Cold weather returned to Washington, D.C. this week. Songbirds and congressional representatives alike began to migrate through the beltway, pausing, in some cases, to vote to reopen the federal government before continuing with their preparations for winter.
The six-week shutdown had ramifications across the economy. The main effect in our narrow but mighty corner of tech policy, aside from the slowing of privacy enforcement and other administrative activity, was a major delay in policymaking. Most lawmakers, especially in the shuttered House of Representatives, placed their legislative plans on hold. This includes the expected comprehensive privacy discussion draft from Rep. Brett Guthrie, R-Ky., chair of the House Committee on Energy and Commerce, which now will be hard pressed to see the light of day before the end of 2025.
Once the chambers settle back into business as usual — if such a thing can be said to exist anymore — all this pent-up policymaking is likely to burst forth in a flood of hearings, bills, and long-delayed committee meetings.
Though the lack of federal activity may be unusual, the lack of results is not. The same cannot be said at the state level, where 2025 has been uncharacteristically quiet when it comes to the passage of new comprehensive consumer privacy laws. The gap in new laws is a data point that David Stauss and Jordan Francis describe in their recent reflection on the 2025 state legislative cycle as "conspicuous and enigmatic" when compared with the past five years of rapid advancement of these laws across the states.
The Stauss and Francis retrospective is a must-read as it serves as a one-stop shop for all the U.S. state-level privacy developments over the past year, from amendments to enforcement. Despite the lack of new laws, the article paints a stark picture of just how busy state legislatures have been this year, with nine states amending their consumer privacy laws in some form or another.
This so-called "amendment era" is a big deal, especially when coupled with the substantive rulemaking activity in California and pending rules in other states, like New Jersey. On balance, it is hard to say whether all this activity has made the U.S. consumer privacy patchwork more divergent or less. Some of the most substantive amendments, like Connecticut's overhaul, largely borrow from other states in ways that increase interoperability. It is probably safe to say that new regulatory obligations will have a larger operational impact than any of the amended state codes.
As ever, the devil is in the details. For some helpful perspective on just how much these details matter, I highly recommend a new report from the Centre for Information Policy Leadership, which provides a streamlined overview of the state-level approach to defining sensitive personal data. The only downside to the report is that it does not reflect the new 2025 amendments, which, at least in the cases of Colorado, Connecticut and Oregon, make load-bearing changes to sensitive data requirements (an understandable oversight given the pace of change).
Nevertheless, the report serves as a useful resource because it illustrates how small differences can have major compliance impacts, even if the overall trend is toward convergence.
For an even deeper dive into current state privacy requirements, IAPP members have access to a refreshed U.S. State Comprehensive Privacy Laws Report. I promise this one does reflect the most up-to-date changes in the states, at least at the time of publication — it even includes a handy chart tracking 2025's amendments. In the report, my esteemed colleague, Müge Fazlioglu, reflects on the trends we saw this year, while also updating our many comparison charts and graphs to demonstrate current baseline compliance obligations.
One could imagine still deeper dives on the tripwires and nuances between states. For example, neither the CIPL nor the IAPP report devotes space to examining the differing definitions and treatment of biometric and genetic information under various state laws. Small differences can create compliance ripple effects — or at least ambiguities. For example, Maryland’s definition of biometric data was broadened to include data that "can be used to uniquely authenticate a consumer's identity." Other states, instead, limit this only to data that is used or intended to be used for such purposes. It remains to be seen how much water the addition of "can" will carry, but from a technical perspective, a "can be used" standard is significantly more inclusive than an intended one.
Substantive requirements for sensitive data differ too, not just whether specific data types are included. Maryland bans the sale of sensitive data — or at least makes an attempt to do so. Oregon's amendments this year have done the same for precise location data.
At the end of the day, whether privacy teams feel operational differences between state privacy laws will depend significantly on the business reality of each organization. But the 2025 session has proven again why privacy programs are not a set-it-and-forget-it exercise. Adapting to new amendments and forthcoming regulatory requirements means treating privacy as a living and breathing governance practice.
Although simplification may be the word of the day in the European Union, the same is not true in the United States, at least not until federal legislators return to the forefront of the conversation. Even then, continued advancement of sectoral, niche and kids-focused state rules means the patchwork, in some form, is here to stay.
Please send feedback, updates and migration stories to cobun@iapp.org.
Cobun Zweifel-Keegan, CIPP/US, CIPM, is the managing director, Washington, D.C., for the IAPP.
