A PYMNTS Company

Momentum Slowed For State Privacy Legislation in 2025, but Enforcement Ramped Up

November 11, 2025

After five years of near-constant legislative churn, 2025 marked a pause in the expansion of state comprehensive privacy laws. With no new state-level privacy laws enacted for the first time since 2020, lawmakers and enforcers shifted focus to amending existing statutes, drafting regulations, and stepping up enforcement.

    The result is a more fragmented yet increasingly aggressive privacy landscape that is testing corporate compliance programs across the U.S.

    Dozens of state privacy bills failed to clear legislative hurdles this year, including measures in Alabama, Georgia, Oklahoma, Maine, and Vermont. Massachusetts and Pennsylvania advanced comprehensive bills late in the year, but as of early November both remained in limbo. The absence of new laws appears less a sign of waning interest than of maturing state privacy regimes, according to an analysis compiled by the non-profit research organization IAPP.

    In place of new frameworks, nine states revised their existing laws, often expanding their reach and complexity. Connecticut led the way with SB 1295, an overhaul that broadens coverage thresholds, adds new consumer rights, and, notably, requires companies to disclose whether personal data is used to train large language models (LLMs). The measure, which takes effect in mid-2026, also bans targeted advertising to minors under 18.

    Other states followed suit. Montana expanded its applicability thresholds and eliminated companies’ right to cure privacy violations. Oregon, Colorado, and Kentucky aligned their statutes with emerging norms on sensitive data and profiling, and Texas added AI-specific obligations in its data privacy and biometric laws.

    Virginia added limits on social media use by minors, while Utah introduced a right to correct personal data. California, which has often led the way on privacy protections, enacted the “Opt Me Out Act,” requiring browsers to include easy-to-find settings enabling consumers to activate opt-out preference signals.

    With legislative activity cooling, state agencies accelerated rulemaking. The California Privacy Protection Agency finalized extensive updates to the CCPA, including new rules on automated decision-making, risk assessments, and cybersecurity audits. Beginning in 2028, companies must submit compliance certifications under penalty of perjury, an unprecedented requirement in the privacy space.

    Colorado’s attorney general updated its privacy rules to implement protections for minors, clarifying how “willful disregard” of a minor’s age is determined and defining design features that increase minors’ online engagement. In New Jersey, draft regulations under the 2024 Data Privacy Act drew industry concern for their novel treatment of “scraped” data and for limiting the internal research exception for AI training without consumer consent.

    If legislatures were quieter, enforcement agencies were anything but. California’s CPPA and attorney general’s office collectively extracted multimillion-dollar settlements from companies over deficient privacy notices, consent mechanisms, and Global Privacy Control signal recognition. Connecticut issued an $85,000 fine for improper data disclosures, while Texas secured a $1.375 billion settlement with a major technology firm and filed additional lawsuits under its consumer privacy and data broker laws.

    States also expanded their reach into children’s privacy. A patchwork of new and amended minor online safety laws in Arkansas, California, Louisiana, Montana, Nebraska, Texas, Utah, and Vermont added overlapping obligations around age verification and parental oversight.

    State privacy and law enforcement authorities are also increasingly teaming up across borders to coordinate enforcement actions, including the formation of the 10-state Consortium of Privacy Regulators and a joint investigative sweep by California, Colorado and Connecticut.

    Many of those actions are also increasingly prescriptive, according to IAPP, with injunctive relief requiring companies to conduct quarterly tracking-technology scans, update data-processing agreements, and implement regular privacy audits, setting de facto compliance standards across jurisdictions.

    For businesses, the compliance challenge is shifting from learning new statutes to demonstrating readiness for audits and investigations. As one privacy attorney observed, “The age of implementation is giving way to the age of enforcement.”