Compliance

US state privacy readiness for 2025 enforcement

Zeph Tech aggregates Minnesota’s Consumer Data Privacy Act, the Oregon Consumer Privacy Act, the Texas Data Privacy and Security Act, and the Colorado Privacy Act into one operating plan that aligns controller thresholds, universal opt-out technology, and DPIA triggers.

Updated with briefing crosslinks covering Delaware’s PDPA go-live, Minnesota’s enforcement week, and Oregon’s nonprofit obligations so privacy teams can reference the supporting research while executing this guide. [Compliance Briefing — August 18, 2025; Compliance Briefing — August 1, 2025; Compliance Briefing — September 3, 2025]

Use this guide to accelerate data inventory updates, harden processor contracts, confirm opt-out preference signal handling, and monitor attorney-general enforcement cadences as cure periods sunset.

Execution plan

Lock in 2025 privacy enforcement milestones

Assign accountable owners to the most urgent statutory deliverables so opt-out orchestration and child privacy protections withstand attorney-general audits.

  1. Minnesota universal opt-out proofs. Capture packet-level evidence that Global Privacy Control (GPC) signals, browser preference headers, and teen-specific opt-in workflows are honoured across every commerce and support experience before the 31 January 2026 cure-period sunset. [Compliance Briefing — August 1, 2025]
  2. Delaware youth data governance. Rebuild consent journeys for minors so sales, targeted advertising, and profiling toggles default to “off” and log parent or guardian authorisations; memorialise processor instructions covering teen data within updated DPAs. [Compliance Briefing — August 18, 2025]
  3. Oregon nonprofit onboarding. Extend privacy impact assessments, data inventories, and opt-out fulfilment SLAs to newly in-scope foundations and associations; document training rosters and data-tagging coverage that Oregon DOJ investigators are reviewing during autumn 2025 outreach. [Compliance Briefing — September 3, 2025]

State privacy landscape

Aggregate statutory controls across Minnesota, Oregon, Texas, and Colorado

Crosswalk controller thresholds, opt-out requirements, data protection assessment triggers, and enforcement cadence so legal, privacy, and engineering teams prioritise the highest-risk obligations.

Comparison of 2025 state privacy statutes
| Statute | Effective window | Controller threshold | Universal opt-out tech | DPIA triggers | Enforcement posture |
|---|---|---|---|---|---|
| Minnesota Consumer Data Privacy Act (MCDPA) | Effective 31 Jul 2025; AG cure period runs through 31 Jan 2026 | ≥100k consumers/year (excluding payment-only processing) or ≥25k with ≥25% revenue from personal data sales | Must honour user-enabled universal opt-out signals once the Attorney General finalises the recognised mechanism list by 31 Jan 2026 | Targeted advertising, selling personal data, profiling with significant effects, processing sensitive data, or any processing presenting a heightened risk of harm | Exclusive AG enforcement; civil penalties up to $7,500 per violation after discretionary cure window closes |
| Oregon Consumer Privacy Act (OCPA) | Effective 1 Jul 2024 for most controllers; 1 Jul 2025 for 501(c)(3) nonprofits | ≥100k consumers/year (excluding payment-only processing) or ≥25k with ≥25% revenue from selling personal data | Controllers must integrate recognised universal opt-out preference signals no later than 1 Jan 2026 per Department of Justice specification | Targeted advertising, selling personal data, profiling with foreseeable risk, processing sensitive data, or any activity heightening consumer risk | Oregon DOJ enforcement with $7,500 statutory penalties; 30-day cure period sunsets 1 Jan 2026 |
| Texas Data Privacy and Security Act (TDPSA) | Effective 1 Jul 2024 | Applies to entities doing business in Texas that process or sell personal data, excluding small businesses under SBA definitions unless they sell sensitive data | Requires prominent opt-out controls; no mandated recognition of browser-based universal signals, though alignment is recommended for multi-state parity | Targeted advertising, selling personal data, processing sensitive data (including biometrics), and profiling that presents a reasonably foreseeable risk of unfair or deceptive impact | Texas AG exclusively enforces with uncapped investigative subpoenas and $7,500 penalties; permanent 30-day cure opportunity conditioned on remediation commitments |
| Colorado Privacy Act (CPA) | Effective 1 Jul 2023; 60-day cure period expired 1 Jan 2025 | ≥100k consumers/year or ≥25k with revenue from selling personal data | Mandatory recognition of Attorney General-approved universal opt-out mechanisms (including Global Privacy Control) since 1 Jul 2024 | Targeted advertising, selling personal data, profiling creating foreseeable risk, processing sensitive data, and any activity raising significant harm | Colorado AG and district attorneys enforce without mandatory cure; civil penalties up to $20,000 per violation under the Colorado Consumer Protection Act |
| Delaware Personal Data Privacy Act (DPPA) | Effective 1 Jan 2025; universal opt-out signal recognition mandated 1 Jan 2026 | ≥35k consumers/year (excluding payment-only processing) or ≥10k with ≥20% revenue from selling personal data [HB 154] | Authenticated universal opt-out signals covering targeted advertising and data sales [HB 154] | Targeted advertising, data sales, profiling producing legal or similarly significant effects, processing sensitive data, and youth data for consumers aged 13–17 | Delaware Department of Justice; civil penalties, restitution, and injunctive relief [Delaware signing release] |

Use the comparison to sequence remediation: align controller scoping with Minnesota’s July 2025 effective date, retrofit opt-out preference signal handling ahead of Oregon’s January 2026 deadline, and remove reliance on Colorado’s expired cure period.

Delaware PDPA

Operationalise Delaware’s Personal Data Privacy Act

Delaware’s PDPA brings some of the strictest youth advertising rules and opt-out orchestration mandates in the United States. Controllers must coordinate legal, engineering, and marketing teams to evidence compliance from day one. [Compliance Briefing — August 18, 2025; Compliance Briefing — January 1, 2025; HB 154; Delaware signing release]

  • Centralise opt-out orchestration. Capture browser-based universal opt-out signals across web and mobile properties, propagate suppression lists to downstream adtech, and log fulfilment within 15 days for audit readiness. [HB 154]
  • Implement teen opt-in controls. Require explicit consent before selling or targeting consumers aged 13–17; record consent artefacts, withdrawal handling, and age assurance logic in the evidence repository. [HB 154]
  • Ready DSR and appeal workflows. Update request portals with Delaware-specific rights, 45-day response clocks, and authenticated appeal processes. Train customer support on verification steps and log retention expectations from the Department of Justice. [Compliance Briefing — January 1, 2025; HB 154]

Data inventory

Refresh controller and processor inventories for multi-state compliance

Synchronise your data inventory tooling so it reflects statute-specific scoping rules and keeps sensitive data gating accurate as Minnesota comes online.

  • Segment by residency. Tag Minnesota, Oregon, Texas, and Colorado consumers in data catalogs and system-of-record metadata so processing reports surface jurisdiction counts against each threshold.
  • Capture revenue dependencies. Flag products and advertising units deriving ≥25% of revenue from data sales to model Minnesota and Oregon applicability and Texas sensitive data consent checkpoints.
  • Document nonprofit status. Identify 501(c)(3) entities operating in Oregon to ensure they meet the 1 Jul 2025 compliance deadline, and cascade controls to shared services teams.
  • Map sensitive data workflows. Track biometric, precise geolocation, health, and children’s data flows so opt-in consent and processing restrictions are enforced across all four statutes.

Opt-out technology

Implement universal opt-out handling without fragmenting experiences

Design opt-out services that satisfy mandatory signal recognition requirements while preserving telemetry for jurisdictions that have not yet mandated browser-based signals.

  • Adopt a shared preference service. Centralise opt-out preference ingestion so Global Privacy Control (GPC) and other AG-listed signals automatically cascade to web, mobile, and advertising systems serving Colorado residents.
  • Stage Minnesota and Oregon deadlines. Build configuration flags that enable recognised universal signals ahead of 31 Jan 2026 (Minnesota) and 1 Jan 2026 (Oregon) so controllers can toggle enforcement once the Attorneys General publish final mechanism lists.
  • Expose explicit UX in Texas. Maintain prominent in-product opt-out controls for Texas to satisfy statutory requirements while feeding selections back into the shared preference service for evidence of honouring requests.
  • Version consent records. Store opt-out preference signal receipts with timestamps, jurisdiction logic, and downstream system acknowledgements to satisfy audit trails and AG investigations.
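
The shared preference service, staged flags, and versioned receipts described above, as an added example (not Zeph Tech's code): it reads the Sec-GPC request header, applies the signal-recognition dates from this guide's comparison table, and emits a receipt for the audit trail. The state codes, flag names, basis labels, and downstream system names are assumptions made for illustration.

```python
import hashlib
import json
from datetime import date, datetime, timezone

# Dates on which recognising a universal signal becomes mandatory, as listed in
# this guide's comparison table. None = no mandated browser-signal recognition.
SIGNAL_MANDATE = {"CO": date(2024, 7, 1), "OR": date(2026, 1, 1),
                  "DE": date(2026, 1, 1), "MN": date(2026, 1, 31), "TX": None}


def gpc_present(headers):
    """True only for `Sec-GPC: 1`; HTTP header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def signal_basis(state, today, early_flags):
    """Why a signal is honoured for this state today, or None if it is not."""
    mandate = SIGNAL_MANDATE.get(state)
    if mandate is not None and today >= mandate:
        return "statutory_mandate"
    if early_flags.get(state, False):      # hypothetical per-state config flag
        return "early_enforcement_flag"
    return None


def build_receipt(headers, state, explicit_opt_out, now, early_flags, downstream):
    """Decide the opt-out and return a receipt suitable for versioned storage."""
    gpc = gpc_present(headers)
    basis = None
    if explicit_opt_out:                   # in-product control, e.g. the Texas UX
        basis = "explicit_control"
    elif gpc:
        basis = signal_basis(state, now.date(), early_flags)
    receipt = {
        "timestamp": now.isoformat(),
        "jurisdiction": state,
        "gpc_received": gpc,
        "opted_out": basis is not None,
        "basis": basis,
    }
    # Digest covers the decision fields only, so later acks do not invalidate it.
    canonical = json.dumps(receipt, sort_keys=True).encode()
    receipt["digest"] = hashlib.sha256(canonical).hexdigest()
    # Filled in as each downstream system confirms suppression.
    receipt["acks"] = {system: None for system in downstream}
    return receipt
```

A receipt with `gpc_received` true and `opted_out` false records that a signal arrived before the state's date and without an early flag.
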
Processor management

Update processor contracts with state-specific clauses

Align master service agreements and data processing addenda with the contractual minimums mandated across the statutes so processors can prove compliance on demand.

  • Mandate purpose limitation. Require processors to handle personal data solely on documented instructions, mirroring Minnesota Section 7, Oregon Section 6, Texas Business & Commerce Code §541.104, and Colorado §6-1-1305 requirements.
  • Flow down security and deletion duties. Insert explicit confidentiality, security safeguard, and deletion/return obligations and require processors to assist with consumer rights and DPIA responses.
  • Control subcontracting. Enforce prior authorisation for subprocessors and obligate equivalent contract terms, satisfying each statute’s subprocessor clause.
  • Secure audit rights. Preserve controller rights to assess processor compliance through SOC report reviews, questionnaires, or onsite audits so evidence is available if an Attorney General issues a civil investigative demand.

DPIA operations

Integrate state DPIA triggers into enterprise risk cadences

Blend state-specific data protection assessment requirements with enterprise risk management so privacy, legal, and product teams close gaps before enforcement escalates.

  • Extend DPIA intake. Add Minnesota, Oregon, Texas, and Colorado trigger questions (targeted advertising, data sales, sensitive data, profiling with significant effects) to existing privacy impact forms.
  • Map to board risk reporting. Align assessment outputs with ERM heat maps and board privacy dashboards, highlighting the end of Colorado’s cure period and approaching Minnesota effective date.
  • Version remediation artefacts. Store DPIA decisions, mitigations, and residual risk acceptance with statute tags so you can respond to AG subpoenas or consumer complaints inside statutory timelines.
  • Coordinate with procurement. Require DPIA sign-off before renewing ad-tech, data broker, or profiling services that expand into Minnesota or Oregon markets.

Regulatory intelligence

Monitor enforcement signals and cure periods

Build a monitoring workflow that surfaces enforcement posture changes, AG rulemaking, and published universal opt-out mechanism lists.

  1. Track Attorney General actions. Subscribe to Minnesota, Oregon, Texas, and Colorado AG consumer protection RSS feeds and docket alerts to log civil investigative demands, settlement terms, and penalty calculations.
  2. Log cure-period expirations. Update compliance calendars: Colorado’s cure period expired 1 Jan 2025, Oregon’s sunsets 1 Jan 2026, and Minnesota’s ends 31 Jan 2026, while Texas maintains an ongoing 30-day cure opportunity.
  3. Capture rulemaking updates. Document Minnesota and Oregon Attorney General notices designating approved opt-out mechanisms and Texas AG guidance on acceptable “clear and conspicuous” notices.
  4. Escalate consumer complaint trends. Correlate opt-out and access request metrics with AG complaint data to detect when enforcement risk is escalating in a particular jurisdiction.

Guide changelog

Track material updates

Share changelog entries with privacy programme owners so inventory, consent, and enforcement workstreams stay aligned.

Last refreshed
23 November 2025 — added a research crosslink article and execution plan so controllers can jump straight to Zeph Tech’s Minnesota enforcement, Delaware youth advertising, and Oregon nonprofit governance briefings while tracking opt-out, teen consent, and nonprofit onboarding deliverables. [Compliance Briefing — August 1, 2025; Compliance Briefing — August 18, 2025; Compliance Briefing — September 3, 2025]

Next planned review
1 March 2026 — evaluate Delaware AG enforcement trends and Minnesota cure-period expiration impacts on inventory governance.