
Data Protection in the U.S. – 2025 Year in Review

Written by: Jennifer A. Beckage, Esq., CIPP/US, CIPP/E and Lee Merreot, Esq., CIPM, CIPP/US, CIPP/E, CDPO

For businesses operating in the United States, 2025 was a year of heightened scrutiny and evolving obligations. The U.S. remains unique: unlike the EU’s unified General Data Protection Regulation (GDPR) framework, it offers a patchwork of state and federal laws to address data security, privacy, and AI. This complexity—combined with rising litigation and regulatory actions—makes compliance a moving target for global organizations.

California Sets the Tone

California continued to lead U.S. privacy enforcement, and two cases in particular illustrate why international companies should pay attention.

American Honda Motor Co. became the first public enforcement action by the California Privacy Protection Agency (CPPA) under the CCPA. Honda was fined $632,500 for failing to honor opt-out preference signals and allegedly imposing excessive verification hurdles for consumer requests. The settlement required Honda to redesign its user experience and overhaul ad-tech contracts to meet statutory requirements. [1]

Similarly, Tractor Supply Co. agreed to pay $1.35 million after regulators found its privacy notices inadequate and opt-out mechanisms ineffective.[2]

These cases illustrate that regulators are targeting not just data misuse but also user interface design—penalizing “dark patterns” and poor consent flows. For international organizations, this signals that compliance is not just about having a privacy notice; it’s about how choices are presented and honored in practice. U.S. compliant notices, policies, and practices are critical.

Children’s Data and AI Litigation

The Federal Trade Commission finalized major amendments to the Children’s Online Privacy Protection Act (COPPA) in June 2025, expanding the definition of personal information to include biometrics and requiring separate parental consent for third-party disclosures, including targeted advertising.[3] These changes raise the bar for ed-tech, gaming, and mixed-audience platforms, and reflect a broader trend toward stricter controls on sensitive data.

Meanwhile, artificial intelligence litigation surged. In The New York Times v. OpenAI, a federal court ordered the production of millions of anonymized ChatGPT logs, rejecting privacy objections and expanding discovery obligations around AI training data.[4] This case underscores the growing tension between transparency and privacy in AI systems—a theme that resonates globally as the EU AI Act began to take effect.

Patchwork Expansion and Litigation Trends

By the end of 2025, 20 states enforce consumer privacy laws, with eight new statutes taking effect this year.[5] Each law introduces unique thresholds and consent requirements, making compliance for multinational companies increasingly complex. At the same time, class actions and regulatory investigations are on the rise, targeting privacy missteps, biometric data use, and AI practices. Plaintiffs are stretching old laws—like video privacy and wiretap statutes—to new technologies. Helpfully for businesses operating in the U.S., courts are demanding greater specificity in pleadings.

For international businesses, this means higher litigation risk and the need for robust arbitration strategies. However, certain arbitration clauses and class-action waivers may not be enforceable under U.S. law, so boilerplate terms often fail to provide adequate protection.[6]

Accessibility and Risk Reduction

Beyond privacy, U.S. law imposes accessibility obligations under the Americans with Disabilities Act (ADA). Websites and mobile apps must provide accessible experiences for individuals with disabilities. Noncompliance can trigger lawsuits and reputational harm. The last year has seen a surge in accessibility litigation, driven in part by the statute’s provision for the recovery of attorneys’ fees. Implementing accessibility standards (such as WCAG 2.1) is relatively low cost compared to potential litigation exposure, making ADA compliance a high-impact, low-effort risk mitigation step.[7]

The Trump Administration Factor

While no sweeping federal privacy, security, or AI laws emerged in 2025, executive orders and policy signals suggest a deregulatory posture—emphasizing innovation and reducing compliance burdens. This could slow momentum for a national privacy statute, leaving states to continue to drive enforcement. For example, states have amended numerous laws to address AI, and some states have their own comprehensive AI laws, again creating a patchwork of laws despite federal efforts to cut red tape and foster innovation. For the foreseeable future, the U.S. will remain a jurisdiction of fragmented rules and aggressive state-level oversight, rather than a cohesive federal regime.[8]

AI Legislation and Data Protection in 2025

Artificial intelligence is increasingly being regulated in the U.S., but there is currently no federal law governing AI or its impact on personal data. Instead, states have taken varied approaches, again resulting in a patchwork of requirements. In 2025, over half of the states adopted or proposed laws on AI governance, oversight, and transparency. California, Texas, and Colorado are among those setting standards for disclosures and risk management, while compliance deadlines and specific obligations differ widely.[9][10]

This fragmented landscape means organizations must monitor state developments and adapt compliance programs accordingly. With Congress declining to set a national framework [11], state laws will continue to shape AI governance, requiring flexible, multi-jurisdictional strategies.

What This Means for International Organizations

  • If your organization processes the personal information of U.S. citizens, litigation and regulatory investigations are on the rise, so understanding specific notice and processing requirements is critical to avoid damages and fines
  • Obtain an analysis of what U.S. laws apply to your organization so you can anticipate legal and compliance obligations to help avoid risk
  • Review privacy notices and terms of use for state-specific compliance requirements; compliance with the GDPR does not necessarily equal U.S. compliance because states have a variety of nuances
  • Audit consent flows and remove dark patterns
  • Update vendor contracts to meet CCPA and other U.S. state and federal requirements and flow down obligations
  • Implement ADA accessibility standards through technical design actions and updated online and internal policies
  • Address U.S. requirements in policies and in online notices and other consents relating to AI use
  • Consider robust cyber insurance and tech E&O insurance as litigation and regulatory fines escalate

Attorney Advertisement

References

[1] California Privacy Protection Agency, American Honda Motor Co. Enforcement Action, CPPA (2025), https://cppa.ca.gov
[2] California Privacy Protection Agency, Tractor Supply Co. Settlement, CPPA (2025), https://cppa.ca.gov
[3] Federal Trade Commission, FTC Finalizes COPPA Rule Changes, FTC (June 2025), https://ftc.gov
[4] U.S. District Court for the Southern District of New York, The New York Times v. OpenAI, Court Order (2025), https://courtlistener.com
[5] International Association of Privacy Professionals, 2025 U.S. State Privacy Law Overview, IAPP (2025), https://iapp.org
[6] U.S. Courts, Class Action Trends and Arbitration Enforcement, Administrative Office of the U.S. Courts (2025), https://uscourts.gov
[7] U.S. Department of Justice, ADA Website Accessibility Guidance, DOJ (2025), https://ada.gov
[8] White House, Executive Orders on Technology and Privacy, Federal Register (2025), https://federalregister.gov
[9] California Privacy Protection Agency, American Honda Motor Co. Enforcement Action, CPPA (2025), https://cppa.ca.gov
[10] California Privacy Protection Agency, Tractor Supply Co. Settlement, CPPA (2025), https://cppa.ca.gov
[11] Federal Trade Commission, FTC Finalizes COPPA Rule Changes, FTC (June 2025), https://ftc.gov
