As the United States enters 2025 without an all-inclusive federal privacy law, state governments have accelerated their efforts to fill the regulatory void, creating an increasingly complex patchwork of data protection requirements across the nation.
Eleven new extensive privacy laws are scheduled to take effect in 2025 and 2026, extending coverage to 20 states and approximately half of the U.S. population, as five additional state privacy laws became effective in January 2025 across Delaware, Iowa, Nebraska, New Hampshire, and New Jersey.
Eleven new privacy laws will take effect by 2026, bringing comprehensive data protection to 20 states and half the U.S. population.
The regulatory environment will continue expanding throughout the year, with Minnesota and Tennessee implementing their privacy laws in July 2025, followed by Maryland’s Online Data Protection Act in October 2025.
By year’s end, 16 states will have extensive privacy laws in force, creating considerable compliance challenges for businesses operating nationwide. This state-by-state legal fragmentation complicates operational strategies, forcing companies to navigate varying requirements as they maintain consistent data practices.
Federal efforts toward establishing a thorough privacy framework persist, though authorities have shifted focus toward sensitive personal data and national security implications.
The Department of Justice issued new guidance restricting “bulk” sensitive data transactions involving certain foreign countries of concern, while Executive Order 14117 aims to prevent foreign access to Americans’ bulk sensitive personal data.
The implemented Data Security Program restricts bulk data transactions with countries including China, Iran, and Russia. The FTC Act provides the Federal Trade Commission with broad authority to prevent unfair practices and protect consumers in commercial transactions.
Enforcement activities are intensifying across multiple jurisdictions, with state attorneys general and regulators increasing scrutiny of data practices.
Arkansas sued General Motors in February 2025 for allegedly collecting and selling consumer driving data without informed consent, highlighting growing concerns over consumer awareness regarding data sales to third-party brokers.
Litigation is expected to increase substantially in areas concerning informed consent and third-party data transactions.
Companies face mounting pressure to establish strong compliance programs addressing varying state requirements, heightened due diligence during business transactions, and continual updates to privacy frameworks. The California Privacy Protection Agency emphasized data minimization requirements for businesses under CCPA through enforcement advisory guidance issued in April 2024.
Many new laws introduce cure periods for alleged violations, allowing businesses time to rectify issues before facing penalties, though the absence of standardized consent requirements creates consumer confusion and inconsistent protections nationwide.
