No New Broad Privacy Bills, Yet 2025 Still an Active Year: IAPP
Zero states passing new comprehensive privacy laws in 2025 so far “is conspicuous and enigmatic,” said IAPP in a retrospective analysis posted Monday that also said privacy regulation was busy this year.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
About 20 states have comprehensive privacy laws. While several others proposed such sweeping legislation this year, none crossed the finish line, though bills remain active in Massachusetts, Michigan, Pennsylvania and Wisconsin.
“This could be a natural consequence of diminishing marginal returns if the states that were most likely to enact privacy legislation have already done so,” wrote Jordan Francis, Future of Privacy Forum (FPF) senior privacy counsel, and David Stauss, Troutman privacy attorney. “It could be simple bad luck, given how unpredictable the legislative process can be.”
“Massachusetts is making a late push … but they are working against the clock," the analysis said. “Pennsylvania is another late mover” with a bill that passed the House last month (see 2510020029), but a similar measure in 2024 reached the same milestone then stalled in the Senate. Meanwhile, neither the Michigan proposal nor the Wisconsin bill have made it out of committee, IAPP noted.
Even so, 2025 was not a quiet year, they wrote. “We saw hundreds of consumer privacy bills introduced, newly enacted amendments to existing laws, multiple states engaging in rulemaking, including potentially game-changing rulemaking in California, new sectoral laws addressing health and youth privacy and online safety, and an uptick in state enforcement activity.”