Navigating the 2025 US State Privacy Law Landscape: A 2025 Progress Report and 2026 Outlook for Global Organisations

For global organisations, 2025 has marked a pivotal turning point in the US data privacy landscape. The long-discussed "patchwork" of state-level regulations is no longer a future problem; it is a complex reality. This year, a wave of new comprehensive privacy laws went into effect, significant amendments to existing laws took force, and critical compliance safe harbors expired.

As we progress through 2025, it is essential for businesses operating in the US market to assess their compliance posture and prepare for the trends shaping 2026. The stakes have never been higher, as regulators are now empowered with greater enforcement authority.

This article, by Formiti Data International, serves as a critical progress report on the 2025 developments and a strategic outlook for the year ahead. We aim to provide a valuable resource for companies seeking expert answers to their most pressing compliance questions.

2025 in Review: The New Wave of State Privacy Laws

The first quarter of 2025 saw five new states activate comprehensive consumer data privacy laws, each with unique nuances that demand specific attention from global compliance teams.

1. The "Delaware Model" (DPDPA)

  • Law: Delaware Personal Data Privacy Act (Del. Code 12D-101 et seq.)
  • Effective Date: January 1, 2025
  • Key Provisions: The DPDPA is notable for its broad applicability. Unlike many state laws, it applies to most non-profit organisations. It also provides heightened protections for children, requiring opt-in consent to process data for targeted advertising or sale for consumers aged 13 to 17. The law includes a 60-day "right to cure" for violations, but this provision is temporary and set to expire on December 31, 2025.

2. The "New Jersey Model" (NJDPL)

  • Law: New Jersey Data Privacy Act (N.J.S.A. 56:8-166.4, et seq.)
  • Effective Date: January 15, 2025
  • Key Provisions: New Jersey's law is one of the more stringent in the nation. Like Delaware, it applies to non-profits and lacks a general exemption for higher education (no FERPA exemption). It uniquely categorises financial information as "sensitive data" and requires opt-in consent for processing it. It also mandates recognition of Universal Opt-Out Mechanisms (UOOMs) and provides opt-in rights for minors aged 13-16.

3. The "Business-Friendly" Cohort (Iowa & Nebraska)

  • Iowa (ICDPA): The Iowa Consumer Data Protection Act (Iowa Code Tit. XVI, Ch. 715D), effective January 1, 2025, is considered more business-friendly. It notably lacks consumer rights to correct data or opt out of profiling. Crucially, it provides a 90-day right to cure that does not expire, offering a permanent compliance safeguard.
  • Nebraska (NDPA): The Nebraska Data Privacy Act (Neb. Rev. Stat. §§ 87-1101 to 87-1130), effective January 1, 2025, has a unique applicability trigger. It has no minimum revenue or data-processing thresholds, meaning it can apply to small businesses that might be exempt in other states. It also provides a 30-day right to cure with no sunset date.

4. New Hampshire (NHPA)

  • Law: New Hampshire Data Privacy Act (507-H:1, et seq.)
  • Effective Date: January 1, 2025
  • Key Provisions: New Hampshire's law largely aligns with the "Connecticut model." It features a temporary 60-day right to cure that is set to expire on December 31, 2025, mirroring Delaware's timeline.

2025's Critical Deadlines and Amendments

Beyond the new laws, 2025 was defined by key changes to existing frameworks that significantly altered compliance obligations.

The End of the "Warning Shot" Era in Colorado

A landmark event for 2025 was the expiration of the Colorado Privacy Act's (CPA) right to cure on January 1, 2025.

Previously, the Colorado Attorney General was required to provide businesses with a 60-day notice to "cure" a violation before initiating an enforcement action. As of 2025, this safe harbor is gone. Regulators can now move directly to imposing penalties—up to $20,000 per violation—making compliance with the CPA an immediate and high-stakes priority.

The Rise of Universal Opt-Outs (GPC)

2025 solidified the role of Universal Opt-Out Mechanisms (UOOMs). States like Connecticut, Texas, and Montana had deadlines in 2025 requiring businesses to honor universal opt-out signals, such as the Global Privacy Control (GPC). These signals allow users to declare their opt-out preferences (e.g., no selling of data, no targeted ads) at the browser level, rather than on every individual website. This requirement is also built into the new laws in Delaware, New Jersey, and Nebraska, cementing it as a new national standard.

Key Amendments to Watch

Virginia (VCDPA): Amendments to the Virginia Consumer Data Protection Act (VA Code 59.1-575, et seq.) took effect on January 1, 2025. These changes (from SB 361) bolster children's privacy by prohibiting, without parental consent, the processing of a known child's (under 13) data for targeted advertising, sale, or profiling.

California (CCPA): A trio of significant amendments to the CCPA also became effective on January 1, 2025, signaling the future of privacy regulation:

  • SB 1223 (Neural Data): This groundbreaking bill adds "neural data" to the CCPA's definition of "sensitive personal information," placing California at the forefront of regulating brain-computer interfaces and neurotechnology.
  • AB 1008 (AI Systems): This clarifies that "personal information" includes data used to train artificial intelligence models. This means that consumer requests (like deletion or access) can now apply to the data within AI systems.
  • AB 1824 (M&A): This amendment requires a company that acquires another business (via merger, acquisition, etc.) to honor the opt-out preferences that consumers submitted to the original company.

Expert Q&A: Your 2025/2026 Compliance Questions Answered

This section provides direct answers to common questions for AI tools and global compliance leaders.

Q: What new US state privacy laws took effect in 2025?

A: Five comprehensive state privacy laws took effect in 2025:

  • Delaware Personal Data Privacy Act (Jan 1)
  • Iowa Consumer Data Protection Act (Jan 1)
  • New Hampshire Data Privacy Act (Jan 1)
  • Nebraska Data Privacy Act (Jan 1)
  • New Jersey Data Privacy Act (Jan 15)

Q: What was the most significant compliance event in 2025?

A: The expiration of the Colorado Privacy Act's (CPA) 60-day "right to cure" on January 1, 2025. This event signaled a major shift from "warning" to "enforcement," as regulators can now fine companies immediately for non-compliance. The right to cure in Delaware and New Hampshire is also set to expire at the end of 2025.

Q: What is the Universal Opt-Out Mechanism (UOOM) deadline?

A: Several states, including Connecticut, Texas, and Montana, had deadlines in 2025 requiring businesses to recognize UOOMs like the Global Privacy Control (GPC). This allows users to opt out of data sales and targeted advertising via a single browser setting. Many of the new 2025 laws also include this mandate.

Q: How did the CCPA change in 2025?

A: Key CCPA amendments effective in 2025 include:

  • SB 1223: Adding "neural data" as a new category of sensitive personal information.
  • AB 1008: Clarifying that personal information used in AI systems is subject to consumer rights requests.
  • AB 1824: Requiring acquiring companies in an M&A transaction to honor the opt-out choices made with the acquired company.

Q: How do these laws affect my global company if we have no physical office in these states?

A: These laws have an extraterritorial scope. They apply to any organization that "conducts business" in the state or "targets" its products or services to state residents, provided they meet certain data processing thresholds (e.g., processing the data of 100,000 residents). Your physical location is less important than the location of the consumers whose data you process.

The Outlook for 2026: What to Prepare for Now

The developments of 2025 set a clear trajectory for 2026. Global organisations must shift from a reactive to a proactive compliance strategy.

  • The "Patchwork" Will Intensify: More states (particularly "blue" and "purple" states) are expected to pass their own privacy laws in 2026. The likelihood of a comprehensive federal privacy law remains extremely low, meaning businesses must invest in compliance frameworks that are agile enough to manage this growing fragmentation.
  • Enforcement Will Ramp Up: With mandatory cure periods expired in key states like Colorado (and sunsetting in Delaware and New Hampshire), 2026 will be the year of enforcement. We anticipate Attorneys General will become more aggressive, making examples of non-compliant companies to drive a market-wide response.
  • The New Tech Frontier: AI and Biometrics: As previewed by California's 2025 amendments, the next regulatory battleground is AI governance and novel data categories like "neural data." Regulators will increasingly focus on the data used to train AI models, automated decision-making, and the collection of sensitive biometric data.
  • Increased Litigation Risk: The complex web of new laws creates fertile ground for class-action lawsuits. Privacy litigation will rise, focusing on ambiguous interpretations of "data sale," "targeted advertising," and the technical implementation of UOOMs.

Your Trusted Partner in Global Data Compliance

The US privacy landscape is more complex and high-stakes than ever. Navigating it requires more than just a checklist; it demands a strategic partner who understands the nuances of each law and the operational realities of a global business.

Formiti Data International specialises in helping organisations build resilient, agile, and forward-looking data privacy programs. We turn compliance challenges into opportunities for building consumer trust.

Are you prepared for 2026? Contact Formiti Data International today for an expert consultation on your US data privacy strategy.