We’ve now closed the books on 2025, so it’s time to review what happened in privacy law over the past year. At first glance, it seems like a quiet year (no new state consumer privacy laws) but quite a lot happened. Many smaller things, but they really add up.
Here’s a bird’s eye overview:
1. There were no new state consumer privacy laws.
The year 2025 was a surprising hiatus from states passing consumer privacy laws. Since 2018, about 20 states have passed such laws. 2023 and 2024 were big years, so it’s odd that 2025 went totally quiet.
Calm before the storm?
2. This was a year of revisions, rulemaking, and enforcement of existing state consumer privacy laws.
Enforcement kicked in for many state consumer privacy laws. Many states revised their laws—at least 9. None of these things captured big headlines, but there was a lot of activity.
Generally, changes included:
- Expanding the scope of applicability
- Expanded categories of sensitive data (such as adding neural data — see below)
- Stronger protections for children’s data
Also notable: Connecticut expanded its opt out from automated decisions from those that are “solely” automated to even partially automated decisions that produce significant effects on consumers.
There were also big rulemakings for California and Colorado.
3. Neural privacy went to front-of-mind.
Policymakers began thinking about neural privacy. The trend began in 2024, when Colorado added “neural data” as a category of sensitive data. In 2025, California and Connecticut added neural data as a form of sensitive data. Montana amended its Genetic Information Privacy Act to include “neurotechnology data.”
In the fall of 2025, Senators Schumer, Cantwell, and Markey introduced a bill to protect mental privacy called the MIND Act. It’s a fairly weak law, directing the FTC to study the issue then recommend something. Given Trump’s firing of the two Democratic FTC commissioners, I’m not sure looking to the FTC for balanced regulatory wisdom is quite the right move at the moment.
The big question is what “neural data” is. Most of the laws focus on data generated by measuring activity of a person’s nervous system. But this is too narrow. I presume the goal of protecting neural data is protecting privacy of the mind, but far more types of data can give rise to revealing inferences of one’s mental activity. In, Data Is What Data Does: Regulating Based on Harm and Risk Instead of Sensitive Data, I wrote about how sensitive data about people’s psychology, thoughts, and emotions can be inferred from types of non-sensitive data.
It’s what Professor Nita Farahany calls “cognitive liberty,” and it encompasses freedom of the mind. Nita wrote a great book called The Battle for Your Brain and I’ll be having a live online discussion with her on Wed, Jan 21, 2026 at 2 PM ET.
4. Children’s privacy continued to grow.
Activity on children’s privacy continued to grow, as it has been the past few years. This post has a great overview of the developments in 2025.
In Free Speech Coalition, Inc. v. Paxton (2025), the U.S. Supreme Court had upheld Texas’s age gating statute (HB 1181). The Court’s reasoning departs from its existing precedent with rather inscrutable reasoning—perhaps the shadow docket cases without any reasoning at all are better?
5. The Trump effect spread like a virus.
In 2025, Congress considered a federal 10-year ban on state AI laws, a stupid idea (and also crafted in a stupid way), and it was overwhelmingly voted down in Congress.
The Trump Administration pushed a deregulatory agenda, and it seemed to spread like a second Covid pandemic. The EU even started to talk about easing its regulation in the hope that somehow this would bring AI.
Et tu EU?
Unfortunately, the EU might be falling for the delusion that rolling back tech regulation will result in AI suddenly sprouting from its soil. It’s magical thinking that taking a few whacks at the GDPR and AI Act will somehow conjure up AI. I see it as more akin to pulling out your teeth with pliers in the hope the tooth fairy will slip AI under your pillow.
Late in 2025, President Trump issued an Executive Order attempting to deter states from passing AI laws. He lacks the power to ban state lawmaking, so the EO is best understood as a threat that could chill such lawmaking. There’s some good background about the EO here.
6. We witnessed a massive authoritarian data grab and surveillance increase.
From DOGE to ICE, we saw unprecedented authoritarian data collection. It’s still unclear just how much data DOGE got or what happened to it or how it is being used. I believe it qualifies as the greatest data breach in history.
For more of my thoughts on the issue, please read my article Privacy in Authoritarian Times: Surveillance Capitalism and Government Surveillance, 67 B.C. Law Review __ (forthcoming 2026).
7. AI dominated everything.
It was impossible to escape AI last year. I can’t even begin to discuss all the developments.
A few highlights include
- The federal TAKE IT DOWN Act, which criminalizes the non-consensual distribution of intimate digital imagery, including AI-generated deepfakes and also requires the removal of such imagery from platforms.
- California’s Transparency in Frontier Artificial Intelligence Act (SB-53), which requires disclosure of risk assessments and safety documentation from AI companies.
- More than 1,000 AI-related laws were introduced at the state level
- Several states added protections against certain AI uses, such as CO, TX, and NY.
8. The CPO and DPO roles expanded.
Based on my anecdotal assessment, the CPO and DPO roles seem to have expanded to encompass AI. Unfortunately, despite the growing number of laws and issues CPOs and DPOs face, I don’t see big budget increases, team expansions, or salary increases.
So, now on to 2026 . . .
* * * *
Professor Daniel J. Solove is a law professor at George Washington University Law School. Through his company, TeachPrivacy, he has created the largest library of computer-based privacy and data security training, with more than 180 courses.
Subscribe to Solove’s Free Substack
A supplement to Solove’s regular newsletter with more in-depth discussions
