2025 was a pivotal year for privacy and cybersecurity compliance. While expectations were high for sweeping legislative changes, the reality was more nuanced. Here’s a quick look back at what happened—and what legal professionals should prepare for in 2026 and beyond.
Comprehensive state privacy legislation
State-level privacy laws have been a cornerstone of U.S. data protection since the California Consumer Privacy Act (CCPA) set the standard in 2020. Businesses have faced mounting compliance challenges as more states adopted similar frameworks. So, what happened in 2025?
Looking back:
Despite 13 states introducing privacy bills, none passed new comprehensive legislation. Political disagreements, competing priorities like AI regulation, and resistance from both business groups and privacy advocates contributed to this pause. Still, compliance work continued as states amended existing laws—Connecticut expanded sensitive data definitions, California finalized rules on automated decision-making and cybersecurity audits, and New Jersey proposed regulations designed to clarify its privacy law.
A look ahead:
By January 2026, 20 states will have comprehensive privacy laws in effect. Expect stalled bills to resurface in 2026 sessions, and while a federal standard remains unlikely in the near term, states will keep pushing to fill the gap. Businesses should prepare for ongoing amendments and enforcement activity, making proactive compliance planning essential.
Children’s online safety
Protecting children online remains one of the most pressing issues in digital policy. With growing concerns about social media, data collection, and age verification, lawmakers have sought to strengthen safeguards—but progress has been uneven.
Looking back:
Children’s privacy dominated discussions at both federal and state levels. Proposals like COPPA 2.0 and the Kids Online Safety Act gained attention but stalled amid partisan disagreements and concerns over state preemption. Legal challenges to age verification laws in states like California and Maryland added uncertainty.
A look ahead:
Expect renewed efforts in Congress during the next session and clarity from court rulings on age verification laws. If those laws are upheld, enforcement could ramp up quickly, so businesses should monitor developments and be ready to adapt policies for children’s online safety.
EU Digital Omnibus Regulation
Across the Atlantic, the European Union continues to shape global privacy standards. The GDPR has long been considered the gold standard, but recent proposals signal a shift toward balancing innovation with compliance.
Looking back:
The EU introduced its Digital Omnibus package, proposing targeted amendments to GDPR and related regulations. Changes aim to simplify compliance, enable AI innovation, and streamline breach reporting. While industry groups welcomed the move, privacy advocates warned of weakened protections.
A look ahead:
The legislative process will extend into 2026, with implementation likely starting in late 2027. Organizations should track these changes closely, conduct gap analyses, and plan for harmonized reporting requirements.
Why staying ahead matters for privacy compliance
With evolving laws on data protection, children’s online safety, and global privacy frameworks, legal professionals face increasing complexity. Non-compliance can lead to significant penalties, reputational damage, and operational risk. Staying informed is no longer optional—it’s a strategic necessity.
How VitalLaw® helps you stay ahead
In a rapidly changing regulatory environment, VitalLaw is your trusted partner for privacy compliance and cybersecurity risk management. With the latest in legislative changes, expert analysis, and practical guidance, VitalLaw helps you:
- Monitor emerging privacy laws and amendments across jurisdictions.
- Access briefings and editorial insights on critical topics like children’s privacy and GDPR changes.
- Plan compliance strategies with resources tailored to evolving requirements.
- Stay proactive on cybersecurity audits and risk assessments with actionable insights.
As privacy and cybersecurity laws continue to shift, VitalLaw ensures you’re prepared—not just for today, but for what’s next.