US privacy in 2025: a decision brief for operators
7/15/2025
State privacy laws continue to expand. Unlike Europe’s GDPR, the US lacks a single federal privacy law, creating a complex patchwork of state-level regulations. Operators need a practical view of who is covered, what is new in 2025, and what to do in the next two quarters.
What changes in 2025 at a glance
- New state laws take effect with familiar structures and some unique definitions.
- Thresholds continue to exempt smaller firms, but service providers still inherit obligations through contracts.
- Deletion, access, and opt-out rights persist across states, each with its own response timelines.
Treat this as an operations problem with legal inputs. The work is scoping data, fixing high risk flows, and keeping records.
Examples of 2025 state activity to track:
- New effective laws in states like California, Virginia, Colorado, Utah, and Connecticut are adding familiar rights with different timelines and definitions.
- Broader recognition of universal opt-out signals, and more enforcement against dark patterns.
- Sector-specific rulemaking that touches first-party data, for example in health-adjacent apps.
Scope and thresholds
Create a quick table for your footprint: which states you do business in, whether you meet thresholds, and whether you handle sensitive data. For covered states, flag distinct definitions, response timelines, and appeal processes.
Priority work for the next two quarters
- Lightweight data mapping: inventory the systems that hold personal data. Note sources, purposes, and processors. Start with public facing forms and customer systems.
- Request handling: standardize intake, identity checks, and fulfillment steps. Track deadlines by state.
- Sensitive data: identify consent requirements and tighten access. Reduce collection where the stated purpose is weak.
- Contracts: update vendor terms to align with state definitions and flow down requirements. Keep a log of which contracts are updated and when.
- Notices: refresh privacy notices and opt out mechanisms so they are accurate and readable.
If you operate in multiple states, build your baseline to the strictest requirement you face and maintain a short exceptions log.
Metrics to track
- Requests received and completed on time by state.
- Time to fulfill and error rates.
- Number of contracts updated and outstanding.
- Incidents involving personal data and time to contain.
What not to do
- Do not spin up a new project for each state. Build a baseline that meets the strictest standards you face and note exceptions.
- Do not rely on a single spreadsheet. Use a simple system that your team can maintain over time.
- Do not promise what you cannot deliver in notices. Be precise.
The goal is not to predict every change. It is to operate a program that can absorb changes without disrupting the business.
The global context
The US “patchwork” approach to privacy stands in contrast to the comprehensive approach of Europe’s GDPR. For businesses that operate globally, this means navigating a complex web of regulations and ensuring that their privacy practices meet the highest standards required in any of their markets.
The role of technology
Privacy-enhancing technologies (PETs) can play a crucial role in helping businesses comply with privacy regulations. Tools for data discovery, consent management, and data anonymization can help automate compliance, reduce risk, and build trust with consumers.
Resources
- International Association of Privacy Professionals (IAPP): The IAPP is a great resource for information and analysis on privacy laws and best practices.
- State Attorneys General Websites: The websites of state attorneys general often provide guidance and enforcement updates on their respective privacy laws.
Templates to reuse
- Data map fields: system, purpose, data categories, retention, processors, and owner.
- Request handling workflow: intake, identity verification, fulfillment steps, deadlines, and audit log.
- Vendor review checklist: data categories shared, sub-processors, security measures, deletion timelines, and breach notification terms.
Illustrative two-quarter plan
- Weeks 1 to 2: confirm scope and thresholds, pick a baseline state requirement, and assign owners.
- Weeks 3 to 4: complete a light data map for public facing systems and top three customer systems.
- Weeks 5 to 6: launch request handling workflow and test with internal dry runs.
- Weeks 7 to 8: update contracts for top ten vendors and log exceptions.
- Weeks 9 to 10: refresh notices and implement universal opt out where required.
- Weeks 11 to 12: run an incident tabletop focused on personal data exposure and lessons.