Keypoint: Last week, bills passed the Montana and Arkansas legislatures while bills advanced in Alabama, Florida, Oregon, and Texas.

Below is the fifteenth weekly update on the status of proposed state privacy legislation in 2025. As always, the contents provided below are time-sensitive and subject to change.

Table of Contents

1. What’s New
2. AI Bills
3. Bill Tracker Chart

1. What’s New

The big news this week was two state legislatures passing data privacy bills.

First, as we foreshadowed last week, Montana’s legislature passed Senator Zolnikov’s SB 297. The bill had previously passed the Senate but needed one final vote after it was amended while in the House. It ultimately unanimously passed the Senate (50-0) on April 15. As a reminder, the bill amends Montana’s existing consumer data privacy law to lower the applicability threshold, modify the GLBA entity-level exemption and non-profit exemption, add Connecticut/Colorado-style children’s privacy protections, add Minnesota-style privacy policy and request to access provisions, and remove the right to cure.

Over 1,600 miles south east, the Arkansas legislature passed three bills prior to closing for the year. First, the legislature passed the Arkansas Children and Teens’ Online Privacy Protection Act (HB 1717). We provided a rundown of the bill here, including its many unique provisions. The Arkansas legislature also passed SB 611 and SB 612, which focus on social media companies. On the other hand, the legislature did not pass HB 1726 (Arkansas Kids Online Safety Act) and SB 258 (Arkansas Digital Responsibility, Safety and Trust Act).

In other developments, we continue to see movement with Oregon bills. HB 2008 passed the House on April 17. The bill amends the state’s consumer data privacy law to prohibit the sale of personal data or processing of personal data for targeted advertising or profiling if the controller has actual knowledge or willfully disregards that the consumer is under 16 years or age. It also prohibits the sale of precise geolocation data.

Turning to children’s privacy bills, the Texas Senate passed SB 2420 on April 16. The bill creates age verification requirements for app stores. In addition, SB 2881 (amends SCOPE Act) passed out of a Senate committee on April 14.

In Alabama, SB 187 (children’s privacy) passed the Senate on April 17. The Alabama legislature closes in mid-May so there is still time for the bill to move in the House.

In Florida, SB 868 (social media) unanimously passed a second Senate reading.

Finally, turning to data broker bills, an amended Texas SB 2121 unanimously passed out of committee on April 15 and was recommended for the local and uncontested calendar. The amended version of the bill changes the definition of “data broker” to broaden its applicability. Specifically, the bill removes the requirement that the business entity’s principal source of revenue come from transferring personal data it did not collect directly from the individual.

2. AI Bills

Our latest edition of Byte Back AI is now available to subscribers. Subscriptions start as low as $50/month. In this edition, we provide:

• Updates on another law enacted in Montana, bills passing out of the legislatures in Montana, Arkansas, and North Dakota, and bills crossing chambers in Tennessee, Arizona, and Nevada.
• A summary of the committee hearing on Florida’s provenance bill.
• Our special feature this week – summaries of Arkansas HB 1958 (AI policies for public entities) and HB 1876 (ownership of model training and content).
• Our “three things to know this week.”
• An updated state AI bill tracker chart.

Click here for more information on paid subscriptions.

3. Bill Tracker Chart

For more information on all of the privacy bills introduced to date, including links to the bills, bill status, last action, and hearing dates, please see our bill tracker chart.