ARTICLE
14 October 2025

2025 Brought Us Eight US "Comprehensive" Privacy Laws, What's Next?

SM
Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin Richter & Hampton logo
Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.
Explore Firm Details
For those keeping track of the growing list of US state "comprehensive" privacy laws, you know that the Maryland law (the Maryland Online Data Privacy Act or MODPA) went into effect on October 1st.
United States Maryland Privacy
Dave Thomas and Kathryn Smith
Your Author LinkedIn Connections
Dave Thomas’s articles from Sheppard Mullin Richter & Hampton are most popular:
  • within Privacy topic(s)
  • with readers working within the Retail & Leisure industries
Sheppard Mullin Richter & Hampton are most popular:
  • within Energy and Natural Resources topic(s)

For those keeping track of the growing list of US state "comprehensive" privacy laws, you know that the Maryland law (the Maryland Online Data Privacy Act or MODPA) went into effect on October 1st. This rounds us out for US state privacy laws in 2025, bringing the total to 17 (or 16, if you discount Florida). Next up will be Indiana, Kentucky, and Rhode Island (all on January 1, 2026).

While we have provided extensive information about these laws as they were passed, including this post and our online state law tracker, it's worth keeping in mind a few practical steps, especially as we wait for our next round, and undoubtably ongoing changes to the existing laws.

  1. Have a regular cadence for reviewing your privacy policy. States -like Maryland- have specific content requirements. There is also exposure under deceptive trade practice laws if the policies are incorrect.
  2. Review how and when you will provide "rights" like access and correction. Will the fact that a growing number of jurisdictions provide these rights tip you into the realm of offering them to all individuals?
  3. Review your collection and storage practices. How are you addressing data minimization requirements, like those in Maryland? What about your treatment of sensitive information and your data sales practices? Are you meeting the growing patchwork of obligations that apply to digital targeting? What about the complex matrix of obligations for collection and use of children's information?

Maryland -and other states- have attempted to reduce risk for businesses by creating cure periods (in Maryland the cure period is 60 days, but that sunsets on April 1, 2027) and not providing private rights of action. However, not all privacy risks in the US stem from these comprehensive state laws. And those laws do not necessarily have cure periods, and may also provide for private rights of action. The steps above may thus help in the face of this complex state patchwork.

Putting it into Practice: October for many entities is the height of planning for the coming year. The growth of the US privacy law patchwork does not seem to be slowing down, and putting in place methods for addressing privacy notice, choice, and other data practices is a good thing to have on the schedule for 2026.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Dave Thomas
Dave Thomas
Photo of Kathryn Smith
Kathryn Smith
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More