Priorities Podcast: "Privacy Enforcement Really Woke Up" in 2025
Host: Keely Quindlen (StateScoop)
Guests: Coben Zweigfelken (Managing Director, IAPP), David Bolero (Weston Fellow, IAPP)
Date: January 7, 2026
Episode Overview
This episode explores the dynamic landscape of state-level data privacy legislation and enforcement in 2025, as well as previewing what’s to come in 2026. Host Keely Quindlen speaks with IAPP privacy experts Coben Zweigfelken and David Bolero, who break down the growing complexity of privacy law amendments, analyze significant enforcement trends, and discuss the evolving regulatory environment—especially regarding children’s data, sensitive data categories, data brokers, automated decision-making, and regulatory challenges around artificial intelligence (AI).
Key Discussion Points & Insights
1. The State of Privacy Legislation in 2025
[02:47] David Bolero:
- Unlike previous years, 2025 did not see the passage of any entirely new comprehensive privacy laws at the state level; instead, it was the year of "bills coming online" and widespread amendments.
- Seven new state laws became effective in 2025 (Delaware, Iowa, Maryland, Minnesota, New Hampshire, New Jersey, Tennessee), marking the largest single-year expansion.
- Nine privacy laws were amended, often to strengthen protections for minors (Connecticut, Montana, Oregon), redefine categories of "sensitive data," or expand consumer rights.
- "Connecticut’s overhaul" is highlighted for:
  - Expanding the right to access, especially regarding automated decision-making technologies.
  - Broadening consumer rights.
- Quote [03:30]:
“2025...the year where bills came online as seven states had their bills come online ...and the year of amendments, nine privacy bills were amended... expanding their rights—with Utah introducing... the right to correct...” — David Bolero
2. 2025: The Year Privacy Enforcement "Woke Up"
[04:40] Coben Zweigfelken:
- Enforcement took off: 2025 marked a shift from lawmaking to enforcement, with older state privacy laws now being actively applied.
- Overlap between consumer protection laws and privacy-specific laws is becoming more visible, as state attorneys general leverage both tools.
- Major enforcement cases:
  - Texas lawsuit against Arity (driving-related data, insurance sector)
  - Cases involving connected devices and children's data (e.g., Roku, Snap)
  - Increased scrutiny and lawsuits against data brokers, especially in California under the Delete Act
  - Consumer-facing websites saw enforcement around privacy compliance (California vs. Todd Snyder, Tractor Supply; Connecticut vs. Ticket Network)
- Funding is vital: States with dedicated privacy enforcement teams, like Texas, are “punching above their weight.”
- Quote [04:54]:
"It's the year that privacy enforcement really woke up in the states for these comprehensive consumer privacy laws." — Coben Zweigfelken
3. What’s Coming Online in 2026
[09:02] Coben Zweigfelken:
- Final group of previously-passed state laws (Indiana, Kentucky, Rhode Island) takes effect Jan 1, 2026, bringing all 19 state laws online.
- Unique features:
  - Indiana: Casinos (like riverboat casinos) are exempt—a notable carveout.
  - Kentucky & Indiana: Generally industry-friendly, in the mold of Utah/Virginia.
  - Rhode Island: Requires companies to list all third parties to whom data is sold or may be sold, setting a new disclosure standard.
- Amendments like Connecticut’s (notably significant), coming into force July 1, 2026.
4. Regulatory Developments to Watch
[12:08] David Bolero:
- New Jersey: Awaiting final privacy regulations (expected early 2026). Drafts resemble Colorado’s rules.
- California:
  - Launch of the DROP system for data broker registration and consumer opt-out, supported by a public awareness campaign.
  - Major regulatory focus on:
    - Automated decision-making technologies (ADMT)
    - Cybersecurity audits (with requirement for independent auditors and corrective action plans)
    - Risk assessments tied to these technologies, demanding transparency for consumers.
- Key standard: Silence or inaction by a consumer does not count as valid consent.
- Quote [13:54]:
“California is taking that little pro-consumer route of making it easier for the consumers to participate within their process of exercising their rights...” — David Bolero
5. Federal AI Executive Order and Implications
[16:32] Keely Quindlen, David Bolero, Coben Zweigfelken:
- Discussion on President Trump’s executive order concerning federal preemption of state AI laws.
- Uncertainty exists about whether federal actions will target state ADMT-related privacy laws and how “artificial intelligence” definitions might come into play.
- Regulations around ADMT (automated decision-making technology) in California and other states could face future Department of Justice scrutiny.
- Quote [17:33]:
“Many companies might raise this as, hey, the definition is broad enough that AI might be covered through it… this is something that's going to end up in the courts.” — David Bolero
6. 2026 Enforcement and Policy Trends
[20:05] Coben Zweigfelken:
- Anticipated continuity in enforcement focus:
  - Connected devices
  - Children’s data (new kids’ privacy laws aren't discussed in depth but will remain front and center)
  - Data related to vehicles and location (“driving-related data”)
- Emerging focus: AI chatbots and their impact on children, with Texas already initiating investigations.
- Variable pricing based on personal data is discussed as a legislative and enforcement focus.
- Enforcement activity closely tied to state resources and team size: California, Connecticut, Texas, and the upcoming Minnesota team are called out.
- Quote [21:20]:
“Enforcers...we haven't heard any new big themes... we'll see connected devices still at the top of the agenda, children's data still up there... another thing...variable pricing seems to be getting a lot of policy attention...” — Coben Zweigfelken
7. Legislative Prospects for 2026
[23:54] David Bolero:
- States to watch for new comprehensive privacy laws:
  - Pennsylvania: Bipartisan bill, modeled on Virginia’s industry-friendly approach.
  - Massachusetts: Three bills (especially S.2619, which dropped private right of action to move forward).
  - Georgia & Oklahoma: Saw early-year activity—could return in 2026.
  - Vermont: Passed a strong bill in 2024 (vetoed but poised for reintroduction, still has private right of action).
- Federal legislation remains possible, with IAPP monitoring stakeholder demands.
- Quote [24:02]:
“...we are watching specifically at five states that have more possibilities...And the other thing that I'm looking to is the federal level. We do know...that a new bill might be introduced.” — David Bolero
Notable Quotes
- "2025... the year where bills came online as seven states had their bills come online...and the year of amendments, nine privacy bills were amended..." — David Bolero [03:30]
- "It's the year that privacy enforcement really woke up in the states for these comprehensive consumer privacy laws." — Coben Zweigfelken [04:54]
- "California is taking that little pro-consumer route of making it easier for the consumers to participate within their process of exercising their rights..." — David Bolero [13:54]
- "Many companies might raise this as, hey, the definition is broad enough that AI might be covered through it… this is something that's going to end up in the courts." — David Bolero [17:33]
- “Enforcers... we haven't heard any new big themes... we'll see connected devices still at the top of the agenda, children's data still up there... variable pricing seems to be getting a lot of policy attention...” — Coben Zweigfelken [21:20]
- "...we are watching specifically at five states that have more possibilities... And the other thing that I'm looking to is the federal level. We do know...that a new bill might be introduced." — David Bolero [24:02]
Timestamps for Key Segments
- 02:47 – 2025 legislative and amendment highlights (David Bolero)
- 04:40 – Enforcement trends and overlap with consumer protection (Coben Zweigfelken)
- 09:02 – What’s coming online: new laws & amendments in 2026 (Coben Zweigfelken)
- 12:08 – Forthcoming regulations in NJ and CA (David Bolero)
- 16:32 – Federal AI executive order and preemption risks (Group discussion)
- 20:05 – 2026 enforcement focuses: AI, kids’ data, variable pricing (Coben Zweigfelken)
- 23:54 – Legislative prospects for 2026 & key states to watch (David Bolero)
Takeaways
- 2025 was a landmark year for privacy laws taking effect and being amended, and marked the true beginning of large-scale enforcement at the state level.
- 2026 will see all 19 state privacy laws online, new regulatory requirements (especially in CA and NJ), and continued enforcement expansion—especially targeting kids’ data, data brokers, and fairness in pricing.
- Federal intervention on AI and privacy regulation creates new uncertainties, particularly affecting states with advanced ADMT regulation.
- Key states to watch in 2026: Pennsylvania, Massachusetts, Georgia, Oklahoma, Vermont, and ongoing federal discussions.
Insight for IT and Privacy Leaders:
The privacy regulatory landscape is expanding and shifting from drafting to enforcement. Organizations need to ensure not only compliance with technical requirements, but transparency in automated decision-making and data handling. State-specific nuances—especially in California—require extra attention, with regulatory clarity around data brokers, sensitive data, and consumer opt-outs continuing to evolve. Federal preemption and new legislative pushes could further reshape compliance obligations in the near future.
