Despite the absence of comprehensive federal privacy legislation, American businesses face mounting regulatory pressure from multiple directions. Brian McGinnis and Maddie San Jose of Barnes & Thornburg map the evolving privacy enforcement landscape, where federal agencies like the FTC are taking action against data brokers and platforms while states from California to Texas pursue their own aggressive enforcement agendas.
In the absence of a comprehensive federal data privacy law, the US privacy regulatory environment has evolved piecemeal, with agencies like the FTC enforcing data privacy requirements and nearly two dozen states establishing their own privacy frameworks.
For companies operating in the US, this can naturally lead to fragmentary compliance efforts — or even a “wait-and-see” approach — rather than a holistic, carefully constructed privacy program. But as the compliance grace periods for new state laws expire and state and federal regulators ramp up enforcement efforts, robust compliance can’t wait any longer.
Here are key developments businesses should watch for in 2025 and how best to prepare for the compliance tests ahead.
Regulators heighten data privacy enforcement efforts
Federal regulators set an ambitious pace for privacy enforcement last year, with a focus on protecting children’s privacy and safeguarding sensitive information like biometric, location and browsing data.
The FTC, for example, took enforcement action against five data brokers, alleging they were unlawfully collecting, using and selling location data that can be used to identify individuals and label them according to sensitive categories like religion, health and political orientation. It also prioritized issues involving children’s online activities, most notably by taking action against TikTok for “flagrantly violating” the Children’s Online Privacy Protection Act.
States have followed suit: multiple state authorities, such as those in Colorado and Connecticut, have ended the grace periods companies had to implement privacy protection programs and comply with new laws. Notably, the California Privacy Protection Agency — one of the most consequential regulators at the state level — began enforcing the data broker registration requirements under the state’s Delete Act in late 2024.
The Texas attorney general’s office was particularly active last year, too, taking action against Meta for collecting biometric data in violation of state law and TikTok for disclosing children’s data to third parties. More than 100 companies also received a notice from the Lone Star State’s attorney general for failing to register as a data broker, as stipulated by a state law that went into effect in 2023.
New privacy laws further complicate the regulatory landscape
This enforcement environment is likely to get even more complicated as new laws come into effect in 2025, bringing the total number of states with comprehensive privacy laws to 20. Delaware, New Hampshire, Nebraska, Iowa and New Jersey’s laws went into effect in January, with Tennessee and Minnesota’s to follow in July and Maryland’s coming into force in October. These new laws not only bring stricter data protection requirements but also enhance consumer rights and impose greater transparency obligations for businesses handling personal data.
While the new administration may take a different approach to regulating and enforcing privacy protections, companies should not count on a laxer approach from the FTC. After all, the new chairman, Andrew Ferguson, supported many of the privacy enforcement actions the agency took in 2024. Under his leadership, the agency is likely to have a continued focus on protecting sensitive data and children’s privacy.
Additionally, as geopolitical tensions between the US and other countries intensify, companies that engage in cross-border data transfers must reckon with the new DOJ rule limiting data transfers to “countries of concern,” including Russia and China, which goes into effect this year. Under this framework, companies will face significant security and compliance measures, with some transaction types banned altogether.
Best practices for privacy compliance in 2025
Beginning or strengthening compliance efforts can seem daunting when faced with a highly complex and constantly evolving patchwork of state and federal privacy laws. But following these established best practices can help organizations identify risks, minimize liabilities and establish smooth processes to adapt to future changes.
Understand existing data collection practices
Compliance teams first need to conduct a comprehensive audit to understand what kind of data the company is collecting and how, where it is being stored and how it is being used. It’s also critical to note whether the company is selling any data to third parties, as these transactions come with strict legal requirements of their own and are an enforcement priority for regulators like the FTC.
Marketing and sales departments may be a good place to start these audits, as these functions tend to drive data collection and usage to help decipher buyer preferences and reach potential customers.
Audits of some sort are often required by law. Most state privacy laws compel companies to complete a data protection impact assessment if they engage in targeted advertising, collect sensitive data (e.g., location, race or health) or sell such information. These assessments typically involve detailing the purpose and procedures behind the data processing, an evaluation of its necessity to the business and the risks to consumers and possible remedies to safeguard consumer rights.
Evaluate existing company privacy policies
Once compliance teams have a better understanding of the company’s risk profile, they should ensure their public-facing privacy policies are up to date. Even if the company is properly handling data, an outdated policy that runs counter to new privacy laws could get the company in trouble for something it isn’t even doing.
Additionally, an overly broad policy can cause just as many issues as an outdated one. Updated policies should accurately reflect the personal information and data actually collected and not attempt to over-include data as a catch-all.
Companies should also ensure their policies properly disclose the use of third-party tracking technologies and cookies on the website to give consumers a full picture of where their data is going.
Improve privacy program sophistication
Companies must be able to follow the privacy policies they put in place to mitigate privacy risks, since failure to comply with policies and applicable laws could lead to investigations and fines.
This requires putting in work on the back end to be able to effectively respond to consumer rights requests and provide information about how personal data is used and stored, including developing procedures for responding to requests for information from regulators. Having the proper documentation prepared and designated points of contact can help prevent a last-minute scramble should issues arise.
To mitigate additional risks, companies should establish robust compliance procedures for vetting vendors, evaluating new tools and keeping policies up to date. When sales or marketing teams are looking to purchase new tools or platforms from vendors, for example, this process tends to be driven by information technology (IT) teams that examine related compatibility and cybersecurity issues. But IT may not be aware of the privacy compliance issues these new tools could introduce, so businesses should ensure that their vetting processes bring in the compliance team from the start.
Privacy compliance can’t wait in 2025
With new rules coming into effect and enforcement efforts ramping up in 2025, now is the time for companies to prioritize privacy compliance.
Updated and actionable policies and procedures — coupled with a thorough knowledge of the business’s risk profile and the data it collects and processes — can help prevent costly legal issues as the privacy regulatory landscape grows more complex in the years to come.