145 AI Laws Passed in 2025 as Privacy Teams Face Growing Compliance Burden
State legislatures enacted 145 AI-related laws in 2025, with more than 1,000 additional bills introduced or revised, according to DataGrail's Privacy and AI Trends Report 2026. The surge in regulation is outpacing the capacity of privacy teams to manage it.
For a medium-sized company receiving 5 million annual website visitors, manually handling data subject requests costs an average of $1.5 million per year. Data subject request volumes have climbed for five consecutive years, stretching organizational resources thin.
Shadow AI Creates Hidden Exposure
Of 2,400 business software providers advertising AI capabilities, 63.6% did not disclose third-party AI subprocessors in their legal documentation. This gap leaves organizations exposed to shadow AI risks they may not know exist.
DataGrail found that 32.8% of AI systems participate in at least one high-risk activity, including processing sensitive data and making automated decisions. The flexibility of AI applications makes it difficult to anticipate which use cases will create compliance problems.
Opt-Out Compliance Remains Weak
California reported consent management settlements totaling $4.3 million in 2025, excluding non-public settlements. Investigations into tracking pixels and session replay software generated more than 1,400 class action lawsuits the same year.
Despite legal requirements in more than 10 U.S. states to honor universal opt-out mechanisms like Global Privacy Control, 63% of websites fail to do so. Regulators are treating a user's failure to interact with a cookie banner as invalid consent for tracking, and enforcement actions are increasing.
Data Broker Deletion Requests Spike
Deletion requests to data brokers rose 398% in 2025 compared to 2024, averaging more than 2,000 per month. Since 2021, deletion requests have increased 567%.
Industries handling health, financial, and location data received the highest volume of data subject requests. Professional services firms received 4.6 times more access requests than average organizations.
California's Risk Assessment Mandate
Beginning this year, California requires organizations to conduct privacy risk assessments and submit results for annual audits starting in April 2028. Each review must be personally attested to by a company executive under penalty of perjury.
The requirement applies to any processing activity that may pose privacy risks, with AI initiatives requiring particular attention. In 2025, 42% of companies abandoned AI projects, citing data privacy concerns as a leading factor.
Privacy teams have reported headcount reductions of up to 33% while managing expanding compliance obligations. Organizations are planning to use AI to support privacy-related tasks as a response to resource constraints.
For managers overseeing compliance, privacy, or AI initiatives, understanding these trends is essential. Learn more about AI for Management and AI for Legal to address these challenges.
Your membership also unlocks:
