As we step into 2025, data privacy laws in the United States are evolving rapidly. With eight new state privacy laws taking effect, businesses face an increasingly complex web of compliance obligations—even in states without dedicated privacy regulations.
The Push for Federal Privacy Legislation Stalls—States Take the Lead
While there was initial optimism in 2024 around the passage of federal comprehensive privacy legislation, those efforts ultimately failed to gain traction in Congress. While it appears unlikely that we will see similar efforts on a federal level under the next administration, state legislatures and state attorneys general have shown an increasing willingness and ability to address data privacy at the state level.
Eight New State Privacy Laws in 2025
This year, Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee join the ranks of states with comprehensive consumer privacy laws. These additions bring the total to 16 states, including:
- California
- Colorado
- Connecticut
- Montana
- Oregon
- Texas
- Utah
- Virginia
This count excludes sector-specific laws, like Washington’s My Health My Data Act, or those with limited applicability, such as Florida’s Digital Bill of Rights.
What This Means for Your Business
If your business operates in—or has customers or employees in—these states, now is the time to review your data privacy practices. Key areas to assess include:
- Data collection: Have you provided notice or obtained consent for the data you are collecting? Are you collecting only what is necessary?
- Data retention: How long do you keep consumer data?
- Data protection: Are your security measures robust and up to date? When was your last security risk assessment?
- Individual rights: Are you equipped to honor consumer rights under these laws?
While many of these state laws exempt businesses under certain revenue and consumer thresholds, others, such as the Texas Data Privacy and Security Act, have little or no minimum threshold for compliance.
State Enforcement: A Growing Priority
We expect oversight and enforcement by state regulators to take up the baton for any lag in federal action.
As an example, earlier in 2024, the New York Attorney General’s Office reminded businesses that New York consumer protection laws require websites’ representations concerning privacy to be truthful and not misleading. This guidance was especially surprising given that New York has not yet enacted a comprehensive privacy law that regulates a business’s privacy practices.
Similarly, Texas, where a comprehensive privacy law became effective in July 2024, has also been active recently in the enforcement space. Barely one month after the Texas Data Privacy and Security Act became effective, the Texas Attorney General filed suit against a major automotive manufacturer related to the alleged unlawful collection and sale of individuals' private driving data.
Also, in January of this year, Texas sued a large insurance company for violating the Texas state privacy law by unlawfully collecting drivers’ location data and then using and disclosing that data without providing notice to or obtaining consent from consumers.
Mitigating Heightened Risk for Businesses Nationwide
Businesses, even in states without comprehensive privacy laws, face increased compliance risks. To mitigate these risks, companies should assess the data they collect, understand applicable laws, and ensure their consumer representations align with their data practices.
