to applicability, but they must hold data on 0.6% of the population of Maryland, or 3.3% of the population of tiny Delaware.
Then there are thresholds for the sale of personal data. Here, again, Nebraska and Texas are strictest, ruling that the control, processing or sale of any personal data is subject to state privacy laws, albeit with exemptions for small businesses. Meanwhile in California, organisations fall in scope if they control or process any personal data and derive 50% or more of their revenues from the sale of data. Colorado and New Jersey both include population thresholds again – 25,000 unique consumers or more, and in-scope organisations derive any revenue or discount on the price of any goods or services from the sale of personal data.
When it comes to exemptions, each of the 19 state laws excludes various entities and types of data held by them – most commonly, government agencies, non-profits and higher education institutions; and organisations already subject to national, sectoral legislation, such as the Health Insurance Portability and Accountability Act (HIPAA).
Differences again abound. For example, the laws of Colorado, Delaware, Minnesota, Montana, New Jersey and Oregon do not exempt non-profits. California and Maryland do exempt non-profits but do not exempt higher education institutions, and so on. Nuances exist even here – Delaware, for example, exempts only some non-profits and its laws don’t apply to those than handle data held by non-profits working with victims of child abuse, domestic violence, human trafficking or sexual assault. Neighbouring Maryland exempts those that process or share personal data to assist first responders in emergency situations, or law enforcement investigating fraud or insurance-related crime.
When it comes to business obligations under state privacy laws, all states require regulated entities to provide consumers with privacy practice disclosure notices – California asks for this at the point of collection, and all bar Rhode Island and Utah impose minimisation and purpose limitations on the collection or processing of data. This typically restricts the collection, use, retention and sharing of consumer data to what is adequate, relevant and reasonably necessary. Most states – bar Iowa and Utah – require data protection impact assessments (DPIAs), but in Delaware, Indiana and Virginia, DPIAs are specifically required for targeted advertising, the sale of personal data or individual profiling.
Naturally, all states require consent for processing of sensitive data, but again they define varying categories of data as sensitive. Most state laws cover a standard dataset that will be familiar to most, classing children’s data, data on ethnic background, religion, and sexual orientation as sensitive. However, some states go further, with Maryland and Oregon also recognising information on national origin as sensitive, while five states – Connecticut, Delaware, Maryland, New Jersey and Oregon – include data that might reveal an individual’s status as non-binary or transgender.
Maryland, meanwhile, has the only state level law that does not classify mental or physical health data as sensitive, whereas California ploughs a unique furrow and classes philosophical beliefs as a protected category, protecting existentialists, logical positivists, nihilists and stoics alike.
Finally, turning to consumer rights to access, correct and delete data held on them, things are a little simpler but there are still differences to account for. In all states consumers can access, correct and delete data – bar Iowa, where they cannot correct it; and Indiana, where they can correct it only if they have provided it in the first place.
Similarities to GDPR
Organisations operating out of the UK or European Union (EU), may be tempted to look to the practices and principles already established under the General Data Protection Regulation (GDPR) as a helpful guide to the growing labyrinth of rules, clauses and exceptions in the US.
However, Fazlioglu said that while the requirements of the various US regimes relating to consumer rights, data minimisation, purpose limitation of data collection and processing, and so on, might feel familiar to organisations that are already GDPR compliant at first glance, data privacy professionals should be wary of inferring too much from this, and it would be a grave error to rely too heavily on them.
“As we know in the world of privacy and digital governance, compliance work requires continuously mapping the current landscape, monitoring the changes, and making necessary updates and adjustments,” she said. “When it comes to the overlap of GDPR and the US state privacy laws, there’s a lot to identify, assess, translate and consider. There’s no simple checklist or formula to confirm alignment … Organisations need to examine the extent of each state privacy law and evaluate whether their existing practices are sufficient.”
Fazlioglu said that understanding the scope and specificity of each law, including the categories of sensitive data or how various terms such as “sale” are defined, is critical.
She said that while this may feel complex and daunting, the interaction between the various laws and domains and the GDPR may ultimately benefit consumers. “It encourages deeper attention to the crossroads of consumer protection and emerging technologies,” she said.
Federal laws a subject of debate
In parallel to the enacting of state-level legislation in the US, calls continue for Washington DC to introduce a federal privacy law. While British and European observers not steeped in US political tradition may naturally feel inclined to prefer a national data protection standard, this is not such a simple ask for the US federal system.
“It is preferable for some and not preferable for others,” said Fazlioglu. “For example, during discussions around the American Privacy Rights Act of 2024 and the American Data Privacy and Protection Act of 2023, we observed different reactions from various groups – some supported these bills to simplify the landscape, while others emphasised the risk of weakening the protections currently offered by state legislatures.”
The IAPP tracks developments in this regard, examining contentious issues such as bipartisanship, private right of action and preemption. Fazlioglu said it was difficult to predict whether or not a federal law could advance through US Congress, but by analysing prior attempts, it is possible to see that laws which include private right of action and preemption clauses can influence a bill’s ability to attract both Democrat and Republican support.
Fazlioglu added: “The question is not only whether federal privacy legislation is preferable, but also whether such a law should function as a ceiling or a floor. Proponents of preemption argue that a federal law should serve as a ceiling – setting a uniform standard that overrides state laws. In contrast, supporters of preserving state privacy laws believe a federal law should act as a floor – a minimum standard that states can build upon.”
This is why, Fazlioglu said, it’s important to consider both state and federal privacy law developments in order to see the full picture. “I believe the state-federal dynamics influence each other. So, while it’s uncertain whether we’ll see a federal privacy law enacted, I expect continued discussions at both the intra-state level and between state and federal frameworks. Together, these conversations will continue to shape the US approach to privacy law and policy in the coming years,” she said.
Design Within Reach carries some of the best and coolest home decor you can find, from modern couches to fantastic office chairs and fun designers like Herman Miller and Dusen Dusen. It’s not a cheap store to shop at, though, which is what makes these coupons something to jump on. Unlock online-exclusive discounts of up to 50%, free shipping, plus 20% off featured brands and 15% off office furniture bundles with Design Within Reach promo codes and Summer 2025 sale events. Save on hundreds of stylish items, including our favorite Design Within Reach office chairs, plus some other fantastic home gear we’ve earmarked for testing.
Extra 25% Off at Design Within Reach
Upgrade your digs to sleek Eames-esque mid-century modern design for up to 25% off furniture with Design Within Reach promo code EXTRA25. Head to Design Within Reach’s sale page for huge markdowns of live-proof, luxe furniture and household items like storage furniture, bar stools, chairs, couches, cabinetry, accessories, and more. And don’t forget to use that Design Within Reach promo code for even more savings.
Get 15% Off Furniture With Design Within Reach Promo Codes
On Design Within Reach’s website, you’ll see an expansive catalogue with a huge range of furniture to revamp any room—from couches and credenzas to coffee tables and bar stools for way less than normal designer prices. Flos lamps, known for mixing functionality and style, are now 20% off for a limited time. These colorful table lamps start at $255, with wall sconces, pendants, and more on sale.
Summer’s here, and it’s better late than never to get some great outdoor furniture. During Design Within Reach’s outdoor sale event, you can get up to 30% off great outdoor furniture essentials, like outdoor sectionals, chaise lounge chairs, benches, and outdoor tables. You can get bonus savings with sitewide Design Within Reach promo codes during this time. But you can still save thousands of dollars, on top of 50% off markdowns. If you’ve been eyeing the Eames Lounge Chair, Aeron Chair, or Noguchi table, this is your chance to save over $1,500.
One of the easiest ways to get a design within reach coupon is by signing up for their emails. When you sign up for DWR’s email list, you’ll get 15% off your first order, plus, you’ll be the first to know of flash sale events and discount codes when the updates are sent straight to your inbox.
You can ditch the delivery fees with Quick-Ship free shipping offers. You can save up to $699 and get complimentary shipping sitewide on orders of $2,000 or more. Explore the many items with quick-ship and free shipping offers, including sofas, storage pieces, coffee tables, and more iconic furniture. Check out their New to Sale deals too, with 40% off select bar stools, 20% off sectionals, and decor for 50% off. Design Within Reach’s end-of-season sales are some of the best times to save big on those pricier purchases, but you’ll be surprised to find that many new arrivals will go on sale too. While you’re browsing the Sale section, you can use the filter button to organize by category, specific designers, brands, and even price. Unleash your inner interior designer and go wild.
Shop up to 50% Off Design Within Reach Clearance Sale Deals
Buying furniture and other household items can be one of the biggest purchases one makes in their life. Luckily, Design Within Reach has some great furniture deals, with clearance deals that are even steeper than their usual sale discounts. These deals include last-chance furniture discounts, with up to 50% off on all home categories and decor—including light fixtures, tables, ottomans, furniture cushions, and more. Check out Design Within Reach clearance deals and take advantage of the final sale prices, where furniture items are at their lowest prices yet—before they go out of stock.
More Ways to Save on Design Within Reach Furniture
Design Within Reach is also here for small business owners and design industry professionals, to help them jumpstart and elevate their businesses in style. They can apply to the free DWR Trade program, where they will receive sitewide discounts every day, a dedicated Account Executive, exclusive promotions only available to Trade members, and exclusive and discounted Trade pricing across Design Within Reach’s 200 premium design brands in one place.
Our Favorite Design Within Reach Gear
Design Within Reach has a huge range of designers and home pieces, from massive couches to decor and chargers. They carry Herman Miller pieces we love from our guide to the Best Office Chairs, plus chargers from Courant that we recommend in our Best Wireless Chargers guide. We’ve also got our eye on couches and sheets from designers like Hay and Dusen Dusen to test too that you can find at Design Within Reach.
As the Trump administration phases out the use of animal experimentation across the federal government, a biotech startup has a bold idea for an alternative to animal testing: nonsentient “organ sacks.”
Bay Area-based R3 Bio has been quietly pitching the idea to investors and in industry publications as a way to replace lab animals without the ethical issues that come with living organisms. That’s because these structures would contain all of the typical organs—except a brain, rendering them unable to think or feel pain. The company’s long-term goal, cofounder Alice Gilman says, is to make human versions that could be used as a source of tissues and organs for people who need them.
For Immortal Dragons, a Singapore-based longevity fund that’s invested in R3, the idea of replacement is a core strategy for human longevity. “We think replacement is probably better than repair when it comes to treating diseases or regulating the aging process in the human body,” says CEO Boyang Wang. “If we can create a nonsentient, headless bodyoid for a human being, that will be a great source of organs.”
For now, R3 is aiming to make monkey organ sacks. “The benefit of using models that are more ethical and are exclusively organ systems would be that testing can be meaningfully more scalable,” Gilman says. (R3’s name comes from the philosophy in animal research known as the three R’s—replacement, reduction, and refinement—developed by British scientists William Russell and Rex Burch in 1959 to promote humane experimentation.)
New drugs are often tested in monkeys before they’re given to human participants in clinical trials. For instance, monkeys were critical during the Covid-19 pandemic for testing vaccines and therapeutics. But they’re also an expensive resource, and their numbers are dwindling in the US after China banned the export of nonhuman primates in 2020.
Animal rights activists have long pushed to end research on monkeys, and one of the seven federally funded primate research facilities across the country has signaled it would consider shutting down and transitioning into a sanctuary amid growing pressure. The US Centers for Disease Control and Prevention is also winding down monkey research, part of a bigger trend across the government to reduce reliance on animal testing.
As a result, Gilman says, there aren’t enough research monkeys left in the US to allow for necessary research if another pandemic threat emerges. Enter organ sacks.
Organ sacks would in theory offer advantages over existing organs-on-chips or tissue models, which lack the full complexity of whole organs, including blood vessels.
Gilman says it’s already possible to create mouse organ sacks that lack a brain, though she and cofounder John Schloendorn deny that R3 has made them. (For the record, Gilman doesn’t like the term “brainless” to describe the organ sacks. “It’s not missing anything, because we design it to only have the things we want,” she says.) Gilman and Schloendorn would not say how exactly they plan to create the monkey and human organ sacks, but said they are exploring a combination of stem-cell technology and gene editing.
It’s plausible that organ sacks could be grown from induced pluripotent stem cells, says Paul Knoepfler, a stem cell biologist at the University of California, Davis. These stem cells come from adult skin cells and are reprogrammed to an embryonic-like state. They have the potential to form into any cell or tissue in the body and have been used to create embryo-like structures that resemble the real thing. By editing these stem cells, scientists could disable genes needed for brain development. The resulting embryo could then be incubated until it grows into organized organ structures.
“Tavajoh! Tavajoh! Tavajoh!” a man’s voice announces, before going on to narrate a string of numbers in no apparent order, slowly and rhythmically. After nearly two hours, the calls of “Attention!” in Persian stop, only to resume again hours later.
The broadcast has been playing twice a day on a shortwave frequency since the start of the US-Israel attack on Iran on February 28.
According to Priyom, an organization which tracks and analyses global military and intelligence use of shortwave radio, using established radio-location techniques, the broadcast was first heard as the US bombing of Iran began. It has since played on the 7910 kHz shortwave frequency like clockwork—at 02.00 UTC and again at 18.00 UTC.
Over the weekend, Priyom said it had identified the likely origin of the broadcast. Using multilateration and triangulation techniques, the group traced the signal to a shortwave transmission facility inside a US military base in Böblingen, southwest of Stuttgart, Germany.
The site lies within a restricted training area between Panzer Kaserne and Patch Barracks, with technical operations possibly linked to the US army’s 52nd Strategic Signal Battalion, headquartered nearby.
That identification narrows the field, but it does not reveal who is behind the transmissions or who they are meant for.
The two-hour-long transmission is divided into five to six segments, each lasting up to 20 minutes. Each opens with “Tavajoh!” before shifting into a string of numbers in Persian, sometimes punctuated with an English word or two. Five days into the broadcast, radio jammers were heard attempting to block the frequency. The following day, the transmission shifted to a different frequency—7842 kHz.
Radio communication experts believe the broadcast is likely part of a Cold War–era system known as number stations.
The Return of the Numbers
Number stations are shortwave radio broadcasts that play strings of numbers or codes that sound random—like the one now heard in Iran. “It is an encrypted radio message used by foreign intelligence services, often as part of a complex operation by intelligence agencies and militaries,” says Maris Goldmanis, a Latvian historian and avid numbers stations researcher.
Number stations are most commonly associated with espionage. “For intelligence agencies, it is important to communicate with their spies to gather intelligence,” says John Sipher, a former US intelligence officer who served 28 years in the CIA’s National Clandestine Service. “This is not always possible in person due to political constraints or conflict. This is where number stations come in.”
While the use of number stations can be traced back to the First World War, they gained prominence during the US-Soviet Cold War. As espionage grew more sophisticated, governments used automated voice transmissions of coded numbers to communicate with agents, Goldmanis says. Citing declassified KGB and CIA documents, he adds that number stations were widely used during this period, often as Morse code transmissions and, in many cases, as two-way communications, with agents reporting back using their own shortwave transmitters.
“Nowadays, you have various satellite and encrypted communications technologies,” Sipher says. “But during the Cold War and even before that, governments had to find ways to do this without being noticed, and broadcasting coded messages was one way to communicate with your assets discreetly.”
The apparent randomness of the numbers means they can be understood only with a codebook, Sipher adds. “Nobody can make heads or tails of it or understand what it says unless you have the codebook that can give you hints to decrypt the code,” he says, noting that such systems must be set up and coordinated in advance.
A Signal Without a Sender
While the likely origin of the signal may now be clearer, its purpose and intended recipient remain unknown.
Because the broadcasts are encrypted and designed to be covert, those details may remain unclear for years, Goldmanis says. The structured nature of the transmission—its fixed schedule and consistent use of frequencies—further suggests it is part of a planned operation.
How Jaxon Smith-Njigba’s contract extension impacts Seahawks
China sees rise in new FDI firms despite lower inflows
Vets to be legally required to publish price lists and cap prescription fees
-
Sports1 week agoJapan suffers shocking collapse to Venezuela in World Baseball Classic
-
Entertainment1 week agoStrategic oil stocks to be released ‘immediately’ in Asia and Oceania: IEA
-
Business1 week agoNew Income Tax Act 2025 To Take Effect From April 1: 10 Key Changes That Will Affect Your Money
-
Sports1 week agoTransfer rumors, news: Real Madrid open to Camavinga exit, as Premier League clubs circle
-
Sports6 days agoMarch Madness 2026 – How to watch in SA, start time, schedule, TV channel for NCAA championship basketball tournament
-
Sports1 week agoPCB files complaint over allowing Bangladesh to take review on penultimate ball – SUCH TV
-
Business7 days agoStocks and pound rise as US rate call approaches
-
Tech6 days agoJustice Department Says Anthropic Can’t Be Trusted With Warfighting Systems