Every year at this time I sit down to write a blog article, tying the experiences that I have during the holiday season into the world of data privacy. This year I have struggled to come up with a topic that really spoke to me. But, as I sat down to write my family’s annual Christmas card, I thought that a year in review might be fitting. Just like with my Christmas card there is limited space to create an adequate picture of the entire year. The data privacy world changes so fast that the list of changes could be as long as the wish list my kids send to Santa. Therefore, this year in review will be focused on the changes that occurred within the US data privacy landscape in 2025.
Comprehensive Data Privacy Laws
Although in 2025 no states enacted new comprehensive data privacy laws, the year was met with eight states’ comprehensive data privacy laws coming into effect. These include, the Delaware Personal Data Privacy Act (DPDPA), the Iowa Consumer Data Protection Act (IACDPA / ICDPA), the Nebraska Data Privacy Act (NDPA / NEDPA), the New Hampshire Data Privacy Act (NHDPA), the New Jersey Data Protection Act (NJDPA), the Tennessee Information Protection Act (TIPA), the Minnesota Consumer Data Privacy Act (MCDPA) and the Maryland Online Data Privacy Act (MODPA).
Although these eight new regulations coming into effect reflects a growing commitment to data protection at the state level, the absence of harmonization across these laws creates significant compliance complexity for organizations, as each state adopts a distinct regulatory approach.
Amendments to Existing Comprehensive Data Privacy Laws
As stated in an IAPP report, the consistency of data privacy regulations in the United States was additionally shaken in 2025 because, “as of mid-2025, eight states — Colorado, Connecticut, Kentucky, Montana, Oregon, Texas, Utah and Virginia — have amended their comprehensive privacy laws; further proposed amendments are pending in California and New Jersey.” California also made amendments to the California Consumer Privacy Act through an opt-out requirement, “making California the first state in the nation to require browsers to offer users a simple, built-in way to tell websites not to sell or share their personal information.”
These amendments reflect an ongoing regulatory evolution in state-level data privacy frameworks.
Federal Changes
We can see that the landscape of data privacy law is ever changing in the United States. However, there is a different momentum when we look for uniform changes especially through the implementation of a federal law which made no progress in 2025. After the movement in 2024, a passage of the American Privacy Rights Act, despite initial momentum and bipartisan leadership, did not pass the full House or Senate and is unlikely to become law in its current form. (Read more about the American Privacy Rights Act here.)
States, not Congress, continue to be the driving force behind practical outcomes in data privacy regulation.
Other Data Privacy Regulations
Along with comprehensive state privacy laws, many states have also taken more targeted regulatory approaches to protect specific categories of personal data.
In particular, several states have enacted laws addressing the collection and use of sensitive health-related data, including restrictions on geofencing around health-care facilities, limitations on the sale or use of reproductive-health data, and enhanced protections for biometric and genetic information. These sector-specific measures reflect a growing tendency among states to respond quickly to perceived risks through focused legislation.
Enforcement
Along with new laws becoming effective, 2025 also saw an uptick in state enforcement of existing privacy statutes including multi-million-dollar settlements. The Federal Trade Commission (FTC) reached a settlement offer with Disney for $10 million, for their violation of the Children’s Online Privacy Protection Act (COPPA). Texas Attorney General Ken Paxton also made clear that, “in Texas, Big Tech is not above the law.” Winning a $1.38 billion settlement against Google. Attorney General Tong announced an $85,000 Settlement with TicketNetwork for Violations of the Connecticut Data Privacy Act. The state of Florida has also filed a suit stating, “the Attorney General brings this enforcement action pursuant to the Florida Deceptive and Unfair Trade Practices Act…to protect Florida’s children and families’ privacy rights and end Roku’s violations of Florida law.”
With comprehensive data privacy laws now in force, state regulators have moved from legislative implementation to active enforcement. The cases filed and fines issued in 2025 underscore that enforcement is no longer hypothetical, but an integral part of regulatory application.
Collaboration
In 2025 we also saw the first efforts of states working together in their data privacy actions. A multi-state Consortium of Privacy Regulators was established in the spring, with the participating states agreeing to:
- “Hold regular meetings and facilitate discussions on privacy law developments.
- Share enforcement priorities and coordinate investigations.
- Leverage technical and legal expertise across jurisdictions.
- Align enforcement around common statutory rights, such as access, deletion and opt-outs from the sale of personal information.”
These developments point toward a more coordinated and increasingly rigorous enforcement environment, even without new federal privacy legislation.
Conclusion
In conclusion, if I were data privacy in the U.S. and writing my year in review on a Christmas card, here would be my text to you this holiday season:
Taken together, 2025 may be remembered less for the passage of new laws and more for the maturity of the U.S. data privacy regulations already in place. While federal legislation remains elusive, states have shown that enforcement, coordination, and meaningful penalties can shape behavior just as effectively. As we look ahead to 2026, organizations should treat U.S. data privacy as an increasingly interconnected enforcement environment.