2025 Brought Us Eight US “Comprehensive” Privacy Laws, What’s Next?

For those keeping track of the growing list of US state “comprehensive” privacy laws, you know that the Maryland law (the Maryland Online Data Privacy Act or MODPA) went into effect on October 1^st. This rounds us out for US state privacy laws in 2025, bringing the total to 17 (or 16, if you discount Florida). Next up will be Indiana, Kentucky, and Rhode Island (all on January 1, 2026).

While we have provided extensive information about these laws as they were passed, including this post and our online state law tracker, it’s worth keeping in mind a few practical steps, especially as we wait for our next round, and undoubtably ongoing changes to the existing laws.

1. Have a regular cadence for reviewing your privacy policy. States -like Maryland- have specific content requirements. There is also exposure under deceptive trade practice laws if the policies are incorrect.
2. Review how and when you will provide “rights” like access and correction. Will the fact that a growing number of jurisdictions provide these rights tip you into the realm of offering them to all individuals?
3. Review your collection and storage practices. How are you addressing data minimization requirements, like those in Maryland? What about your treatment of sensitive information and your data sales practices? Are you meeting the growing patchwork of obligations that apply to digital targeting? What about the complex matrix of obligations for collection and use of children’s information?

Maryland -and other states- have attempted to reduce risk for businesses by creating cure periods (in Maryland the cure period is 60 days, but that sunsets on April 1, 2027) and not providing private rights of action. However, not all privacy risks in the US stem from these comprehensive state laws. And those laws do not necessarily have cure periods, and may also provide for private rights of action. The steps above may thus help in the face of this complex state patchwork.

Putting it into Practice: October for many entities is the height of planning for the coming year. The growth of the US privacy law patchwork does not seem to be slowing down, and putting in place methods for addressing privacy notice, choice, and other data practices is a good thing to have on the schedule for 2026.