With federal privacy legislation that could set a uniform national standard stalled in Congress, attorneys say retailers face a “patchwork” of nearly a dozen state privacy laws set to take effect over the next year.
“We still do not have an overarching federal privacy law,” Julia Tama, co-chair of the privacy and data security practice at Venable, said. “And in the absence of that federal privacy law, while Congress continues to debate whether they’ll pass one, we’re seeing the states continuing to pass their own privacy laws at a pretty rapid clip.”
Explore the health of American consumers and the retail industry with leaders from major retail brands, prominent economists and consumer experts. Learn more and register to join.
“There’s good news and bad news when we think about what companies are supposed to do with this patchwork of laws that’s coming into effect. The good news is, there really are still a lot of similarities,” Tama said. “The bad news, of course, is they’re not identical and there are numerous differences.”
Tama spoke at this year’s NRF Retail Law Summit, which was held March 4-6. In other sessions, an attorney from Marsh McClennan said retailers should settle more claims before they turn into lawsuits; attorneys from Skadden warned that securities litigation is on the rise; and the head of the Consumer Product Safety Commission said the end of exemptions from tariffs and inspection for small purchases from China will make safety enforcement easier.
New state privacy laws have already taken effect this year in Delaware, Iowa, Nebraska, New Hampshire and New Jersey, with additional measures set to come in July in Tennessee and Minnesota followed by Maryland in October and then Indiana, Kentucky and Rhode Island in January 2026. Starting with California half a dozen years ago, more than 20 states have enacted broad “omnibus” privacy laws while others have passed narrower measures on issues such as health data, children and social media.
Tama said the majority of the measures are centered on consumer rights and focus on providing notice to consumers, giving consumers the right to access, correct or delete data, or to opt out of practices involving sales or targeted advertising. Many also place restrictions on the processing of sensitive data, often requiring consent or an opt-out option. But details vary from state to state, and even definitions and terminology can be different.
“Not all states have the same roster of consumer rights,” she said. “And they don’t always have the same exceptions or safe harbor.”
Emma Blaser, a partner in the privacy and data security practice at Venable who joined Tama in presenting a detailed overview of each of the new laws, said the message for retailers is clear: “Privacy regulations … are rapidly evolving, and retailers need to stay ahead of the key developments.”
At the federal level, the Federal Trade Commission has brought hundreds of private and data security cases in recent years — even without an overall federal privacy law — but that could be about to change.
President Donald Trump has chosen commission member Andrew Ferguson, who dissented from many of the decisions on the grounds that he believed they exceeded the FTC’s authority, as the body’s new chairman. Given the shift in administrations and the choice of Ferguson, “They’ll still be enforcing privacy laws, but the approach may be less aggressive than in prior years, more with a focus on clear statutory authority rather than novel privacy enforcement,” Blaser said.
Selling precise location data, privacy issues involving children, and enforcement of recent regulations prohibiting fake reviews by people who don’t have actual experience with a product or service are expected to be among FTC priorities, she said.