As federal privacy legislation continues to stall in Congress, one truth is becoming increasingly clear for businesses: the states aren’t waiting. Across the United States, legislatures are actively shaping the rules around consumer privacy, biometric data, AI systems, and digital likeness rights. For companies operating nationally, or globally, the result is a patchwork of laws, regulations, and enforcement regimes that can be as daunting as it is dynamic.
The state-level surge
Jurisdictions like California, Virginia, Colorado, and Utah have already laid the groundwork with comprehensive consumer-privacy laws, from California’s CCPA (as amended by the CPRA) to the Virginia, Colorado, and Utah consumer-privacy acts. But in 2025, the legislative spotlight has shifted to AI-specific issues: deepfakes, chatbots, algorithmic decision-making, and digital-avatar rights are now under scrutiny. Several states are also exploring the frontier of biometric and neuro-data, along with children’s rights in metaverse and digital-twin contexts.
What’s striking is the pace and breadth of activity. Where once privacy law focused on “data at rest,” today the conversation is about “data in action”: how AI systems collect, interpret, and act on personal information. With federal legislation still in flux, states are stepping in, leaving companies to navigate a maze of overlapping and sometimes conflicting rules.
Implications for companies
For firms operating across multiple states, compliance is no longer a checkbox exercise. Each jurisdiction may define sensitive data differently, set unique thresholds for risk assessments, or grant distinct consumer rights. Companies must decide whether to build systems compliant with the strictest state laws, or develop modular platforms capable of adapting to each regime.
Operational risk is real. A company that believes it is compliant in one state could find itself in violation elsewhere the moment a new AI disclosure requirement or biometric rule comes into force. Pre-emption adds another layer of uncertainty: some states bar local regulation, while others leave room for it. The message is clear: state, and sometimes municipal, laws require constant monitoring.
Yet amid complexity lies opportunity. Firms that invest early in “privacy-by-design” architectures and multi-jurisdictional readiness may gain a competitive edge. Agility in compliance can become a selling point, demonstrating trustworthiness to consumers and regulators alike.
Lessons for global players
For non-US companies, the United States is not a single compliance zone but a mosaic of mini-jurisdictions. Successful navigation demands a collaborative approach: regulatory affairs, legal counsel, and privacy teams must track state legislation as rigorously as federal proposals. Platforms for data processing should be adaptable, ready for Virginia’s updates tomorrow and California’s amendments next year. Monitoring enforcement trends is equally important: civil penalties or private-right-of-action lawsuits in one state often presage similar scrutiny elsewhere.
Looking ahead
The question is not whether federal privacy law will eventually emerge, but how states will respond when it does. Will they scale back, harmonizing rules nationwide? Or double down, competing to set higher standards? For companies and privacy professionals, this uncertainty underscores the need for foresight, planning, and operational flexibility.
This patchwork is less glamorous than a new AI launch, yet its implications are profound. Firms that assume their federal compliance efforts are sufficient are stepping onto a complicated, evolving landscape. The state-level frontier of AI and privacy regulation in the U.S. demands attention, strategy, and above all, agility.