
Online Privacy is Improving in Many States but Still Needs Help from the Federal Government


Posted by Robert Ackerman

Omnipresent and multi-faceted, online privacy can easily seem futile at times, but it nevertheless requires maximum attention because it's crucial for individuals, society, and a healthy democracy. At its core, privacy is the right to be left alone and to have control over one's personal life and information, and nobody is comfortable without it.

So what is its status today? It's a convoluted affair. We have to embrace two sides of the same coin to grasp the broad picture. The conclusion is that there have been markedly more positive developments recently than in the past, but the state of privacy still needs to improve further.

On the bright side are states such as Maryland, which just this month introduced The Maryland Online Data Privacy Act, a highly significant piece of legislation that sets a new and, in many ways, more stringent standard for consumer privacy laws. It meaningfully limits personal data collection and abuse, breaking the trend of passing weak, industry-backed laws.

Specifically, consumers have a right to know what personal data a company has about them, correct inaccuracies, and ask a company to delete a user's data. A user can also tell companies to stop selling their personal data or using it for targeted advertising. And personal data controllers must limit the collection of personal data to what is reasonably necessary and proportionate to provide a specific product or service requested by the consumer.

In addition, the collection, processing or sharing of sensitive data in Maryland is now prohibited unless it is strictly necessary to provide or maintain a specific product or service requested by the consumer, a tougher stance than most other state laws. 

Other states that have made notable improvements this year include California, which is moving into legislation that would require all third-party data brokers to delete all of their personal information. Consumers currently have to identify and submit deletion requests to at least scores of individual data brokers -- an extremely time-consuming process. The Golden State, now often considered to have the most comprehensive consumer protection laws, is also the only state with a dedicated privacy protection agency -- the California Privacy Protection Agency.

Other states that have made meaningful improvements this year include Kentucky, Oregon, Colorado, Iowa, and Tennessee.

Let's turn to the negative side. The Federal Trade Commission (FTC) has continued to take action against major technology companies regarding privacy. Companies themselves have claimed to make improvements, although the overall status of privacy controls remains a point of contention and ongoing action. This is the case with Meta and its subsidiaries, Amazon, and X (formerly Twitter). In particular, it's notable that this occurs in the case of Meta, which paid a $5 billion privacy settlement and consent order a few years ago.

In the case of Meta, the FTC has alleged that the company has failed to fully comply with the settlement, including misleading parents about their children's controls and other data-sharing issues. Meanwhile, the FTC has charged Amazon with knowingly duping millions of consumers into unknowingly enrolling in Amazon Prime for years because of intentional complications in the cancellation process. This was settled for $2.5 billion just last month and appears to be finally resolved on this particular issue.

In the case of X and other companies, meanwhile, the FTC has asserted that X and other social media and video streaming operations maintain a vast surveillance apparatus with "woefully inadequate" data management policies.

Overall, victimization remains extremely common today, and the overall trend shows a significant increase in the severity, volume, and cost of these attacks over the long term. A majority of Americans have either been directly victimized or have had their data compromised in a major breach. The latter is almost as important as the former because attacks are often the first step in privacy issues.

The explosion of AI is generally seen as a minus for consumer privacy, as it significantly magnifies existing risks related to data collection, use and security. While AI offers many benefits, the technology's heavy reliance on vast amounts of personal data creates new and complex challenges for keeping that data private.

AI systems, especially large language models, require and consume enormous volumes of data -- including personal and sensitive information -- from a sizable array of sources. This ubiquitous and continuous data collection significantly increases the risk profile for consumers. Another issue is data repurposing without consent. Data collected for one specific purpose can be repurposed without a user's knowledge or explicit consent to train other systems -- a common privacy violation in the AI era.

In addition, AI's advanced analytical capabilities can infer highly sensitive personal information, such as health status or sexual orientation, from seemingly harmless data points, a process known as "predictive harm." The resulting detailed profiles can be used to manipulate or discriminate against individuals.

Ultimately, numbers tell the story best. According to the Pew Research Center, 73% of US adults have experienced some kind of online scam or attack, and 64% have experienced a major data breach. In addition, the FBI's Internet Crime Complaint Center received reports of cybercrime and online scams from well over 859,000 customers in 2024. This is a bit less than the previous year, but the resulting losses were $16.6 billion, a 33% increase over 2023.

How to help resolve all this? The single most impactful effort the US could take to improve online privacy is passing a comprehensive federal data privacy law. This would replace the current patchwork of inconsistent state laws with a uniform national standard. As it stands now, the absence of a federal mandate leaves many Americans unprotected and creates legal uncertainty for business.

Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber Capital, & Co-Founder, cyber startup foundry DataTribe

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSAC™ Conference, or any other co-sponsors. RSAC Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

