The State of Consumer Data Privacy Legislation in 2025

The Gist

• Consumer trust hinges on data privacy. 83% of consumers prioritize data protection, and 67% have updated privacy settings, signaling heightened awareness.
• Global privacy laws are expanding. 82% of the world's population is now covered under privacy laws, with GDPR remaining the most influential regulation.
• DSA & DMA set new standards. These EU laws enhance advertising transparency, impose content moderation obligations, and curb anti-competitive practices.
• U.S. privacy landscape remains fragmented. The ADPPA remains stalled, leaving businesses to navigate a patchwork of state privacy laws.
• New state laws in 2025. Delaware, Iowa, Nebraska, and others are implementing privacy laws, further complicating compliance for businesses.
• AI personalization faces increased scrutiny. Businesses must balance AI-driven personalization with privacy regulations to maintain consumer trust.

Editor's note: This article, originally published in 2023, was updated March 3, 2025 to reflect changes in the consumer data privacy regulatory landscape.

Recent studies reiterate the critical importance of data protection in maintaining consumer trust.

According to PwC's 2024 Voice of the Consumer Survey, 83% of respondents consider data protection a top priority influencing their trust in brands.

Additionally, Cisco's 2024 Consumer Privacy Survey revealed that 67% of consumers have reviewed or updated their privacy settings on various apps and platforms in the past year, reflecting growing awareness and concern over data privacy.

The CMSWire State of Digital Customer Experience 2024 report finds that with generative AI, organizations consider the data privacy (58%) to be the top risk ahead of cybersecurity problems (49%), protecting intellectual property (48%) and the related risk around copyright issues (plagiarism at 41%).

This article will look at the current state of consumer data privacy legislation, its impact and how brands are adapting to these regulations. 

Table of Contents

• Global Data Privacy Laws: The Competitive Advantage of Proactive Compliance
• The Digital Services Act (DSA) and the Digital Markets Act (DMA)
• The American Data Privacy Protection Act (ADPPA)
• New State Data Privacy Legislation and the Call for Federal Coherency
• Upcoming State Data Privacy Laws in 2025
• Core Questions About Data Privacy and Consumer Trust

Global Data Privacy Laws: The Competitive Advantage of Proactive Compliance

According to a recent IAPP report, as of February 2025, approximately 82% of the global population—equivalent to about 6.64 billion people—are protected under national data privacy laws, with 144 countries having enacted such legislation. Although privacy legislation in the United States has definitely impacted online businesses, the European General Data Protection Regulation (GDPR) has had the greatest impact on brands thus far—one can rarely visit any business website without being presented with a cookie acceptance prompt. 

With GDPR enforcement intensifying and new privacy laws emerging globally, businesses that adopt forward-thinking privacy strategies will gain a competitive edge. Implementing GDPR-level protections across all markets, even where not legally required, can help companies avoid compliance headaches down the road.

Ray Walsh, digital privacy expert at Comparitech, told CMSWire, "The patchwork quilt of privacy laws across the US is creating a compliance nightmare that drives up business costs and leads to uncertainty. The good news? Companies can get ahead of competitors by proactively adopting the strictest privacy standards across all regions.”

Walsh suggested that by enforcing GDPR-level protections, even in places where they’re not yet required, businesses can cut costs and avoid last-minute compliance scrambles.

The Digital Services Act (DSA) and the Digital Markets Act (DMA)

Similarly, two new bills have been introduced in Europe that have the potential to impact online businesses across the globe. The Digital Services Act (DSA) and the Digital Market Act (DMA) form a single set of rules that apply across Europe. The goals of the two bills are:

• Create a safer digital space in which the fundamental rights of all users of digital services are protected

• Establish a level playing field to foster innovation, growth and competitiveness, both in the European Single Market and globally

Through the DSA and DMA, the European Union has established a modern legal framework that prioritizes the safety of users online, upholds fundamental rights and promotes a fair and open online platform environment. The DSA will introduce transparency around advertising, ensuring that it is clearly labeled, and that consumers know who is placing the ad and why they are seeing it. It will also impose a complete ban on targeted advertising of children based on their personal data.

The DSA and DMA have significantly impacted digital regulations in Europe, but their influence extends beyond EU borders. Global businesses must align their operations with these new standards, especially when dealing with content moderation, advertising transparency and anti-competitive practices. 

Navigating the DSA and DMA: New Compliance Challenges for Global Tech

Nicky Watson, founder and chief architect at Syrenis, told CMSWire, "The DSA and DMA set a high bar for tech companies globally as they aim to provide robust protections for users, demanding greater transparency in online content and stricter rules for large platforms regarding their market behavior. For instance, the DSA’s requirements on content moderation and risk assessments forced companies to rethink how they design and manage their platforms, and ensure they are not inadvertently promoting harmful content.” Watson added that the DMA introduced rules to curb anti-competitive practices, which is particularly relevant for businesses with large market shares.  

Key Dates for DSA Compliance

• Feb. 17, 2023 – All online platforms and search engines were required to publish their average monthly active user counts to determine their designation under the DSA.
• Aug. 25, 2023 – Platforms with over 45 million monthly active users (VLOPs and VLOSEs) were required to comply with DSA obligations, including enhanced content moderation, increased transparency, and user protection measures.
• Feb. 17, 2024 – Platforms below the 45-million-user threshold were required to comply with DSA rules.

WhatsApp reported approximately 46.8 million average monthly active users in the EU as of December 2024, surpassing the 45-million-user threshold. Consequently, WhatsApp has been designated as a VLOP and is subject to the DSA's stricter regulations. Non-compliance with the DSA can result in significant penalties, including fines of up to 6% of a company's global annual revenue.

Therefore, it's imperative for all online platforms operating within the EU to understand their obligations under the DSA and ensure timely compliance to avoid substantial fines and operational disruptions. 

Related Article: 4 Customer-Centric Strategies for Improving Data Privacy

The American Data Privacy Protection Act (ADPPA)

The American Data Privacy Protection Act (ADPPA), if enacted, will preempt the California Consumer Privacy Act (CCPA), and is designed to "Promote U.S. Innovation and Individual Liberty through a National Standard for Data Privacy.” The proposed act drew the attention of California State Attorney General Rob Bonta, who stated that the ADPPA threatens to preempt California's law with a weaker federally imposed privacy act.

According to a February 2023 Vericast survey, 39% of consumers feel powerless in controlling how brands use their personal data, and 23% say they are unsure what kinds of information brands collect overall.

The ADPPA promises to change that, as it specifies that consumers would have the right to know how their personal data will be used and which third parties will receive it. Consumers would have the right to correct and download their user data, and businesses would have up to 90 days to process these requests.

Consumers would also have the right to take legal action against businesses that are in violation of the Act for four years after its execution. The ADPPA, which was introduced in 2022, did not advance during the 117th Congress, which adjourned on January 3, 2023. As of February 2025, the Act remains pending, with no further legislative action taken.

New State Data Privacy Legislation and the Call for Federal Coherency

As of 2025, 20 U.S. states have enacted comprehensive consumer data privacy laws, eight of which are set to take effect this year. Because of the myriad of different privacy rules and regulations that are in place in the United States, a consortium of technology and corporate trade groups, including the U.S. Chamber of Commerce and the Consumer Technology Association, came together in a campaign titled United for Privacy. They stated that the current privacy legal landscape is a “conflicting patchwork of privacy laws” that will cost the U.S. economy over $1 trillion over the next decade. Their website decries that “We need a uniform national privacy law that would protect consumers’ data and privacy no matter where they live and provide businesses certainty about their responsibilities.” 

As of March 2025, a comprehensive federal data privacy law has not been enacted in the United States. Consequently, individual states continue to establish their own regulations governing the handling of sensitive consumer data. This decentralized approach requires businesses to deal with a complex and varied legal system to ensure compliance across different jurisdictions.

As of January 2025, Delaware, Iowa, Nebraska, New Hampshire and New Jersey have had new data privacy legislation that became law. Later this year, Tennessee, Minnesota and Maryland will follow suit with laws of their own. This expansion reflects a growing trend toward state-level data privacy regulation in the absence of a comprehensive federal law. Businesses operating across multiple states must work within this complex and evolving legal nightmare to ensure compliance with varying state-specific requirements. 

This year, a new wave of state privacy laws is taking effect, introducing stricter data rights for consumers and new compliance requirements for businesses, further complicating the already fragmented U.S. privacy legislation:

Learning Opportunities

Webinar

Sep

25

CMS Briefing: A Live Look at What’s Next in AI-Driven Platforms

Learn how leading organizations are using AI‑driven tools to publish faster, personalize smarter and stay secure.

Register

Webinar

Sep

25

Call Spoofing Trends Financial Institutions Can't Afford to Ignore

Don't let robocalls sabotage your customer relationships. Learn how to secure your voice channel.

Register

Webinar

On demand

Ready or Not: How Data-First Organizations Are Unlocking Agentforce Potential

Learn how to cut through the noise, activate Agentforce and build a Salesforce AI strategy that actually delivers.

Watch Now

Webinar

On demand

CX Reality Check: What Your Customers Are Really Thinking

Register now and get the insights you need to not just meet rising expectations, but exceed them.

Watch Now

Webinar

On demand

Content Leaders Collective: What a Good CCMS Actually Looks Like

Discover how content leaders transform clunky systems into growth engines — and why your competitors are ahead.

Watch Now

Webinar

On demand

From Hype to High-Impact CX Strategies That Actually Scale

Turn buzzworthy AI and outsourcing trends into measurable CX wins with fresh 2025 data.

Watch Now

Webinar

Sep

25

CMS Briefing: A Live Look at What’s Next in AI-Driven Platforms

Learn how leading organizations are using AI‑driven tools to publish faster, personalize smarter and stay secure.

Register

Webinar

Sep

25

Call Spoofing Trends Financial Institutions Can't Afford to Ignore

Don't let robocalls sabotage your customer relationships. Learn how to secure your voice channel.

Register

Webinar

On demand

Ready or Not: How Data-First Organizations Are Unlocking Agentforce Potential

Learn how to cut through the noise, activate Agentforce and build a Salesforce AI strategy that actually delivers.

Watch Now

View all

Upcoming State Data Privacy Laws in 2025

Several U.S. states are enacting new data privacy laws in 2025, introducing stricter regulations on how businesses collect, process and store consumer data. Below is a breakdown of key laws and their effective dates.

Effective January 1, 2025

• Delaware Personal Data Privacy Act (DPDPA): Applies to entities conducting business in Delaware or targeting its residents. Covers those processing personal data of:
  • At least 35,000 consumers
  • 10,000 consumers if over 20% of gross revenue comes from selling personal data
• Iowa Consumer Data Protection Act (ICDPA): Applies to entities processing personal data of:
  • At least 100,000 consumers
  • 25,000 consumers if over 50% of gross revenue comes from selling personal data
• Nebraska Data Privacy Act (NDPA): Applies to entities conducting business in Nebraska, with no minimum data processing threshold, provided they are not classified as small businesses under federal guidelines.
• New Hampshire Privacy Act (NHPA): Applies to entities processing personal data of:
  • At least 35,000 consumers
  • 10,000 consumers if over 25% of gross revenue comes from selling personal data

Effective January 15, 2025

• New Jersey Data Privacy Act (NJDPA): Applies to entities processing personal data of:
  • At least 100,000 consumers
  • 25,000 consumers if any revenue is derived from selling personal data

Effective July 1, 2025

• Tennessee Information Protection Act (TIPA): Applies to entities with:
  • Annual revenue exceeding $25 million
  • Processing personal data of at least 175,000 consumers
  • 25,000 consumers if over 50% of gross revenue comes from selling personal data

Effective July 31, 2025

• Minnesota Consumer Data Privacy Act (MCDPA): Applies to entities processing personal data of:
  • At least 100,000 consumers
  • 25,000 consumers if over 25% of gross revenue comes from selling personal data

Effective October 1, 2025

• Maryland Online Data Privacy Act (MODPA): Applies to entities processing personal data of:
  • At least 30,000 consumers
  • 10,000 consumers if over 20% of gross revenue comes from selling personal data

The Business Impact of Evolving State Privacy Laws and AI Regulations

These laws generally grant consumers rights such as accessing, correcting, deleting personal data and opting out of data sales. Businesses are required to provide clear privacy notices and implement data protection measures. Notably, Delaware and New Jersey's laws also apply to certain nonprofit organizations.

The growing patchwork of state privacy laws is creating significant challenges for businesses operating across multiple jurisdictions. With varying requirements from state to state, compliance has become a moving target, requiring businesses to invest in legal expertise to avoid penalties and operational disruptions.

Ben Michael, attorney at M & A Criminal Defense Attorneys, told CMSWire, "It can be difficult for companies to juggle varying privacy laws from state to state. Different states can have vastly different laws, but compliance is still extremely important."

Data privacy laws impact more than just regulatory compliance—they can also have a detrimental effect on personalization and the customer experience. AI-driven personalization is under increasing scrutiny due to tighter data collection regulations. Businesses must adapt by using ethical AI practices, ensuring transparency and collecting only the minimum necessary data to maintain consumer trust.

"As AI-driven personalization becomes a central pillar of modern marketing, businesses are facing growing scrutiny around how they collect, process and use consumer data,” said Watson. “New privacy restrictions, such as those limiting targeted advertising and data collection, require companies to consider how they leverage AI without overstepping.” 

Core Questions About Data Privacy and Consumer Trust

Editor's note: Key questions surrounding evolving data privacy laws and their impact on businesses and consumer trust.

Why is data privacy a critical factor in consumer trust?

Recent studies show that 83% of consumers prioritize data protection when engaging with brands, and 67% have actively reviewed their privacy settings, highlighting growing awareness and concern.

How are global data privacy laws shaping business strategies?

With 144 countries enacting privacy legislation, businesses must navigate a complex regulatory landscape, ensuring compliance while maintaining customer experience and operational efficiency.

What impact do the Digital Services Act (DSA) and Digital Markets Act (DMA) have on global businesses?

These EU regulations introduce stricter content moderation, transparency in digital advertising, and anti-competitive measures, forcing global businesses to align with new standards.

Why has the U.S. failed to implement a comprehensive federal privacy law?

The American Data Privacy Protection Act (ADPPA) remains stalled, leaving businesses to manage an inconsistent patchwork of state privacy laws, increasing compliance complexity and costs.

What challenges do businesses face with new state-level privacy laws?

With states like Delaware, Iowa, Nebraska and others enacting new regulations in 2025, businesses operating across multiple jurisdictions must develop adaptive compliance strategies to avoid legal risks.

How does AI-driven personalization intersect with evolving privacy laws?

New privacy restrictions limit data collection for AI-driven personalization, requiring companies to adopt ethical AI practices and transparent data usage policies to maintain consumer trust.

What steps should businesses take to future-proof their privacy strategies?

Companies must proactively align with GDPR-level protections, implement robust data governance frameworks, and stay ahead of emerging regulations to ensure long-term compliance and customer confidence.