US Data Privacy Laws: How Regulations Are Expanding, and the New Twists Businesses Must Be Aware Of
TL;DR: State data privacy laws rapidly expanded in 2025, introducing new requirements for sensitive data, AI profiling, and universal opt-out signals. Businesses need adaptable, privacy-by-design compliance strategies to manage rising multi-state regulatory complexity.
US data privacy laws have entered a new era. Since 2018, landmark legislation, including the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), has transformed the way personal data is collected, used, and protected. Growing public concern over data misuse and pressure for stronger consumer protections have accelerated this shift, and the regulatory landscape is evolving faster than ever.
What was once a patchwork of narrow, sector-specific rules has evolved into a complex and rapidly changing network of state privacy statutes, expanded consumer rights, and new compliance requirements. For organizations of every size, data privacy compliance is no longer optional or reactive. It is now central to corporate governance, brand reputation, and long-term success.
Why US data privacy laws matter
US data privacy regulation is expanding rapidly, with 20 states now enforcing comprehensive laws that introduce new requirements for sensitive data, AI profiling, children’s privacy, and universal opt-out signals. As state rules diverge on consent, enforcement, and key definitions (and federal action remains stalled), businesses face rising compliance complexity. Emerging issues like bankruptcy-related data rights and algorithmic transparency add further uncertainty. To stay ahead, organizations need adaptable, privacy-by-design strategies supported by strong governance and centralized data management.
From patchwork to proliferation: The evolution of US data privacy laws
For decades, data privacy in the United States was governed primarily by a few industry-specific federal laws:
- HIPAA: Protects healthcare data
- Gramm-Leach-Bliley Act (GLBA): Regulates financial institutions
- COPPA: Safeguards children’s online data
- FCRA: Oversees credit reporting
While these laws remain important, they were never designed to address the vast amounts of personal data generated in today’s digital economy. That gap prompted states to act. California’s CCPA, enacted in 2018, and the CPRA, passed in 2020, became the blueprint for a new generation of privacy legislation.
As of October 2025, the United States has 20 state-level comprehensive data privacy laws in effect or enacted, with eight new laws taking effect in 2025.
Trends shaping state data privacy laws in 2025
While each state law is different, several major trends define this new era of privacy regulation:
1. Lower applicability thresholds
Early privacy laws typically applied only to large enterprises that handled massive volumes of data. Newer laws are expanding their reach to include mid-sized businesses and even startups. If your organization collects or processes consumer data at scale, you are likely subject to at least one state law.
2. Broader definitions of sensitive data
Modern privacy statutes go beyond basic identifiers. Many now classify biometric data, precise geolocation, genetic information, private communications, union membership, and mental health data as “sensitive,” requiring stricter consent and stronger security controls.
3. Regulation of profiling and automated decision-making
As artificial intelligence and algorithmic decision-making become more widespread, lawmakers are imposing new safeguards. Companies must increasingly disclose profiling activities, allow consumers to opt out, and, in some cases, avoid specific uses of data altogether, particularly when minors are involved.
4. Stronger protections for children and teens
Protecting minors is becoming a central focus. Many new laws require opt-in consent before collecting or sharing children’s data, prohibit targeted advertising aimed at minors, and ensure that consent can be easily revoked.
5. Shorter or eliminated “right to cure” periods
Earlier privacy laws often provided companies with time to correct violations before facing penalties. Many newer statutes shorten or eliminate those grace periods, signaling a shift toward faster enforcement and increased regulatory risk.
6. Universal opt-out and signal-based privacy controls
An increasing number of states require businesses to honor universal opt-out signals from browsers or devices. This enables consumers to exercise their privacy choices across multiple platforms with a single action, introducing new technical demands on organizations.
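The universal opt-out signal that most state rules point to in practice is Global Privacy Control, sent by the browser as an HTTP request header. The following server-side sketch is an added example, not code from the article or from Smarsh: it assumes the `Sec-GPC: 1` header defined by the W3C GPC draft and uses an in-memory dict in place of a real consumer preference store.

```python
"""Detect and honor a browser-level universal opt-out signal on the server side.

Assumptions, not from the article: the signal is the Global Privacy Control
(GPC) header `Sec-GPC: 1` (W3C GPC draft) and the store is a plain dict.
"""
from dataclasses import dataclass
from typing import Dict, Mapping


@dataclass
class ConsumerPrefs:
    opted_out_of_sale_or_share: bool = False
    source: str = ""  # how the preference was recorded: "gpc", "form", ...


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only for the exact value "1" (header names are case-insensitive).

    Any other value, or no header at all, means "no signal", never "consented".
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def apply_request_signal(store: Dict[str, ConsumerPrefs], consumer_id: str,
                         headers: Mapping[str, str]) -> ConsumerPrefs:
    """Record an opt-out when the signal is present; keep it when it is absent.

    A consumer who opted out from one browser may later arrive from a device
    that sends no header; that absence must not silently re-enable sale or
    sharing, so only a positive signal changes the stored preference.
    """
    prefs = store.setdefault(consumer_id, ConsumerPrefs())
    if gpc_signal_present(headers):
        prefs.opted_out_of_sale_or_share = True
        prefs.source = "gpc"
    return prefs


def may_share_with_third_parties(prefs: ConsumerPrefs) -> bool:
    """Gate every vendor or ad-tech data flow on the stored preference."""
    return not prefs.opted_out_of_sale_or_share


def well_known_gpc(last_update: str) -> dict:
    """Body for /.well-known/gpc.json, which publishes that the site honors GPC."""
    return {"gpc": True, "lastUpdate": last_update}
```

The same header check answers the later question of how to detect browser-level signals at scale: it runs as request middleware, and every downstream sharing decision consults the stored preference rather than the header of the current request.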
Federal efforts: Still stalled
A federal privacy law could simplify compliance, but progress remains slow. The proposed American Privacy Rights Act (APRA) would create a national standard, expand consumer rights, limit data use, and require algorithmic transparency.
However, political disagreements and industry lobbying have stalled the bill. Until Congress acts, state-level privacy laws will continue to multiply and diverge, leaving businesses with an increasingly complex compliance puzzle.
Fragmentation and complexity: The new compliance reality
The biggest challenge businesses face today is the growing fragmentation of privacy law. States differ significantly in how they define and enforce key requirements:
- Consent requirements: Some mandate opt-in for sensitive data, while others rely on opt-out
- Opt-out mechanisms: Universal signals may be valid in one state but not another
- Enforcement: Cure periods, penalties, and oversight bodies vary widely
- Definitions: What qualifies as “personal data,” “reasonable security,” or a “sale” changes by jurisdiction
For organizations operating across multiple states, this patchwork demands a multi-layered compliance approach. Businesses must invest in data mapping, consumer rights workflows, dynamic privacy policies, and jurisdiction-specific governance strategies to stay compliant.
Emerging challenges and open questions
The evolving legal landscape raises new questions that compliance teams must prepare to address:
- Bankruptcy and data rights: Do deletion obligations survive a company’s bankruptcy? The collapse of 23andMe brought this question into focus.
- Intersection with sectoral laws: How do new state laws interact with HIPAA, GLBA, or FERPA? Exemptions and overlaps remain uncertain.
- Universal opt-out implementation: How will businesses detect and honor browser-level signals at scale?
- AI and algorithmic accountability: What does “transparency” mean in practice, and how will it be enforced?
- Reasonable security standards: Most laws require them, but few define them clearly.
- Private right of action: Will individuals gain greater power to sue companies directly?
These issues underscore the need for compliance strategies to evolve in tandem with the laws themselves.
What businesses should watch for next
As privacy regulation matures, several developments will shape the future:
- Federal preemption debates: Will a national law override state statutes or set a baseline?
- Stronger enforcement: Expect shorter cure periods, larger fines, and more regulatory action.
- Rising consumer expectations: One-click opt-outs and centralized deletion portals are becoming standard.
- Global interoperability: Companies must align US compliance with frameworks like the GDPR and Canada’s CPPA.
Data privacy compliance: From obligation to strategic imperative
The rapid expansion of US data privacy laws represents more than a legal challenge. It marks a fundamental shift in how personal information is governed. Compliance is now a core business priority. Organizations that treat privacy as a reactive process risk not only fines but also the loss of customer trust and brand credibility.
The most forward-thinking companies are embedding privacy-by-design principles into their products and services, strengthening governance practices, and creating adaptable frameworks that evolve in response to the changing regulatory landscape. With state laws proliferating, universal opt-outs emerging, and enhanced protections for minors taking shape, now is the time to act.
How Smarsh helps organizations stay ahead
As US data privacy laws become increasingly complex, organizations require more than just policies. They need technology that can keep pace. That is where Smarsh comes in.
With Smarsh, you gain more than a compliance solution. You gain a platform built to reduce risk, streamline workflows, strengthen security, and future-proof your organization against evolving privacy regulations. The stakes have never been higher, but with Smarsh, you will always be prepared for what comes next.
The Smarsh platform is designed to help compliance, legal, and governance teams manage today’s regulatory demands while preparing for tomorrow’s. It delivers the visibility, control, and automation organizations need, all within a single, unified platform.
With Smarsh, businesses can:
- Simplify compliance by centralizing data from hundreds of communication channels into one secure, searchable platform, making retention and governance more efficient.
- Automate consumer rights requests and manage data lifecycle processes, ensuring timely responses to “right to access” and “right to delete” requirements.
- Continue to strengthen security with encryption, granular access controls, immutable storage, and detailed audit trails, demonstrating accountability to regulators.
- Adapt to evolving laws around AI, profiling, and sensitive data while maintaining privacy-by-design practices.
- Future-proof compliance strategies as state laws change or federal standards emerge.
Please contact us to request a demo or to speak to an expert.