At the start of the year, the IAPP hosted a webinar with Hunton Andrews Kurth Associate Danielle Dobrusin and Centre for Information Policy Leadership Director of Privacy and Data Policy Matthew Reisman, who walked the audience through recent changes in the patchwork of U.S. state privacy laws, trends in enforcement, state-level AI law developments and compliance strategies, among other key privacy issues being debated within state capitols.
Early in the conversation, Reisman introduced a unique term for this sprawling group of U.S. state privacy laws, describing it as a kaleidoscope "because it gets more dizzying every week and the colors get a little more vivid as different variants emerge." Indeed, with Maryland's unique data minimization requirements and Minnesota's wrinkles around profiling decisions coming into force this year, the collective of U.S. state privacy laws have come to rival the EU General Data Protection Regulation in their overall complexity.
U.S. state privacy law in 2025
As a quick refresher, the total number of comprehensive U.S. state privacy laws in force today is 13, a number set to increase to 16 by the end of the year. And the sprint has already begun: in just the first few months of 2025, at least 15 additional states have proposed at least one comprehensive consumer privacy bill, and some have introduced several.
And the kaleidoscope continues to twirl. Joining the well-established suite of consumer rights to access, correction, deletion and data portability that appear across all U.S. state privacy laws, new consumer rights have been enshrined. These include a twist on transparency in Oregon's right to be notified of third-party recipients of personal data as well as the above-mentioned novel right under Minnesota's law for consumers to question and be informed of the reasons behind profiling decisions that produce legal or other similarly significant effects. Novel provisions such as these have added new textures to the U.S. state law kaleidoscope.
State-level enforcement trends: High- and low-hanging fruit
With all these new state privacy laws in focus, Dobrusin broke down the areas of priority for future U.S. state privacy law enforcement.
Surveying a broad range of formal enforcement actions, sweeps and advisories, her list included the sale of personal data, global privacy control, the ability of consumers to make rights requests and the use of dark patterns as top enforcement priorities across jurisdictions. As she explained, other sorts of "low-hanging fruit" ripe for enforcement include issues such as whether privacy notices provide sufficient notice of consumers' rights under the law and appropriate methods for exercising these rights.
Considering enforcement priorities, it's important to recall that 2024 saw the second and third settlements of public enforcement actions under the California Consumer Privacy Act, following the 2022 fine of USD1.2 million against online retailer Sephora for failure to disclose the sale of personal data and failure to honor opt-out requests. Last year's CCPA enforcement actions were directed against Tilting Point Media, a mobile game developer, for collecting and sharing children's data without parental consent, and DoorDash, a food delivery platform, for selling the personal information of its consumers without providing notice or opt-out options.
Outside of California, enforcement in other states has also been heating up. On 13 Jan., the Texas attorney general filed the first lawsuit enforcing the Texas Data Privacy and Security Act against insurance company Allstate and its subsidiary Arity for unlawfully collecting, using and selling geolocation and movement data from Texans' cellphones.
Indeed, as Dobrusin put it, "State regulators are certainly becoming more proactive," and we are likely to see more enforcement actions as cure periods expire.
The speed of AI legislation
Alongside this state-level lawmaking activity and enforcement around privacy, AI has occupied a significant slice of state lawmakers' agendas as well. In Reisman's words, "If you think privacy's moving fast, look at the AI lawmaking landscape." Colorado, Utah and California have all enacted state-level AI legislation establishing consumer protections, with dozens more active AI bills throughout other states. From algorithmic discrimination bills introduced in Connecticut and Virginia to the Texas Responsible AI Governance Act, these bills mirror the EU AI Act, applying risk-based frameworks to AI systems, prohibiting AI uses that pose unacceptable risks and establishing an AI sandbox for businesses to test new applications with limited scrutiny from regulators.
Harmonizing U.S. state privacy law: Strategies for compliance
So, given this dizzying array of new laws, how are organizations finding ways to harmonize compliance across the entire field of U.S. state privacy, while accounting for the growing number of unique provisions across states?
As Dobrusin explained, when there was only a handful of state laws, companies were more likely to take a state-by-state approach. As the number of states passing comprehensive privacy laws reached 19, such an approach became untenable. Now, as she laid out, the challenge is two-fold. "We want to ensure compliance with baseline privacy principles across jurisdictions, and we also want to address state-specific variations without creating excessive operational burdens," she said.
One way she suggested to approach this is to find commonality between laws and to implement policies "across the board." This means doing things like offering the full suite of consumer privacy rights to consumers in every state, applying data minimization and data processing restrictions across jurisdictions, obtaining opt-in consent to process sensitive information even in states with an opt-out requirement and conducting risk assessments for data processing activities even if they are only happening in certain states.
There are also customer service/public relations reasons for not offering rights only to a select handful of consumers in certain states. In practice, this may mean offering consumers the right to opt out of profiling even in states that do not provide this right. Another example is offering consumers the right to delete all data the business has collected about them, even though some states only require businesses to provide the right to delete for data collected "from the consumer."
The key, Dobrusin explained, is to build programs around core privacy principles such as transparency, data security and consumer rights, while allowing for state-specific adaptations. Other core strategies she recommended included creating a centralized privacy governance team to ensure consistent policies, training and risk assessments across jurisdictions, as well as continuously monitoring and adapting to state laws.
The 64,000-dollar question: Prospects for U.S. federal privacy legislation in 2025
No discussion of U.S. state privacy law would be complete without invoking the federal privacy debate, which was the final topic covered. Admitting his Magic 8 Ball is "notoriously murky" for what's coming ahead in U.S. federal privacy legislation, Reisman noted there are a couple of factors that would drive passage this year. For one, there is unified control of Congress and the White House, which he explained "creates certain opportunities for convergence across those houses and the branches of government for passing a law. However, that is not a guarantee." More important is the relative position of privacy on Congress's agenda. The 64,000-dollar question, as he put it, is where privacy stacks up against other legislative priorities given the inherent time constraints Congress faces in legislating.
To recall, two of the main stumbling blocks in the federal privacy debate have been preemption of state law, the idea that a federal law would essentially override and effectively cancel out any state laws that offered higher protection, and the private right of action, which would give individuals the right to enforce the law through private litigation and class-action lawsuits. Any federal privacy law would need to settle both contentious issues.
Dobrusin added that many businesses and trade groups have stepped up their support and lobbying for a preemptive federal privacy law on account of the complexity and burden of complying with so many different state laws as their number continues to multiply.
Indeed, given the plethora of privacy legislative and enforcement activity that has emerged from the states, the outcomes of privacy discussions at the federal level are as consequential as ever. In the face of this uncertainty, the knowledge about the intricacies of U.S. state privacy law and strategies for compliance harmonization laid out during this webinar will almost certainly prove invaluable.
Müge Fazlioglu, CIPP/E, CIPP/US, is the principal researcher, privacy law and policy, at the International Association of Privacy Professionals.