
The Privacy Patchwork Deepens: 20 States Now Enforce Consumer Data Laws as Federal Action Stalls

January 30, 2026 • Legal • By Olivia Garcia

California and Texas lead enforcement while new state laws create layered compliance obligations

The absence of a comprehensive federal privacy statute continues to drive a proliferation of state-level data protection laws, with 20 states now enforcing consumer privacy statutes as of January 2026. The result is an increasingly complex compliance landscape for businesses operating across state lines, with each jurisdiction imposing its own requirements around data collection, consumer rights, and enforcement mechanisms.

The year 2025 marked a notable shift in the privacy landscape. For the first time since 2020, no new state passed a comprehensive privacy law, despite 13 states introducing privacy bills. Political disagreements, competing priorities around AI regulation, and resistance from both business groups and privacy advocates contributed to the pause. Yet the compliance burden continued to grow as previously enacted laws took effect throughout the year.

Seven new comprehensive privacy laws became effective in 2025 alone. Delaware, Iowa, Nebraska, and New Hampshire launched their statutes on January 1, followed by New Jersey on January 15. Tennessee’s Information Protection Act followed in July, and Maryland’s Online Data Privacy Act, one of the most stringent state laws to date, took effect on October 1. Maryland’s law applies to entities processing data from as few as 10,000 consumers, a significantly lower threshold than most comparable statutes.

California continued to refine its regulatory framework with far-reaching consequences. In September 2025, the California Privacy Protection Agency finalized regulations on cybersecurity audits, risk assessments, and automated decision-making technology. These regulations went into effect on January 1, 2026, though businesses have staggered compliance deadlines extending to 2028 for certain requirements. The new rules require businesses to conduct structured evaluations of their data safeguards and provide consumers with rights to opt out of automated decision-making in contexts like housing, employment, and healthcare.

Texas emerged as an unexpectedly aggressive enforcer in 2025. In January, the state filed the first-ever privacy lawsuit under a comprehensive state privacy law, alleging a car insurance company collected consumers’ geolocation data without consent. Texas Attorney General Ken Paxton also pursued enforcement actions against social media companies for alleged violations of children’s privacy protections. The state’s approach signaled that enforcement would not be limited to California.

At the federal level, the Department of Justice’s Bulk Data Rule took effect in April 2025, introducing restrictions on cross-border transfers of Americans’ sensitive personal data to countries of concern, including China, Russia, Iran, and North Korea. Additional requirements under the rule became effective in October. Meanwhile, breach notification requirements continued to evolve, with New York and California both adding 30-day deadlines to their notification statutes and Oklahoma expanding its definition of covered personal information for the first time since 2008.

Website tracking litigation added another layer of legal risk for businesses. Plaintiffs brought class action claims under state privacy statutes and even the Video Privacy Protection Act, a federal law originally intended to protect video rental histories, challenging the use of common technologies like analytics pixels and social media tracking tools. Circuit courts split on whether pixel tracking falls under the scope of older privacy laws, creating uncertainty for companies nationwide.

Looking ahead to 2026, compliance professionals face an environment where privacy, cybersecurity, and AI obligations increasingly overlap. Organizations that deploy artificial intelligence using personal data now confront layered requirements spanning consumer consent, risk assessments, transparency disclosures, and bias testing across multiple jurisdictions.

