{"id":182433,"date":"2026-01-28T15:16:00","date_gmt":"2026-01-28T20:16:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/28\/the-top-ten-us-data-privacy-developments-from-2025\/"},"modified":"2026-01-28T15:20:11","modified_gmt":"2026-01-28T20:20:11","slug":"the-top-ten-us-data-privacy-developments-from-2025","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/01\/28\/the-top-ten-us-data-privacy-developments-from-2025\/","title":{"rendered":"The Top Ten US Data Privacy Developments from 2025"},"content":{"rendered":"

The Top Ten US Data Privacy Developments from 2025<\/a><\/p>\n

https:\/\/www.wilmerhale.com\/en\/insights\/blogs\/wilmerhale-privacy-and-cybersecurity-law\/20260128-year-in-review-the-top-ten-us-data-privacy-developments-from-2025<\/a><\/p>\n

Publish Date: 2026-01-28 15:16:00<\/a><\/p>\n

Source Domain: www.wilmerhale.com<\/a><\/p>\n

Author: <\/a><\/p>\n

Using an unordered list, summarize the following article with between 4 and 8 key points.
\n 2025 marked another year of significant legislative and regulatory advances at the federal and state levels for data privacy and security, in ways that were both expected and unexpected. As was anticipated, a new administration meant a shift in enforcement priorities for some federal agencies, including for the Federal Trade Commission (FTC). Compared to the last administration\u2019s flurry of enforcement actions based on aggressive interpretations of \u201cunfair\u201d trade practices, the current FTC appears to be more concerned with a much narrower range of issues, focusing on the privacy and safety of children and teens online, as well as data security more generally. Other agencies that focused on privacy issues during the last administration (such as the Consumer Financial Protection Bureau) were also less active in privacy issues more generally in the past year. As has been the norm over the past few years, Congress kicked the tires on a few privacy proposals last year, but none gained meaningful traction.
\nWhile no federal privacy legislation emerged, there was a critical new federal development with the finalization of the Department of Justice\u2019s Data Security Program (DSP). This regulatory framework, which targets cross-border transfers of bulk US sensitive personal data and US government-related data to certain \u201ccountries of concern,\u201d interconnects data protection and national security concerns and has broad applicability based on how its relevant terms are defined (and does not have the same exemptions that are typically included in other data protection laws). Enforcement of the DSP will be an area of focus for companies in 2026 and beyond, especially given that the DSP comes with steep civil penalties and even potential criminal liability.
\nStates did fill most of the enforcement gap left at the federal level, with California\u00a0and Texas\u00a0leading as the prominent regulators in the privacy and cybersecurity landscape. While it was somewhat surprising that no new state passed a comprehensive privacy law (marking the first time this has happened since 2020), states remained busy enacting AI\u00a0and children\u2019s privacy\u00a0laws, proposing and amending laws to protect consumer health information, and engaging in privacy-related rulemaking. In addition to these developments at the federal and state levels, both pixel tracking litigation\u00a0and security incidents continued to be an issue for companies in 2025.
\nWe describe below our top ten US data privacy and cybersecurity developments (in no particular order) from the past year. Companies should understand the key shifts and trends from 2025 in relation to their existing compliance obligations and anticipate potential legislative and regulatory changes for the coming year. We will continue tracking all these developments in the new year and providing analysis on the compliance changes and policy updates in our Privacy and Cybersecurity Law blog, which you can subscribe to here.
\n1. DOJ Finalizes Rule Regarding Sensitive Data Transfers
\nOn January 8, 2025, the Department of Justice issued its final Rule\u00a0under Executive Order 14117, \u201cPreventing Access to Americans\u2019 Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern\u201d (the \u201cRule\u201d). The Rule, which took effect on April 8, 2025, targets cross-border transfers of bulk US sensitive personal data and US government-related data to certain \u201ccountries of concern,\u201d specifically China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela, as well as to \u201ccovered persons\u201d (essentially, any person or entity with certain affiliations with a country of concern). Furthermore, the Rule applies certain requirements and restrictions to certain data transactions with any foreign persons, or any person that is not a US person.
\nThe Rule prohibits US persons from engaging in any \u201cdata brokerage\u201d transaction involving identified categories of sensitive US personal data with \u201ccovered persons\u201d or \u201ccountries of concern.\u201d Put another way, the Rule bans US data brokers from licensing or otherwise transferring a wide variety of sensitive US personal data to covered countries or covered persons. Similarly, the Rule prohibits US persons from engaging in any \u201cdata brokerage\u201d transaction involving identified categories of sensitive US personal data with \u201cforeign persons\u201d absent the imposition of contractual safeguards to prevent the subsequent transfer of the data to a country of concern or covered person. Additionally, the Rule prohibits all US persons from knowingly engaging in any \u201ccovered data transaction\u201d with \u201ccountries of concern\u201d or \u201ccovered persons\u201d involving access to bulk human genomic, epigenomic, proteomic, or transcriptomic data, or with human biospecimens from which such data can be derived.
\nFurthermore, the Rule establishes a class of \u201crestricted\u201d transactions, referring to transactions involving vendor agreements, employment agreements, or investment agreements that provide countries of concern or covered persons with access to bulk US sensitive personal data or US government-related data. US persons are permitted to engage in such restricted transactions but must comply with cybersecurity standards promulgated by the Cybersecurity and Infrastructure Security Agency (CISA) and satisfy additional requirements, such as implementing a data compliance program, complying with audit requirements, and maintaining records related to applicable transactions.
\nThe Rule defines sensitive personal data broadly with relatively low thresholds, meaning a wide range of personal data collected in the course of fairly standard online transactions can trigger the Rule. Furthermore, compliance obligations under the Rule are significant, as the diligence, auditing, recordkeeping, and reporting requirements for restricted transactions may require that entities either build out or establish comprehensive compliance programs to comply with the Rule. Furthermore, companies should review cross-border data flows and update contracts to meet the new requirements. Penalties for violations are steep: civil fines can reach $368,136 or twice the transaction amount, and criminal penalties for willful violations include fines up to $1 million or imprisonment for up to 20 years. The Rule underscores the Department of Justice\u2019s growing focus on national security and potentially signals that additional national security-motivated data regulations may follow.
\n2. Federal Privacy Proposals Focus on Health and Children\u2019s Data, while Comprehensive Frameworks Stall
\nOn February 12, 2025, the US House of Representatives Committee on Energy and Commerce announced the creation of a comprehensive data privacy working group, with Committee Chairman Brett Guthrie and Vice Chairman John Joyce stating that \u201ca national data privacy standard is necessary.\u201d On February 21, Chairman Guthrie and Vice Chairman Joyce issued a Request for Information (RFI), inviting stakeholders to share questions and suggestions with the newly formed working group. While a federal comprehensive privacy law remained elusive in 2025, Chairman Guthrie held a December 2 hearing to \u201cexamine ways to protect children and teens online.\u201d The subcommittee hearing, titled \u201cLegislative Solutions to Protect Children and Teens Online,\u201d focused on 19 children\u2019s online safety bills, 18 of which were advanced to a full committee vote following a December 11 subcommittee markup session (the remaining bill, \u201cReducing Exploitative Social Media Exposure for Teens\u201d was not considered in the markup session). Notably, this focus on child safety was thought to be one of the reasons that the \u201cAI moratorium,\u201d aimed at reducing the enforcement of state AI regulations, was removed from the budget reconciliation bill.
\nIn addition to the data privacy working group and legislation focused on children and teens, there were multiple federal consumer health privacy bills introduced in 2025. Proposed health bills included the Health Information Privacy Reform Act\u00a0(\u201cto provide additional protections with respect to health information\u201d), the Reproductive Data Privacy and Protection Act (\u201cto ensure requests for data on individuals do not pertain to reproductive services\u201d), the American Genetic Privacy Act of 2025 (\u201cto prohibit the disclosure of certain genetic information to the People\u2019s Republic of China\u201d), and the My Body, My Data Act of 2025 (\u201cto protect the privacy of personal reproductive or sexual health information\u201d). Notably, none of these bills are bipartisan and have yet to make it outside of any committee.
\n3. Shift in Enforcement Priorities for New Administration
\n2025 was a relatively quiet year for the FTC (particularly compared to the previous two years), as the change in administration meant a shift in enforcement priorities. While the FTC under the previous administration used a broad interpretation of its Section 5 authority under the FTC Act to crack down on unfair and deceptive practices, the FTC under the current administration has yet to try to expand its Section 5 authority through the use of novel unfairness theories. This is consistent with various public statements by the new FTC Chair. Instead, the FTC\u2019s recent enforcement actions\u2014the first privacy enforcement actions under the new administration\u2014indicate that the Commission is focused on the privacy and safety of children and teens online.
\nThree of the four FTC enforcement actions brought in September alleged violations of the Children\u2019s Online Privacy Protection Act (COPPA), while the fourth action alleged unfair and deceptive practices relating to the failure to remove child sexual abuse material (CSAM) and nonconsensual material (NCM) from an adult content website. Notably, the FTC Commission has three vacancies and is currently comprised of two Republican commissioners, including Chairman Andrew Ferguson. It remains to be seen how the FTC\u2019s limited number of commissioners will impact its enforcement activities in 2026.
\n4. States Fill the Enforcement Gap, with California and Texas Leading the Charge
\nIn the absence of a strong federal regulatory presence, states have continued to fill the enforcement gap. In April 2025, a group of bipartisan state regulators formed the Consortium of Privacy Regulators to \u201cshare expertise and resources\u201d and to \u201ccoordinate efforts to investigate potential violations of applicable laws.\u201d The current Consortium consists of the California Privacy Protection Agency (CPPA) and state Attorneys General (AGs) from California, Colorado, Connecticut, Delaware, Indiana, Minnesota, New Hampshire, New Jersey, and Oregon.
\nCalifornia remained a prominent regulator in 2025, with both the California AG and the CPPA announcing their largest privacy-related monetary penalties. On July 1, 2025, the California AG announced a $1.55 million settlement\u2014the largest penalty issued under the California Consumer Privacy Act (CCPA) to date\u2014with Healthline, an online health and wellness knowledge platform. According to the California AG, Healthline violated the CCPA through its use of online tracking tools for targeted advertising purposes and its disclosure of sensitive health-related information to advertisers without complying with the CCPA\u2019s requirements. Furthermore, the California AG alleged that Healthline violated the CCPA\u2019s purpose limitation principle by using consumers\u2019 personal information in a manner that was inconsistent with the purposes for which it was collected and processed initially. On September 30, 2025, the CPPA announced a $1.35 million settlement\u2014the largest in the agency\u2019s brief history\u2014with Tractor Supply Company (Tractor Supply), a rural lifestyle retailer. According to the CPPA, Tractor Supply failed to provide consumers with an effective mechanism to opt out of the selling or sharing of their personal information and failed to notify California consumers\u2014including job applicants\u2014of their privacy rights in its privacy policy and disclosures. Notably, this is the first enforcement action involving employment-related data, which is protected under the CCPA (unlike most other state privacy laws).
\nWhile California has historically been an active regulator in the privacy and cybersecurity landscape, Texas continued to establish itself as an active enforcer in 2025. In January 2025, Texas filed the first-ever privacy lawsuit under a state comprehensive privacy law. The lawsuit alleged that a car insurance company developed a software development kit (SDK) which could collect a user\u2019s geolocation and movement data. Texas alleged that, by collecting consumers\u2019 geolocation data without their knowledge or consent, the car insurance company violated the state\u2019s Data Privacy and Security Act. Furthermore, Texas continued to aggressively enforce child privacy laws, with the state alleging in a January 2025 enforcement action\u00a0against a social media company that it violated the state\u2019s Deceptive Trade Practices Act by misrepresenting the quantity of explicit material depicting drugs, nudity, alcohol, and profanity exposed to children on the platform. Finally, Texas secured a $1.4 billion settlement\u2014one of the largest data privacy related settlements reached by a single state\u2014in connection with multiple data privacy claims, including a company\u2019s alleged violations of the Capture or Use of Biometric Identifier (\u201cCUBI\u201d) Act.
\n5. No New State Comprehensive Privacy Laws
\nDespite the introduction of hundreds of consumer privacy bills, 2025 was the first year since 2020 in which no new state comprehensive privacy was enacted. Massachusetts\u2019 and Pennsylvania\u2019s state legislatures made strides towards comprehensive privacy acts by passing bills through one chamber. However, both states failed to pass the bills through the second chamber before the end of the year. This leaves the total number of states with comprehensive privacy laws at 19.
\nStill, nine states passed amendments to their existing comprehensive privacy laws in 2025: Connecticut, Montana, Oregon, Colorado, Kentucky, Texas, Utah, Virginia, and California. Among the most significant amendments was Connecticut\u2019s SB 1295, which marked the second time Connecticut\u2019s Data Privacy Act (CTDPA) has been amended since its passage in 2022. This latest amendment, which expands the CTDPA\u2019s definition of sensitive data and modifies consumers\u2019 right to access, will go into effect on July 1, 2026. One of the most significant changes SB 1295 makes to Connecticut state comprehensive privacy law is its expansion of CTDPA\u2019s applicability. Currently, the CTDPA applies to entities that conduct business in Connecticut and, in the preceding year, (1) control or process personal information of at least 25,000 Connecticut residents and derive more than 25% of gross revenue from the sale of personal information; or (2) control or process personal information of at least 100,000 Connecticut residents. However, starting on July 1, 2026, the CTDPA will apply to entities that (1) control or process the personal data of at least 35,000 consumers; (2) control or process consumers\u2019 sensitive data; or (3) offer consumers\u2019 personal data for sale in trade or commerce. By expanding the applicability to entities that sell consumers\u2019 personal information or process consumers\u2019 sensitive information, SB 1295 will likely bring many more businesses within the CTDPA\u2019s scope.
\n6. States Focus on AI Legislation
\nStates remained focused on artificial intelligence (AI) legislation in 2025. On June 22, 2025, the Texas Governor signed the Texas Responsible Artificial Intelligence Governance Act\u00a0(TRAIGA) into law, making Texas the second state to pass comprehensiveAI regulation (with Colorado being the first). The Act, which places categorical limitations on the deployment and development of AI systems, went into effect on January 1, 2026, exactly one month before the Colorado AI Act. On December 19, 2025, the New York Governor signed the Responsible AI Safety and Education Act (RAISE Act) into law, amending the version that was originally passed by the state legislature in June. The RAISE Act creates requirements for the training and use of AI frontier models, including creating a safety plan. Given the civil penalties available under both statutory schemes, companies should evaluate their uses of AI to ensure compliance.
\nNotably, the new administration issued an executive order attempting to curb the impact\u00a0of state AI laws. The order, issued on December 11, 2025, targeted the \u201cpatchwork\u201d of \u201c50 discordant State\u201d regulatory regimes \u201cthwart[ing]\u201d the innovation required for the US to \u201cwin[] the AI race.\u201d The order cites to Colorado\u2019s AI Act as an example of harms posed by state AI laws, arguing that its ban on \u201calgorithmic discrimination\u201d requires \u201centities to embed ideological bias within models\u201d\u2014potentially \u201cforc[ing] AI models to produce false results in order to avoid a \u2018differential treatment or impact\u2019 on protected groups.\u201d While the order could chill future AI legislation at the state level, it is worth noting that the New York Governor signed the RAISE Act into law after the administration issued the order.
\n7. Consumer Health Data Remains a Priority
\nHealth data privacy remained a legislative priority for states in 2025. In March, Virginia enacted SB 754, amending its Consumer Protection Act to restrict the collection, disclosure, and sale of reproductive and sexual health information without opt-in consent. The law defines covered data broadly, including diagnoses, procedures, purchases, location data, and inferred information, while excluding HIPAA-regulated records. It also provides a private right of action directly to consumers, and gives the Virginia AG authority to bring actions as well. In June, the New York state legislature passed the Health Information Privacy Act\u00a0(NY HIPA), which proposed strict limits on processing \u201cregulated health information,\u201d defined to include any data reasonably linkable to an individual and related to physical or mental health. Ultimately, however, the New York Governor vetoed the Act on December 19, 2025 (although a modified version is expected to be introduced in 2026).
\n2025 also marked the first time a class action complaint was filed under Washington\u2019s My Health, My Data Act\u00a0(MHMDA). The class action alleged that Amazon.com, Inc. and Amazon Advertising, LLC\u2019s SDK embedded in third-party mobile applications violated federal wiretap laws and state privacy laws, including the MHMDA. This lawsuit represents a significant test case for Washington\u2019s MHMDA, which has been in effect since March 2024. Given the continued focus on consumer health data, companies should evaluate any data collection and consent processes related to their business.
\n8. States Propose and Finalize Significant Rules under the Comprehensive Privacy Laws
\nEven though no new comprehensive laws passed last year, companies should still be aware of new requirements at the state level that have been implemented through the rulemaking process. On June 2, 2025, the New Jersey Division of Consumer Affairs (the \u201cDivision\u201d), alongside the Office of the Attorney General, announced proposed rules\u00a0(the \u201cProposed Rules\u201d) to implement the New Jersey Data Privacy Act (NJDPA). The 60-day comment period, which closed on Friday, August 1, 2025, provided the public with an opportunity to weigh in on how the NJDPA is enforced. After the Division reviews and considers the submitted comments, it is expected to publish a Notice of Adoption this year.
\nAdditionally, on September 23, 2025, California finalized its regulations on cybersecurity audits, risk assessments, and automated decisionmaking technology (ADMT). While the regulations went into effect on January 1, 2026, companies have additional time to comply with cybersecurity audits, risk assessments, and requirements for automated decisionmaking technologies.
\n9. Pixel Tracking Litigation Remains Active
\nLitigation over website tracking technologies continued into 2025 as plaintiffs challenged these practices under various legal theories. Plaintiffs relied on state privacy statutes such as the California Invasion of Privacy Act (CIPA), wiretapping laws, and even the Video Privacy Protection Act\u00a0(VPPA), a federal statute originally intended to protect video rental histories. There have been significant circuit splits\u00a0on the VPPA and whether pixel tracking litigation falls under it.
\nThe VPPA prohibits a \u201cvideo tape service provider\u201d from knowingly disclosing personally identifiable information (PII) about a consumer, except in limited circumstances such as consent. Courts have split on what qualifies as PII and who counts as a consumer. On the PII question, the Second Circuit in Solomon v. Flipps Media held that complex identifiers embedded in pixels do not qualify as PII because an ordinary person cannot easily link them to video-viewing behavior. This approach aligns with the Third and Ninth Circuits\u2019 \u201cordinary person\u201d standard but conflicts with the First Circuit\u2019s \u201creasonable foreseeability\u201d test. On the consumer issue, the D.C. Circuit in Pileggi v. Washington Newspaper Publishing narrowed the interpretation of \u201cconsumer,\u201d going a step beyond the Sixth Circuit to further limit VPPA protections to individuals who rent, purchase, or subscribe to specific audiovisual services. The D.C. Circuit ruled that merely consuming audiovisual materials is insufficient; the videos for which viewing history is disclosed must be the same materials or services the individual purchased, rented, or subscribed to. In contrast, on this issue, the Second and Seventh Circuits have held that the VPPA covers individuals who rent, purchase, or subscribe to any good or service provided by a videotape service provider, even if the good or service is not itself audiovisual.
\nThese significant circuit splits on interpreting the VPPA and pixel litigation may eventually prompt Supreme Court review. For now, companies should monitor developments and reassess their use of tracking technologies to reduce litigation risk.
\n10. Data Security and Breach Enforcement Remains a Priority
\nRegulators continued to prioritize data security enforcement in 2025, imposing significant penalties for inadequate safeguards and poor incident response. At the federal level, the FTC relied on Section 5 of the FTC Act to frame security failures as unfair or deceptive practices, while signaling a shift toward more targeted enforcement focused on deception, fraud, and data security. On December 1, 2025, the FTC announced a settlement with Illuminate Education Inc. (Illuminate) following the education technology provider\u2019s security incident. According to the FTC, Illuminate misrepresented \u201cthat it implemented reasonable measures to protect personal information against unauthorized access.\u201d As part of the settlement, Illuminate is required to implement a data security program and delete unnecessary data.
\nState AGs also remained active, using Unfair or Deceptive Practices (UDAP) statutes and breach notification laws to pursue enforcement. These enforcement actions included Massachusetts\u2019 August 2025 settlement against a property management company following multiple security incidents. According to the Massachusetts AG, Peabody Properties, Inc (Peabody) failed to adequately protect Massachusetts residents\u2019 personal information and violated the state\u2019s data breach notification statue by unlawfully delaying required notifications to the AG and consumers. At both the state and federal level, organizations should expect increased oversight and prioritize risk assessments, employee training, and breach readiness. Repeat offenders face escalating penalties, making proactive compliance essential.
\n***
\n2025 was a year of substantial change in the regulation of data privacy, in ways that were both expected and unexpected. While no federal privacy legislation or state comprehensive privacy laws emerged, highlights from the past year included critical federal regulations and significant state enforcement actions. Companies affected by these developments\u2014likely most companies of any meaningful size in the United States\u2014will need to understand their current compliance obligations as well as anticipate the potential legislative and regulatory changes ahead in 2026.<\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

The Top Ten US Data Privacy Developments from 2025 https:\/\/www.wilmerhale.com\/en\/insights\/blogs\/wilmerhale-privacy-and-cybersecurity-law\/20260128-year-in-review-the-top-ten-us-data-privacy-developments-from-2025 Publish Date: 2026-01-28 15:16:00 Source…<\/p>\n","protected":false},"author":1,"featured_media":182434,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.wilmerhale.com\/-\/media\/2d09123adc1344b0a18a09da4e06fdbe.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,20,30,24,28],"class_list":["post-182433","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-artificial-intelligence","tag-breach","tag-cybersecurity","tag-data-security"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/182433"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=182433"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/182433\/revisions"}],"predecessor-version":[{"id":182435,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/182433\/revisions\/182435"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/182434"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=182433"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=182433"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=182433"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}