U.S. Privacy and Data Protection Updates | Insights | Q4 2025 (State Law)

By
Partner

2025 Privacy Enforcement: What Businesses Need to Know Now

State privacy regulators spent 2025 sending a clear message: enforcement has moved from theory to action. In the continued absence of a comprehensive federal privacy law, state attorneys general and privacy regulators are using broad enforcement powers to set potential national standards for data practices.

For any business that handles consumer data—whether through e-commerce, SaaS products, mobile apps, adtech, or data brokerage—the latest trends make it more important than ever to have experienced privacy counsel in your corner. Kronenberger Rosenfeld frequently helps companies translate fast‑moving legal developments into practical privacy programs.

State Privacy Enforcement Grew Up in 2025

A central theme of 2025 was the shift from “wait and see” to active enforcement. Regulators stepped up investigations and settlements under an expanding patchwork of state privacy laws, using their authority to define baseline expectations for how businesses collect, use, share, and retain data. Regulators paid particular attention to whether companies make it genuinely easy for consumers to exercise their rights—especially opt‑out rights for data sales, targeted advertising, and profiling.

California vs. Texas: Two Enforcement Playbooks

The 2025 enforcement landscape also highlighted how state strategies are diverging, with California and Texas illustrating two distinct models.

California’s Structured, Playbook‑Driven Approach

California’s privacy regulators have pursued a methodical approach. They tend to:

  • Announce priority areas (such as data brokers, children’s privacy, or opt‑out mechanisms).
  • Notify affected businesses and conduct sector “sweeps.”
  • Bring representative cases that resolve with meaningful but measured penalties and detailed remedial obligations.

For businesses, this model offers some transparency: once priorities are announced, there is at least an opportunity to assess risk and remediate before facing potential legal action.

Texas’s Public, Headline‑Oriented Strategy

Texas, by contrast, has leaned into public, politically charged enforcement. High‑profile actions and press‑forward messaging are used to shape business behavior and send signals to voters and industry alike.

Other states have also been ramping up enforcement. For companies operating nationwide, these trends matter. The same data practice might generate quiet, process‑heavy scrutiny in one state and public, reputational risk in another. Coordinated compliance planning—with an eye on both structured investigations and reputational exposure—has become increasingly valuable. If your company operates in multiple states or relies on adtech, analytics, or data partnerships, assume that a single practice may be viewed very differently by different regulators.

California: Delete Act and Broker Sweeps

In California, enforcement of the Delete Act and related obligations led to investigative sweeps and actions against multiple data brokers. For data‑driven businesses, the message is straightforward: understand whether you function as a data broker under state law, and if so, take your registration, disclosure, and deletion/opt‑out obligations seriously.

GPC as a Litmus Test for Serious Opt‑Outs

At the same time, multi‑state coalitions are treating Global Privacy Control (GPC) and similar browser or device signals as a litmus test for whether businesses truly respect opt‑out rights. A coordinated investigative initiative launched in 2025 to examine how companies honor GPC signals, putting technical implementation choices—tag manager configurations, consent tools, and internal routing of opt‑out flags—squarely in enforcement sights. Our firm frequently assists clients, from product counseling to drafting compliant disclosures and coordinating opt‑out testing.

Children’s Privacy and Sensitive Data Protections Intensified

Children’s privacy remained a top priority in 2025, with states pushing beyond traditional COPPA‑style baselines. New and amended laws extended heightened protections and consent standards to minors up to age 18, tightened rules around targeted advertising to young users, and experimented with age‑verification requirements and youth‑friendly default settings.

Consider a mobile wellness app that tracks mood, sleep, and location for teen users. Under emerging state regimes, that app may face:

  • Heightened consent requirements for minors and their guardians.
  • Restrictions on targeted advertising based on health or location inferences.
  • Scrutiny of any data sharing with advertisers, insurers, or data analytics providers.

At the same time, states borrowed concepts from Washington’s “My Health My Data”–style laws to bolster protections for sensitive health and location information. Regulators are increasingly focused on geolocation‑based tracking—particularly when insurers, advertisers, or app developers use mobile data to infer behaviors or risk profiles. This has led to both public enforcement actions and a growing wave of private litigation.

Interstate and International Cooperation Filled the Federal Gap

While the Federal Trade Commission regulates data privacy and security issues, there is no comprehensive federal privacy statute, so states turned to collaboration to reduce regulatory gaps and inconsistencies. For businesses, this means that a practice scrutinized in one state is more likely to attract attention elsewhere. California has also leveraged its economic status to build direct relationships with foreign privacy authorities, including regulators in jurisdictions like the United Kingdom, South Korea, and France. These ties complement frameworks such as the EU–U.S. Data Privacy Framework and underscore a core reality: many mid‑market U.S. companies now face global, multi‑jurisdictional privacy expectations even if they consider themselves “domestic.”

Why You Should Involve a Privacy Lawyer Now

The combination of overlapping state laws, evolving interpretations of concepts like “sale,” “sharing,” and “profiling,” and the risk of both regulatory and private actions makes legal guidance a necessity rather than a luxury. Whether your business is implementing Global Privacy Control, revisiting data retention and minimization, or responding to a regulatory inquiry, engaging experienced privacy counsel early can reduce exposure, streamline internal processes, and align your data strategy with long‑term business goals.

Practical Steps for 2026 Compliance

To turn 2025’s enforcement themes into an actionable plan for 2026, businesses that handle consumer data should consider prioritizing the following steps:

  • Map data flows, including third‑party sharing, to identify where “sale,” “sharing,” and “profiling” definitions might apply under state laws.
  • Review opt‑out mechanisms—especially for cross‑site advertising—and ensure that tools properly detect and honor Global Privacy Control signals.
  • Update privacy policies and notices to reflect state‑specific obligations, minors’ protections, and any data broker or sensitive data activities.
  • Review third-party contracts as well as internal policies and procedures.
  • Reassess children’s and teen‑focused products or marketing to ensure appropriate age gates, consent flows, and content/ads practices.
  • Develop a response playbook for regulatory inquiries or investigative sweeps, including document holds, communications strategy, and stakeholder alignment.

Kronenberger Rosenfeld helps clients convert these checklists into tailored, defensible roadmaps—integrating legal requirements with real‑world engineering, product, and marketing constraints. Contact us today through our online submission form to learn more.

FAQs: U.S. State Privacy Enforcement and Your Business

What is driving the increase in state privacy enforcement in 2025?
The lack of a comprehensive federal privacy law has pushed states and their attorneys general to fill the regulatory vacuum through aggressive use of existing consumer protection and privacy statutes. At the same time, a maturing ecosystem of state privacy laws gives regulators clearer hooks to challenge opaque data practices, particularly in areas like targeted advertising, data brokerage, and sensitive data collection.

Do smaller or regional businesses need to worry about these laws?
Yes. Many state privacy laws apply based on the volume and nature of data processing rather than company size, and enforcement actions have not been limited to the largest tech platforms. Even regional or niche businesses can fall within scope if they rely on online tracking, data‑driven advertising, or third‑party data services, making a right‑sized compliance program essential.

What is Global Privacy Control, and why does it matter?
Global Privacy Control is a browser‑ or device‑level signal that communicates a user’s preference to opt out of the sale or sharing of personal information. Several state regulators now treat honoring GPC as a core compliance requirement, and coordinated investigations launched in 2025 suggest that failure to respect the signal may become a focal point of future enforcement.

How can Kronenberger Rosenfeld help my company with privacy compliance?
Kronenberger Rosenfeld advises companies on complying with state and federal privacy laws, drafting and updating privacy policies, assessing adtech and data‑sharing arrangements, and responding to regulatory inquiries and litigation. The firm’s attorneys track fast‑moving developments—from children’s privacy to health and geolocation data—and help businesses design practical, risk‑based privacy programs that align with product and growth strategies.

If your organization collects, shares, or monetizes consumer data—whether through ecommerce, SaaS offerings, mobile apps, or data‑driven advertising—now is the time to engage experienced privacy counsel. Kronenberger Rosenfeld can help assess your current posture, prioritize remediation, and position your business for the next wave of enforcement. To discuss your privacy risk profile or a specific enforcement concern, contact the firm through our online case submission form and speak with an attorney about a tailored compliance strategy.

This entry was posted on Friday, December 19, 2025 and is filed under Privacy and Data Protection Updates, Internet Law News.


