By late 2025, roughly two dozen states had enacted comprehensive consumer privacy laws, and a fresh wave took effect during the year, deepening a compliance environment that businesses increasingly describe as unmanageable. The statutes share a common vocabulary, consumer rights to access, delete, correct, and opt out, obligations around sensitive data, and duties on entities that sell or share personal information, but they diverge in thresholds, definitions, exemptions, cure periods, and enforcement. In the continued absence of a federal comprehensive privacy law, this state-led patchwork has become the de facto national framework, assembled without a central architect.
The interstate-compliance problem is the practical consequence. A company operating nationwide must reconcile overlapping and sometimes conflicting obligations, calibrating disclosures, data-subject-request workflows, and vendor contracts to the strictest common denominator or maintaining a costly state-by-state matrix. Smaller firms face the sharpest burden, lacking the legal capacity to track a moving target across dozens of jurisdictions, each with its own regulator and its own theory of enforcement.
A framework without an architect
A Council on Foreign Relations report argued that fragmented subnational regulation of a borderless data economy produces both compliance drag and uneven consumer protection, strengthening the long-running case for federal preemption paired with a baseline standard. In a Lawfare analysis, observers have noted that the state laws are functioning as policy laboratories, generating innovations, particularly around sensitive data and automated decision-making, that a future federal statute may draw on, even as the interim costs mount. An Atlantic Council commentary noted that inconsistent privacy regimes complicate not only commerce but also cross-border data governance and the United States' posture in international data-flow negotiations.
The deeper tension is between the virtues of experimentation and the costs of fragmentation. State laboratories can surface better rules, but a data economy indifferent to state lines pays a real price for the resulting incoherence, and consumers receive protection that varies by ZIP code.
The Journal has long tracked the substantive standards now migrating across these statutes. Volume 7, Issue 1's "The Standard for Biometric Data Protection" examines how a category of sensitive data, central to many of the newest state laws, should be governed, while Volume 8, Issue 1's "Medical Big Data in Japan" offers a comparative lens on data-governance regimes that reward close study as U.S. states experiment. Their analysis of how to define and protect sensitive information speaks directly to the fault lines dividing today's state laws.
As the patchwork hardens, the enduring point is that coherent data protection depends on coherent standards, whatever the level of government that sets them. For that foundational treatment of sensitive-data governance, we point readers to JLCW Volume 7, Issue 1.
– JLCW Research Desk