U.S. State Privacy Laws Expand and Evolve

Why this Alert Is Important

The rapid evolution of U.S. state privacy laws has turned compliance into a moving target. With 13 comprehensive privacy laws already in effect and three more expected by the end of 2025, the landscape is becoming increasingly fragmented. Organizations must now contend with differing consumer rights, enforcement priorities, and AI-related provisions—all of which are creating mounting operational and regulatory pressure.

Key Developments in US Privacy Law

In a recent IAPP webinar, privacy leaders referred to the U.S. state law landscape as a “kaleidoscope”—a metaphor capturing the dizzying pace at which privacy laws are changing and multiplying.

• New Laws Incoming: 13 states currently have active privacy laws; by the end of 2025, this number will rise to 16. Meanwhile, over 15 additional states have proposed their own comprehensive bills.
• Novel Consumer Rights Introduced: Some states introduce new concepts in their laws. Oregon mandates consumer notification when data is shared with third parties, while Minnesota grants individuals the right to understand and contest decisions made via automated profiling.
• AI Legislation Picks Up Speed: States like Colorado, Utah, and California are enacting state-level AI laws that incorporate risk-based governance frameworks, echoing elements of the EU AI Act. These laws aim to prohibit high-risk AI uses and enforce transparency around algorithmic decision-making.
• State Enforcement Is Intensifying: The California Attorney General has continued enforcing the CCPA, with recent actions against DoorDash and Tilting Point Media. Meanwhile, in Texas, the first privacy lawsuit was filed under the Texas Data Privacy and Security Act against Allstate, signaling the start of broader enforcement nationwide.

These shifts demonstrate that compliance is no longer a one-time initiative but an ongoing process of monitoring, adapting, and aligning privacy strategies across jurisdictions.

Implications of the Changing US Privacy Landscape

Organizations relying on state-by-state compliance strategies will quickly find themselves overwhelmed. The increasing divergence in consumer rights, breach notification standards, and AI regulations demands a more scalable and intelligent approach to privacy governance.

Key risks include:

• Non-compliance due to varying definitions, obligations, and rights across states
• Legal exposure from failure to notify or act on data breaches
• Reputational harm from mishandling automated profiling or AI-based decisions
• Operational inefficiencies from duplicate, manual compliance workflows

The new privacy paradigm calls for an integrated ecosystem of privacy tools—from automated data discovery and consent management to risk assessments and incident response—to enable defensible, scalable compliance.

Data Privacy Tip

Automate and integrate your privacy processes. A cohesive privacy ecosystem should include automated data mapping, consent tracking, privacy impact assessments, incident response workflows, and compliance dashboards. This integrated approach allows you to proactively mitigate privacy risks, meet varied regulatory requirements, and respond quickly to evolving obligations—all while building long-term stakeholder trust.

Explore 5 Must-Have Privacy Tools Every Organization Needs In 2025