Find a lawyerOur capabilitiesYour careerSearch
Locations
Our capabilities
News

Select language:

Locations
Our capabilities
News

Select language:

hamburger menu showcase image
  1. Our thinking
  2. 2025 Data law trends
  3. US State consumer privacy laws are expanding
6. US state consumer privacy laws are expanding
2025 Data law trends
hero-image-0

In brief

Consumer privacy legislation in the US has reached a critical turning point. With no comprehensive nationwide privacy law in place, individual states have begun enacting their own laws to safeguard consumer privacy. Currently, over 40 percent of US states have implemented consumer privacy laws, and momentum continues to grow as additional states propose and consider their own legislation.

While these new state laws share some commonalities, their unique obligations contribute to a complex compliance landscape. Furthermore, certain states are also introducing specialized privacy laws, such as those focused on consumer health data. In this chapter, we explore the current status of US state consumer privacy laws, highlight key areas of alignment and divergence, and offer predictions regarding upcoming enforcement priorities.

Download report
US state consumer privacy laws are expanding

California was the first state to pass a comprehensive consumer privacy law, called the California Consumer Privacy Act (CCPA), in 2018. Since then, other states started to pass their own laws and the first half of 2024 saw a surge of states passing these laws; at one point, a new state law seemed to pass weekly. These state consumer privacy laws are either in effect or shortly coming into effect through 2026.

As of the end of August 2024, 20 states had passed consumer privacy laws, and two further states had passed consumer health data laws. Notably, these laws have gained support on both sides of the political aisle, from both Democrat and Republican legislators.

The chart below shows the degree of bipartisan support for these privacy laws, reflecting, in blue, the states with consumer privacy laws with Democratic-party affiliated governors, and red for states with Republican-party affiliated governors.

*Consumer health data specific laws
1. Nevada Act Relating to Data Privacy
2. Washington My Health My Data Act
Laws passed as of August 31, 2024

While there initially appeared to be momentum in Congress toward a federal privacy bill, including for the American Privacy Rights Act of 2024 (APRA) being deliberated in this 118th Congress, support for the APRA has appeared to cool and commentators now think it’s unlikely that the APRA will pass in its current form in this legislative session.

QuoteMarks_34x25px_Blue.png

We have reached a turning point in US privacy regulation, and there is no going back: the future involves greater regulation and protection for consumers.

Christine Lyon, Partner

This means that, for the foreseeable future, the state-level privacy laws are here to stay. Notoriously, the US has 50 different state data breach laws, and in principle, we could potentially end up with 50 different state consumer privacy laws as well.

Looking Ahead

As the number of US state consumer privacy laws continues to grow, it’s crucial for companies to take proactive steps to navigate this evolving landscape.

Here are three key actions to consider:

1. Develop a Compliance Strategy: Collaborate with your business teams to create a comprehensive approach for complying with state privacy laws. With new legislation emerging regularly, having a robust privacy compliance strategy will help you establish sustainable policies and procedures.

2. Review Consumer Rights Mechanisms: Take a close look at the rights mechanisms available to consumers. This includes evaluating the methods you have in place and ensuring you’re ready to respond effectively.

Keep in mind:

  • This area is under high scrutiny, with significant volumes of complaints reported by the CPPA.
  • Consumer rights mechanisms are highly visible to regulators, making it easy for them to spot potential deficiencies (for example, companies receiving CCPA notices of violation for failing to include a ‘Do Not Sell or Share My Personal Information’ link on their sites).
  • Prioritizing these mechanisms is essential, as they are a focal point of US state privacy laws and play a crucial role in building customer trust.

3. Educate and Engage Your Team: Share updates on new privacy laws and provide training for employees on how to handle data subject requests and the importance of compliance. Keeping your team informed and engaged is vital for fostering a culture of privacy within your organization.

Our team

Our team

San Francisco
Christine ChongSenior Associate
Silicon Valley
Christine E. LyonPartner and Global Co-Head of Data Privacy and Security
2025 Data law trends

2025 Data law trends

Reports
Nov 29 2024
1. AI governance takes center stage

With regulatory pressures, changing expectations from shareholders and customers, and the increasing risk of litigation, it’s clear that addressing AI governance is more important than ever.

Reports
Nov 29 2024
2. International data transfers are under the spotlight

In 2025, questions around data transfers and localization requirements will still be front and center for businesses. Regulators across different jurisdictions – each with varying requirements – aren’t holding back either; they’ve shown they’re ready to impose hefty fines for non-compliance.

Reports
Nov 29 2024
3. A new wave of cyber threats is here

As global cybersecurity threats continue to evolve, companies are navigating an increasingly complex risk landscape.

Reports
Nov 29 2024
4. New global regulations are changing our digital operations

Over the past year, a global push to regulate the safety, accountability, and transparency of online services have begun to crystalize. In late 2023, the EU Digital Services Act came into force alongside the passage of the UK Online Safety Act, signaling a significant shift in how digital intermediaries are regulated.

Reports
Nov 29 2024
5. Tougher enforcement is reshaping data and privacy compliance

The spotlight on AI risks is intensifying, and with it comes a surge in data-related regulatory enforcement worldwide. Regulators are not only using existing laws but are also advocating for greater powers to oversee AI development and deployment.

Reports
Nov 29 2024
6. US State consumer privacy laws are expanding

Consumer privacy legislation in the US has reached a critical turning point. With no comprehensive nationwide privacy law in place, individual states have begun enacting their own laws to safeguard consumer privacy. Currently, over 40 percent of US states have implemented consumer privacy laws, and momentum continues to grow as additional states propose and consider their own legislation.

Reports
Nov 29 2024
7. Asia’s privacy laws are maturing

In recent years, many countries across Asia have either rolled out new comprehensive privacy laws or made significant amendments to existing regulations. Notable examples include China, India, Indonesia, Japan, Malaysia, South Korea, Sri Lanka, Thailand, and Vietnam. Currently, Indonesia, India, and Malaysia are working toward the full implementation of their newly amended laws.

Reports
Nov 29 2024
8. New EU data access regulations are shaping the future

The European Commission’s Data Strategy 2020 has paved the way for new data access regulations that will significantly impact businesses across Europe. In this chapter, we dive into the data access rights established by the EU’s Data Act, along with two pivotal Common European Data Spaces: the European Health Data Space (EHDS) and the Financial Data Access (FIDA) framework.

FIND US IN
All locations
NAVIGATE TO
About usYour careerOur thinkingOur capabilitiesNews
CONNECT
Find a lawyerAlumniContact us
NEED HELP
Fraud and scamsComplaintsTerms and conditions
LEGAL
AccessibilityCookiesLegal noticesTransparency in supply chains statementResponsible procurementPrivacy

© 2025 Freshfields. Attorney Advertising: prior results do not guarantee a similar outcome

Select language: