Go Back
Data Privacy Alerts

U.S. State Privacy Laws Expand and Evolve

Review the latest updates to state privacy laws in this data privacy alert.

Why this Alert Is Important

The rapid evolution of U.S. state privacy laws has turned compliance into a moving target. With 13 comprehensive privacy laws already in effect and three more expected by the end of 2025, the landscape is becoming increasingly fragmented. Organizations must now contend with differing consumer rights, enforcement priorities, and AI-related provisions—all of which are creating mounting operational and regulatory pressure.

Key Developments in US Privacy Law

In a recent IAPP webinar, privacy leaders referred to the U.S. state law landscape as a “kaleidoscope”—a metaphor capturing the dizzying pace at which privacy laws are changing and multiplying.

  • New Laws Incoming: 13 states currently have active privacy laws; by the end of 2025, this number will rise to 16. Meanwhile, over 15 additional states have proposed their own comprehensive bills.
  • Novel Consumer Rights Introduced: Some states introduce new concepts in their laws. Oregon mandates consumer notification when data is shared with third parties, while Minnesota grants individuals the right to understand and contest decisions made via automated profiling.
  • AI Legislation Picks Up Speed: States like Colorado, Utah, and California are enacting state-level AI laws that incorporate risk-based governance frameworks, echoing elements of the EU AI Act. These laws aim to prohibit high-risk AI uses and enforce transparency around algorithmic decision-making.
  • State Enforcement Is Intensifying: The California Attorney General has continued enforcing the CCPA, with recent actions against DoorDash and Tilting Point Media. Meanwhile, in Texas, the first privacy lawsuit was filed under the Texas Data Privacy and Security Act against Allstate, signaling the start of broader enforcement nationwide.

These shifts demonstrate that compliance is no longer a one-time initiative but an ongoing process of monitoring, adapting, and aligning privacy strategies across jurisdictions.

Implications of the Changing US Privacy Landscape

Organizations relying on state-by-state compliance strategies will quickly find themselves overwhelmed. The increasing divergence in consumer rights, breach notification standards, and AI regulations demands a more scalable and intelligent approach to privacy governance.

Key risks include:

  • Non-compliance due to varying definitions, obligations, and rights across states
  • Legal exposure from failure to notify or act on data breaches
  • Reputational harm from mishandling automated profiling or AI-based decisions
  • Operational inefficiencies from duplicate, manual compliance workflows

The new privacy paradigm calls for an integrated ecosystem of privacy tools—from automated data discovery and consent management to risk assessments and incident response—to enable defensible, scalable compliance.

With the likelihood of a federal privacy bill still uncertain, state-level momentum for comprehensive privacy legislation is stronger than ever. While these state laws often share common elements, they also contain critical differences, creating a complex patchwork of obligations for businesses. Operating nationwide may require a compliance strategy that can accommodate the varying requirements of different state privacy laws.

Recent enforcement actions serve as an important reminder for businesses to evaluate how the expanding landscape of data privacy laws impacts their operations. A successful privacy compliance strategy involves developing programs based on essential privacy standards such as notice, transparency, consumer rights, and data security, while allowing for state-specific adjustments where necessary. Now is the time to identify compliance gaps, assess potential risks, and implement changes to mitigate those risks, all while consistently monitoring and adapting to evolving state laws.

Amira Bucklin, Associate, Rutan

Data Privacy Tip

Automate and integrate your privacy processes. A cohesive privacy ecosystem should include automated data mapping, consent tracking, privacy impact assessments, incident response workflows, and compliance dashboards. This integrated approach allows you to proactively mitigate privacy risks, meet varied regulatory requirements, and respond quickly to evolving obligations—all while building long-term stakeholder trust.

Explore 5 Must-Have Privacy Tools Every Organization Needs In 2025

Download PDF

Redefining how your business manages data risk.
Get Started
Mitigating enterprise data risk.
ResourcesBlogPodcastCase StudiesWhitepapers
ProductseDiscoveryDigital ForensicsData GovernancePlatform & Intelligence
IndustriesFinancial Services & InsuranceHealthcare & Life SciencesEnergy & UtilitiesGovernment & Public Sector
CompanyNews & PressCareersTrust CenterContact Us
© 2026 Exterro. All rights reserved
Trust CenterModern Slavery StatementPrivacy Policy
Do Not Sell or Share My Personal Information