Privacy and cybersecurity are incredibly dynamic, and in 2025 we have committed ourselves to a look ahead post every six months, with the next one in July 2025. The new Congress convened on January 3, 2025, and a new administration starts on January 20. Most state legislatures reconvene in early-to-mid January. If you track privacy and/or cybersecurity law developments, there could not be a more exciting, or consequential, time. With that said, during the first half of 2025 we anticipate the following trends:

  • There are 20 general state privacy laws, including the Florida Digital Bill of Rights, which has a $1 billion revenue threshold. General privacy laws in Delaware, Iowa, Nebraska, and New Hampshire went into effect on January 1, 2025, and the New Jersey Data Privacy Act goes into effect on January 15, 2025. Tennessee, Minnesota, and Maryland follow in the second half of the year. It’s quite possible that letters from state regulators will quickly follow, reminding companies to update the applicable state supplemental privacy notices or inquiring about updates to said notices. In addition, existing state data privacy laws and regulations continue to evolve. For example, the formal comment period on the changes to existing California Consumer Privacy Act (CCPA) regulations and proposed regulations for cybersecurity audits, risk assessments, and automated decision-making technology ends on January 14, 2025.
  • Federal legislative relief from the panoply of general state privacy laws, unfortunately, is not on the way. The American Privacy Rights Act of 2024 died on the vine, as did the American Data Privacy and Protection Act (2022). Both were comprehensive, bipartisan bills, but in each case preemption was the long pole in the tent.
  • In December, President-elect Donald Trump said that he would elevate current Commissioner Andrew Ferguson to chair of the Federal Trade Commission. In a Concurring and Dissenting Statement regarding Gravy Analytics/Venntel and Mobilewalla, which involve data brokers collecting and selling precise geolocation data, Ferguson made it clear that the FTC Act is not a comprehensive privacy law. He wrote: “Comprehensive privacy legislation involves difficult choices and expensive tradeoffs. Congress alone can make those choices and tradeoffs.” After the departure of current Chair Lina Khan, and the appointment of a new Republican commissioner, the focus of the FTC will likely shift, and it now seems unlikely that the 2022 Advance Notice on Proposed Rulemaking on Commercial Surveillance and Data Security will result in any new rules.
  • In the past few months, the California Privacy Protection Agency (CPPA) has announced its first settlements, with four data brokers who failed to register with the CPPA. California and Vermont require data broker registration this month, Texas within 90 days of the data broker’s initial registration, and Oregon by December 1, 2025.
  • CPPA released two advisory opinions. In April, it advised businesses on their application of data minimization in fulfilling consumer requests. Then, in September, it advised businesses on the importance of implementing user interfaces with symmetrical choices, using clear, easy-to-understand language in offering privacy choices. In both cases, CPPA underscores the necessity for businesses to operationalize consumer rights in a manner that complies with the CCPA.
  • Biometrics is another focus area, not only for the FTC, but also for state legislatures and regulators. For example, the biometric amendment to the Colorado Privacy Act (CPA) goes into effect on July 1, 2025, and while the CPA does not generally apply to employees, the biometric amendment does.
  • Through December 20, 2024, 575 security incidents involving unsecured protected health information affecting 500 or more individuals had been reported to Health and Human Services. Through the same date in 2023, 265 incidents had been reported. On December 27, 2024, the Office of Civil Rights at HHS issued a Notice of Proposed Rulemaking to modify the HIPAA Security Rule. In addition, healthcare cybersecurity legislation seems likely, if not almost certain, in 2025.
  • In Europe, the AI Act was enacted, marking the first significant regulation of AI. The AI Act establishes a risk-based framework categorizing AI systems by potential harm, imposing strict requirements on high-risk systems. And, near the end of 2024, the European Data Protection Board issued its opinion on the processing of personal data in AI, outlining that AI developers can use legitimate interest as a basis for processing.

As we move into 2025, the first steps toward compliance will center on developing and refining public-facing documents (like privacy policies), implementing clear and easy-to-understand consent mechanisms (where required), and ensuring efficient processes for responding to consumer requests. With the expansion of state privacy laws and emerging regulations on AI and biometrics, businesses should prioritize these foundational steps while also addressing deeper, but equally if not more consequential, compliance measures, such as data privacy and cybersecurity risk assessments, data processing agreements, and compliant use of automated decision-making technology, including profiling. By addressing these initial requirements, businesses can position themselves to navigate the evolving data privacy and cybersecurity landscape.