As the end of 2025 approaches, we wanted to give an update on the status of federal privacy law.
No new omnibus federal privacy law passed in 2025, and it appears unlikely that any omnibus federal privacy law will pass any time soon. Though several proposals are circulating in Congressional committees, no comprehensive privacy bill has reached the House or Senate floor for final passage. The U.S. is the only G20 nation without a comprehensive national data protection law.
Though no broad federal privacy law was enacted in 2025, there were several federal law developments affecting privacy. The TAKE IT DOWN Act, which addresses non-consensual intimate imagery (including AI-generated deepfakes), became law in May 2025. It criminalizes non-consensual publication of this content and mandates platform takedown mechanisms, which will be enforced by the FTC. Also, in April 2025, new rules governing the Telephone Consumer Protection Act (TCPA) went into effect. These rules introduce stricter consent and opt-out obligations for automated calls/texts. Consumers are no longer required to revoke consent through a specific method (for example, texting “STOP” only) and may opt out using any reasonable means. Also, the TCPA now requires that revocations must be processed within ten business days.
Though the TAKE IT DOWN Act and TCPA are not data privacy statues, they are part of the broader privacy and consumer protection landscape. Given the unlikelihood of a federal privacy law passing in the near future, we should expect incremental movement in privacy and consumer protection under federal law similar to these advancements.
While we wait for comprehensive federal privacy legislation, the privacy protection landscape will continue to be focused on state privacy laws. This year, comprehensive privacy laws to regulate how businesses handle digital information and to give consumers more protections over their personal data went into effect in the following states: Delaware, Iowa, Minnesota, Nebraska, New Hampshire, New Jersey, Tennessee and Maryland. Privacy laws enacted in Indiana, Kentucky and Rhode Island will go into effect next year. Given the challenges to businesses to have to deal with the patchwork nature of the various state laws, perhaps the increase in the number of states enacting comprehensive privacy laws will be a catalyst for the implementation of a federal law.
One development of note relating to the enactment of the various state privacy laws is that they are increasingly incorporating AI-related obligations, such as rights to opt out of profiling or automated decision-making and disclosure requirements for AI-driven processing. For example, Minnesota’s law grants consumers the right to question and receive an explanation for consequential decisions made by automated profiling algorithms. Also, California businesses, as of January 1, 2027, will be required to assess and mitigate risks of AI systems and give consumers notice and choices regarding AI-driven decisions.
We will continue to monitor federal and state privacy law developments.
Tom Sowers approaches legal issues from a businessperson’s perspective. A Shareholder at Berman Fink Van Horn, Tom’s practice focuses on representing businesses and their owners in a wide range of transactional matters and legal issues.
