
Last Updated: March 12, 2025
What to Expect in 2025
More Info: Website Documents
More Info: eCommerce Acquisitions
The Quest for a Federal Privacy Law Continues
As of March, 2025, the United States remains without a comprehensive federal privacy law.
Beginning in 2019-20, the U.S. Congress has been engaged more in politics than policy attempting to craft a federal privacy law.
While efforts such as the American Data Privacy and Protection Act (ADPPA) and the American Privacy Rights Act (APRA) attempted to create a national standard, these bills stalled in Congress due to disagreements over state preemption and enforcement mechanisms (i.e. "politics").
What we're still stuck with is essentially a "patchwork quilt" of state privacy laws.
If a federal law is eventually passed, its likely to preempt most state laws, reducing compliance complexity, but potentially weakening privacy protections in states with stricter requirements.
The "Patchwork" of State Privacy Laws Continues to Expand
Since the failure to pass a uniform federal standard, states proceeded on a "full speed ahead" to regulate consumer privacy.
As of 2025, nineteen states have enacted comprehensive privacy laws, with eight new statutes taking effect this year, including those in New Hampshire, Delaware, Iowa, Nebraska, New Jersey, Tennessee, Minnesota, and Maryland.
Each state law includes core privacy rights, such as data access, correction, deletion, portability, and opt-out options for targeted advertising and the sale of personal information. However, thresholds for applicability, enforcement mechanisms, and definitions of sensitive data vary significantly. This creates significant compliance challenges for businesses operating in multiple states.
Examples: State Law "Patchwork"
* Thresholds for Compliance: States like Tennessee apply their privacy law only to businesses with $25 million in annual revenue and processing data of 175,000 consumers. In contrast, Nebraska's law applies broadly to any business processing consumer data, with no revenue threshold.
* Consumer Rights: Most states grant access, correction, and deletion rights, but Iowa lacks a correction right.
* Opt-Out Requirements: Some states, like California and Texas, now require businesses to honor universal opt-out mechanisms that enable consumers to block tracking and data sales across all websites automatically.
* Sensitive Data Protections: While all states recognize racial, religious, and biometric data as sensitive, New Jersey and California classify financial data under the same category.
* Data Minimization Requirements: Maryland's new law introduces data minimization requirements, restricting data collection to what is necessary for a specific purpose. Other states may follow suit, requiring businesses to re-think data retention practices.
Federal Agencies Remain Active for Privacy & Data Rights
Although a federal privacy law remains stalled, agencies the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) continue to be active for privacy enforcement for consumers.
For example, the FTC has long taken the position that the "promises" made in Privacy Policies posted on websites are viewed as enforceable, and the FTC has a history of filing enforcement actions if these "promoses" are not followed.
Compliance Challenges for U.S. Businesses Increase
Operating within a "patchwork quilt" of state laws continue to create significant challenges.
* Increased compliance costs.
* Data rights management.
* Risk of enforcement actions.
Checklist for Privacy & Data Rights Steps You Should Take in 2025
* Conduct a comprehensive data audit to assess data collection, sharing, and retention practices.
* Implement a dynamic privacy framework that can adapt to state-by-state requirements.
* Enhance consumer opt-out mechanisms to comply with expanding universal opt-out requirements.
* Review vendor contracts to ensure third-party data processors comply with state laws.
How to Get Started
The recommended way to get started is to scroll to the bottom of this page, click on the "Book a Call" button, then schedule a call.
At the same time, sign Up for my complimentary 2-Minute Marketing Compliance Email.
It's not a newsletter (they take too long to read).
Every week or so, you'll get compliance tips, insights, strategies, tactics, and alerts you can digest quickly and use, written in a simple, conversational way to help you grow your business with confidence.
Best wishes for your online business success.

My Background
- Juris Doctor Degree, Wake Forest University School of Law
- Adjunct Professor of Law, Wake Forest University School of Law (20 years)
- Martindale-Hubbell Highest Attorney Peer Rating – AV® PREEMINENT™
- Co-Founder & CEO, FTCGuardian.com, #1 in FTC Compliance Training