The Proliferation Everyone Expected Didn’t Happen: What Stalled State Data Privacy Laws in 2025

Beginning with the advent of the California Consumer Privacy Act (CCPA) in 2020, privacy and data protection policy activity has largely been concentrated in the states, as several attempts in Congress to agree on a national privacy standard have fallen short of adoption. Between 2020 and 2024, 20 states enacted comprehensive privacy laws, fulfilling their oft-cited role as laboratories of democracy. Many observers assumed that 2025 would see a continued proliferation of state-level laws.

Surprisingly, that didn’t happen; while proposals were introduced in the legislatures of at least 13 states, none made it across the finish line. Let’s examine a few factors that likely led to the slowdown and look ahead to what to expect this year.

Political headwinds

The proposals floated in a number of states met with political opposition on both sides of the ideological spectrum. For example, in Washington, HB 1671, which would have enacted a comprehensive privacy regime, was vigorously opposed by business interests, primarily because it included a private right of action for consumers (a right unavailable in every current state privacy law except for a limited right of action in California). The Washington Retail Association branded the proposal “deeply flawed” and emphasized the burdens it would have placed on small businesses in particular. The bill never made it out of committee and was considered dead just a few weeks after its introduction.

Meanwhile, several states, including Georgia (SB 111) and Oklahoma (SB 546) introduced bills that were approved in their chamber of origin but ultimately failed, due at least in part to scathing reviews from consumer advocates like the Electronic Privacy Information Center (EPIC), which gave the Georgia proposal an F, calling it “one of the worst bills in the nation” with respect to protecting consumers’ data, and Consumer Reports, which joined EPIC in saying that the Oklahoma bill would do little to protect consumers’ personal information.

Other priorities

In several states, legislators shifted their focus away from comprehensive privacy legislation to more targeted initiatives, particularly in the area of children’s privacy. Many of these proposals targeted app store providers and developers, which builds on a trend that began last year. 

Louisiana enacted a law, effective Jan. 1, 2026, that requires app stores to verify the age of users and to obtain parental consent under specified conditions. In addition, several states have adopted age-appropriate design codes that require developers of apps aimed at children to take privacy and safety concerns into consideration when designing their products. 

Many of these laws have been challenged in court by business associations like NetChoice on constitutional grounds, but in the meantime, affected businesses will need to prepare for compliance with their provisions.

Data Privacy

What You Need to Know About Maryland’s New Data Privacy Law

by Karan Manohar and Gia Grimm

November 18, 2025

The law shifts focus from allowing unlimited data for company purposes to providing collection as a service benefiting consumers

Read moreDetails

AI emergence

State-level AI policy also took up a lot of attention for legislators. Every state, as well as DC, Puerto Rico and the Virgin Islands, introduced AI legislation in 2025, with several states imposing new restrictions on the use of AI, particularly in high-risk use cases, banning the creation of deepfakes and establishing transparency and disclosure requirements, among other items. 

An executive order from President Donald Trump on Dec. 11 is designed to require the issuance of a single regulatory framework for AI and to prohibit states from enacting any restrictions deviating from that framework. The order is certain to be challenged in court, but in the meantime, despite the urging of several consumer groups encouraging states to move forward with AI regulation, the order is likely to have a chilling effect on further state regulation in the area.

Privacy fatigue? 

Somewhat ironically, the enactment of 20 comprehensive privacy laws over the past four years was almost certainly a contributing factor in the lack of action in 2025. Businesses have been required to ramp up their compliance efforts to meet a variety of disparate requirements in these laws, with many taking a “lowest common denominator” approach, assuming that if they are in compliance with the more consumer-friendly laws (like California or Connecticut), they will pass muster with other, less restrictive states. As a result, many states may have simply decided that it was not necessary to duplicate provisions that many businesses already have implemented based on other state laws.

What to look for in 2026

Given that enactment of a preemptive federal law governing privacy and data protection is highly unlikely, state legislation and regulation remains the only game in town. Accordingly, businesses and practitioners need to continue tracking new proposals at the state level. Bills in several states that stalled in 2025 may carry over or be reintroduced to 2026 sessions. 

In addition, several states, most notably Connecticut and Colorado, made significant amendments in 2025 to existing privacy laws that businesses must incorporate into their compliance strategies. Finally, new regulations in California expanding on CCPA requirements related to automated decision-making tools, risk assessments and cybersecurity audits provide some clarity for businesses but also will require adjustments to compliance procedures to avoid costly enforcement activity.

We may never return to the days where a half-dozen or more states enact a privacy law in a single year, but that doesn’t mean that they will abandon the effort altogether. Businesses should exercise due diligence in tracking these potential changes to avoid any unpleasant surprises.