FPF Releases Updated Report on the State Comprehensive Privacy Law Landscape

FILTER
December 12, 2025
Jordan Francis
Senior Policy Counsel
About Jordan
Blogs by Jordan

The state privacy landscape continues to evolve year-to-year. Although no new comprehensive privacy laws were enacted in 2025, nine states amended their existing laws and regulators increased enforcement activity, providing further clarity (and new questions) about the meaning of the law. Today FPF is releasing its second annual report on the state comprehensive privacy law landscape—Anatomy of a State Comprehensive Privacy Law: Charting The Legislative Landscape

Read the report here

The updated version of this report builds on last year’s work and incorporates developments from the 2025 legislative session. Between 2018 and 2024, nineteen U.S. states enacted comprehensive consumer privacy laws. As the final state legislatures close for the year, 2025 looks poised to break that trend and see no new laws enacted. Nevertheless, nine U.S. states—California, Colorado, Connecticut, Kentucky, Montana, Oregon, Texas, Utah, and Virginia—passed amendments to existing laws this year. This report summarizes the legislative landscape. The core components that comprise the “anatomy” of a comprehensive privacy law include: 

  • Definitions of covered entities (controllers and processors) and covered data (personal data and sensitive data); 
  • Individual rights of access, correction, portability, deletion, and both opt-in and opt-out requirements for certain uses of personal data; 
  • Business obligations such as transparency, data minimization, and data security; and 
  • Enforcement by the attorney general. 

The report concludes with an overview of ongoing legislative trends: 

  • Changes to applicability thresholds; 
  • Expanding scope of sensitive data; 
  • Emergence of substantive data minimization requirements; 
  • Heightened protections for adolescents’ personal data, consumer health data, biometrics, and location data; 
  • New individual rights, like contesting adverse profiling decisions; and 
  • A slowdown of legislative activity in 2025. 

This report highlights the strong commonalities and the nuanced differences between the various state laws, showing how they can exist within a common, partially-interoperable framework while also creating challenging compliance difficulties for companies within their overlapping ambits. Until a federal privacy law materializes, this ever changing state landscape will continue to evolve as lawmakers iterate upon the existing frameworks and add novel obligations, rights, and exceptions to respond to changing societal, technological, and economic trends.

Last Updated: December 12, 2025
Tags:

Explore

Issues

authors

dates

Posts by Jordan

screenshot 2025 12 12 at 8.16.22 am
FPF Releases Updated Report on the State Comprehensive Privacy Law Landscape
READ MORE
cyberspace,technology,with,blue,digital,light,patterns,,creating,a,futuristic
FPF Releases Issue Brief on New CCPA Regulations for Automated Decisionmaking Technology, Risk Assessments, and Cybersecurity Audits
READ MORE
connecticut,flag,waving,in,the,wind,,blue,sky,background
The Connecticut Data Privacy Act Gets an Overhaul (Again)
READ MORE
View More