State-by-State: The New Privacy Regulations of 2025

Data privacy regulations are expanding fast. Privacy and data governance continue to be top-of-mind for regulators, consumers, and businesses. This is especially true as new technologies – like the ubiquitous use of AI – change the data landscape.

As different states scramble to keep up with consumer sentiment and real privacy concerns, new regulations continue to pop up. Each state may take a slightly different approach, with varying levels of impact on companies and their data governance practices. In 2025, at least eight new state privacy laws will go into effect, signaling a broader shift toward decentralization but aggressive privacy oversight, especially amid the rise of AI-driven data processing.

Why This Matters

For organizations handling personal data across jurisdiction, the 2025 rollout brings operational and strategic challenges, including but not limited to:

• Growing Complexity: More states coming up with more rules mean more confusion for organizations doing business in multiple states. With no federal privacy law, companies must navigate diverging state mandates, often with subtle but critical differences in scope and enforcement.
• Expanded Consumer Rights: Many of the new laws provide consumers with rights to access, delete, correct, and opt out of data collection, sharing, or profiling.
• Increased Enforcement Risk: Companies must adapt to the increasing number of new rules or risk fines and reputational damage.
• Security & Governance Implications: Newly introduces laws are increasingly intertwined with security, requiring security and privacy teams to conduct assessments, ensure risk-based safeguards, and have clear accountability frameworks in place.

The 2025 Privacy Law Rollout

The eight new state-specific privacy laws are rolling out throughout the year, with several already hitting in Q1. Additionally, earlier state-specific privacy laws have rolling implementation dates in 2025. Overall, Maryland is slated to be the strictest of the new crop of laws and is compared by many with California’s now infamous CCPA/CPRA.

Here’s a quick snapshot of what’s coming and how it may impact you:

Key Analysis:

• Data Protection Assessments (DPAs) are becoming the norm.
• Risk-based Accountability: Oregon’s requirement for DPIAs is not isolated, several other states are considering similar provisions, ultimately pushing companies to have a formalizes risk framework.
• Right to Cure provisions are disappearing, making enforcement risk(s) higher.
• States are expanding laws to profiling, AI, and biometric data.
• Child-focuses legislation (MD & CO) signals a broader regulatory trend.

How are you approaching the new privacy laws?

With the new privacy laws rolling out, many clients are preparing for the new demands that will be placed on their organizations. Data governance is top-of-mind in an urgent way, as executives consider the implications of non-compliance. Many of the new rules also require regular privacy risk assessments to ensure continued compliance as technologies change.

Diligence around privacy and data governance risks, including all those mentioned above, will be critical. Looking ahead to how privacy and data protection regulations may evolve will be important in planning your forward-looking data strategy.

Support for your privacy compliance needs

Tevora’s privacy and data governance experts are actively assisting clients impacted by these new privacy regulations. Whether you’re looking for a scalable privacy program or performing targeted assessment ahead of these new laws, Tevora offers:

• Privacy Program Maturity and Gap Assessments with road mapping
• State-Specific Readiness
• Data Mapping and Data Flow Development
• Privacy Impact and Risk Assessments (PIA/DPIA)

Let Tevora support your compliance efforts in 2025.