Retrospective: 2025 in state data privacy law

Although 2025 may end as the first year since 2020 in which no new state comprehensive privacy law is enacted, this year was anything but quiet. We saw hundreds of consumer privacy bills introduced, newly enacted amendments to existing laws, multiple states engaging in rulemaking, including potentially game-changing rulemaking in California, new sectoral laws addressing health and youth privacy and online safety, and an uptick in state enforcement activity. 

No new comprehensive laws: A turning tide? 

For the first time since 2020, we may not see any new state comprehensive privacy laws enacted this year. This lack of activity is conspicuous and enigmatic. This could be a natural consequence of diminishing marginal returns if the states that were most likely to enact privacy legislation have already done so. It could be simple bad luck, given how unpredictable the legislative process can be. 

Bills in Alabama (HB 283), Oklahoma (SB 546) and Georgia (SB 111) all stumbled at the final steps. Given other events happening at the local, state, federal and global levels, state lawmakers could have had more pressing legislative priorities than privacy this year. Or the content of the bills themselves could have diminished the likelihood of passage, as multiple states considered diverging models from the status quo. Legislators in Maine (LD 1822) and Vermont (H208) once again considered bolder, more-restrictive frameworks, but neither state got as close this year as they did in 2024.