For decades, the United States has operated without a comprehensive federal privacy law, leaving Americans’ personal data governed by an inconsistent and often contradictory web of state-level regulations. While the European Union enacted the General Data Protection Regulation (GDPR) in 2018, setting a global standard for data protection, the U.S. has remained stubbornly fragmented — a reality that affects every consumer, every tech company, and every advertiser operating within its borders.
As The Verge has extensively documented, the American approach to privacy regulation is defined less by coherent policy than by a series of reactive measures, industry lobbying campaigns, and partisan disagreements that have stalled meaningful federal action for years. The result is a country where your privacy rights depend heavily on your zip code — a Californian enjoys significantly more data protections than a resident of Mississippi or Alabama.
The State-by-State Experiment That Wasn’t Supposed to Be Permanent
California’s Consumer Privacy Act (CCPA), signed into law in 2018 and later strengthened by the California Privacy Rights Act (CPRA) in 2020, was supposed to be a catalyst for federal action. The logic was straightforward: once the nation’s largest state economy imposed strict data protection requirements on businesses, Congress would be forced to act, either to harmonize the rules or to preempt them with a national standard. Neither has happened.
Instead, a growing number of states have followed California’s lead, each crafting its own version of a privacy law with varying degrees of consumer protection. Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and more than a dozen other states have now enacted their own privacy statutes. According to the International Association of Privacy Professionals (IAPP), at least 18 states had comprehensive privacy laws on the books by early 2025, with several more considering legislation. The patchwork continues to expand, and businesses — particularly small and mid-sized ones — are struggling to comply with a growing list of overlapping and sometimes contradictory requirements.
What Congress Keeps Getting Wrong
The closest the federal government came to passing a comprehensive privacy bill was the American Data Privacy and Protection Act (ADPPA), which advanced through the House Energy and Commerce Committee in 2022 with rare bipartisan support. The bill would have established national standards for data collection, given consumers the right to access and delete their information, and created a private right of action allowing individuals to sue companies for violations. But it died before reaching a full House vote, killed by a combination of industry opposition and disagreements over federal preemption of state laws.
California’s congressional delegation, led in part by then-Speaker Nancy Pelosi, objected to provisions that would have overridden the state’s stronger protections. Business groups, meanwhile, pushed for broad preemption precisely because they wanted a single, potentially weaker, national standard to replace the growing number of state laws. This tension — between states that want to protect their own, often more aggressive, regulations and industries that want uniformity — has been the central obstacle to federal privacy legislation for years. As The Verge has reported, this dynamic shows no sign of resolving itself in the current congressional session.
The Industry Lobbying Machine and Its Preferred Outcome
Major technology companies and advertising trade groups have spent hundreds of millions of dollars lobbying on privacy-related legislation over the past decade. Their preferred outcome is not necessarily the absence of regulation — many large companies have publicly called for a federal privacy law — but rather a law that preempts state regulations and avoids a private right of action. The distinction matters enormously. A federal law without private enforcement would leave oversight almost entirely in the hands of the Federal Trade Commission (FTC), an agency that has historically been underfunded and slow to act on data privacy violations.
The FTC, for its part, has attempted to fill the regulatory vacuum. Under Chair Lina Khan, the agency pursued several high-profile enforcement actions against companies accused of mishandling consumer data, including cases against data brokers and health-related apps that shared sensitive information without consent. But the FTC’s authority is limited — it can pursue companies for “unfair or deceptive” practices under Section 5 of the FTC Act, but it lacks the kind of specific, comprehensive mandate that a dedicated privacy law would provide. With the change in administration in 2025 and new leadership at the FTC, the agency’s enforcement posture on privacy has become a subject of intense speculation among industry observers.
Children’s Privacy: The One Area Where Congress Might Actually Act
If there is one area of privacy law where bipartisan momentum exists, it is the protection of children online. The Children’s Online Privacy Protection Act (COPPA), originally passed in 1998, has long been considered outdated, covering only children under 13 and failing to address the realities of modern social media platforms. In 2024, the Senate passed the Kids Online Safety Act (KOSA) with overwhelming bipartisan support, though the bill stalled in the House amid concerns from civil liberties groups that its provisions could be used to censor content rather than protect children.
Renewed efforts to pass children’s privacy legislation have continued into 2025, with multiple bills circulating in both chambers. The political appeal is obvious — protecting children from online harms is one of the few issues that unites Democrats and Republicans — but the legislative details remain contentious. Questions about age verification, platform liability, and the scope of parental controls have proven difficult to resolve. Still, children’s privacy remains the most likely area for federal action in the near term, even as broader consumer privacy legislation remains stalled.
The Real-World Cost of Regulatory Fragmentation
For businesses, the absence of a federal standard imposes real and growing costs. Companies operating nationally must track and comply with an expanding list of state laws, each with its own definitions, exemptions, consent requirements, and enforcement mechanisms. A company that collects consumer data in all 50 states may need to maintain different consent flows, different opt-out mechanisms, and different data retention policies depending on where each user resides. Compliance teams have expanded dramatically, and the legal costs associated with monitoring and adapting to new state laws are substantial.
For consumers, the costs are less visible but no less significant. The patchwork system means that data brokers, advertisers, and technology platforms can often exploit gaps between state laws, routing data through jurisdictions with weaker protections. Consumers in states without comprehensive privacy laws have few tools to control how their information is collected, shared, or sold. Even in states with strong laws, enforcement remains inconsistent — state attorneys general have limited resources, and the sheer volume of potential violations far outstrips their capacity to investigate and prosecute.
How the Rest of the World Has Moved Ahead
The U.S. stands increasingly alone among major democracies in its failure to enact comprehensive privacy legislation. The European Union’s GDPR has become a de facto global standard, influencing privacy laws in Brazil, Japan, South Korea, India, and dozens of other countries. Canada is in the process of modernizing its own federal privacy law, and the United Kingdom has maintained strong data protection standards even after Brexit. The absence of a comparable U.S. framework has created friction in international data transfers and trade negotiations, and has led the EU to question the adequacy of American data protection on multiple occasions.
The transatlantic Data Privacy Framework, negotiated between the Biden administration and the European Commission, was designed to address some of these concerns by providing a legal basis for transferring personal data from the EU to the U.S. But the framework has faced legal challenges and skepticism from European privacy advocates, who argue that U.S. surveillance laws and the lack of a comprehensive privacy statute make it impossible to guarantee adequate protection for European citizens’ data. The durability of this arrangement under the current administration remains uncertain, adding another layer of complexity to an already fraught situation.
What Comes Next — And Why It Matters More Than Ever
The proliferation of artificial intelligence tools, large language models trained on vast datasets of personal information, and increasingly sophisticated advertising technology has made the privacy question more urgent than at any point in the past two decades. AI systems that ingest and process personal data at scale raise questions that existing state laws were not designed to answer: Who owns the data used to train a model? What rights do individuals have over AI-generated inferences about their behavior, health, or preferences? Can a consumer meaningfully opt out of data collection when their information has already been absorbed into a training dataset?
These are not hypothetical questions. They are being litigated, debated, and lobbied over right now, in statehouses and courtrooms across the country. As The Verge has noted, the stakes of getting privacy law right — or continuing to get it wrong — have never been higher. The absence of a federal framework means that the answers will continue to emerge unevenly, shaped more by political geography and industry influence than by any coherent vision of what privacy should mean in America. Until Congress finds the will to act, the patchwork will only grow more tangled, and the gap between American data protection and the rest of the world will only widen.