Navigating Data Privacy in 2025: Essential Compliance for 2026

JD Supra
January 20, 2026
Data Privacy Developments in 2025 and Compliance Considerations for 2026

AI-Generated Summary

Data privacy regulations intensified in 2025 with new state laws in the U.S. and ongoing international enforcement. Businesses faced increasing complexity and risk due to varying state requirements and global scrutiny. Compliance in 2026 necessitates ongoing adaptation to these evolving, jurisdiction-specific obligations, particularly concerning data transfers and AI.

Data privacy regulation continued to accelerate in 2025, with both U.S. regulators and international authorities placing increased emphasis on enforcement and operational compliance. For organizations that collect, use, or share personal data across jurisdictions, the past year highlighted growing regulatory complexity, expanding compliance obligations, and heightened enforcement risk. As we look ahead to 2026, businesses should anticipate continued regulatory scrutiny rather than a period of stability.

In the United States, the lack of a comprehensive federal privacy statute has resulted in sustained state-level legislative activity. During 2025, several new comprehensive state privacy laws became effective. Delaware’s Personal Data Privacy Act (effective January 1, 2025) applies to entities that control or process personal data of at least 35,000 consumers (excluding payment-only data) and includes consumer rights similar to those in other state laws, along with data protection assessment requirements for higher-risk processing. Iowa’s Consumer Data Protection Act (effective January 1, 2025), by contrast, takes a narrower approach, with higher applicability thresholds and fewer consumer rights, most notably excluding a right to correct data. Nebraska’s Data Privacy Act (effective January 1, 2025) applies broadly, with no revenue threshold, making it one of the more expansive statutes in terms of potential applicability. New Hampshire’s law (effective January 1, 2025) largely tracks the Virginia model but includes explicit consent requirements for processing sensitive data.

Additional laws came into effect later in the year. New Jersey’s Data Privacy Act (effective January 15, 2025) includes a broad definition of “sale” and requires businesses to recognize universal opt-out mechanisms. Tennessee’s Information Protection Act (July 1, 2025) incorporates a unique safe harbor tied to recognized privacy frameworks, offering potential mitigation of enforcement risk for organizations with mature compliance programs. Minnesota’s Consumer Data Privacy Act (July 31, 2025) imposes heightened obligations, including broader consumer rights and detailed assessment requirements, while Maryland’s Online Data Privacy Act (October 1, 2025) is among the most stringent state laws to date, significantly limiting the collection and processing of sensitive data and data relating to minors.

While these statutes share common elements, such as consumer rights to access, delete, and opt out of certain processing activities, they vary in important respects in applicability thresholds, definitions of sensitive data, consent standards, and requirements for data protection assessments. As a result, 2025 demonstrated that compliance requires careful, state-by-state analysis rather than reliance on a single, uniform approach. State attorneys general remain the primary enforcement authorities, and several have emphasized that enforcement will focus on whether businesses have implemented effective rights-request processes, vendor oversight, and data governance controls.

Looking ahead to 2026, additional state privacy laws took effect on January 1, 2026, including the Indiana Consumer Data Protection Act, the Kentucky Consumer Data Protection Act, and the Rhode Island Data Transparency and Privacy Protection Act. These laws largely follow existing state models but introduce additional compliance obligations, including requirements related to opt-out mechanisms, sensitive data consent, and data protection impact assessments.

Federal regulators also remained active throughout 2025. The Federal Trade Commission continued to bring enforcement actions under its unfair and deceptive practices authority, with particular attention to sensitive data, biometric information, children’s data, and artificial intelligence–driven data uses. These actions underscore that federal enforcement risk persists even in the absence of a comprehensive federal privacy law, particularly where data practices diverge from public disclosures or internal policies.

Internationally, data privacy regulation in 2025 continued to be shaped by enforcement, with regulators taking somewhat different approaches across jurisdictions. EU data protection authorities remained active in GDPR enforcement, particularly regarding transparency, lawful bases for processing, and cross-border data transfers. At the same time, post-Brexit developments in the United Kingdom and evolving transfer and localization requirements in other regions added further considerations for multinational compliance programs. For organizations operating across borders, these developments highlight the importance of staying informed about jurisdiction-specific obligations, rather than relying entirely on a single global privacy framework. Internationally, regulators are expected to continue prioritizing cross-border data transfers, AI governance, and accountability measures, further complicating compliance for multinational organizations.
