The Year Ahead in Privacy Compliance

2025 has all the ingredients for a critical year in privacy: new laws coupled with active regulators and legislators, both of whom are likely eager to turn their attention to artificial intelligence (AI). As a companion piece to our 2024 recap, this alert highlights the new compliance obligations and dips its toes into crystal-ball predictions about new rulemaking, legislation, and enforcement. Stay tuned for the companion alert in which Camila Tobón covers what to watch for in AI.

Compliance: New requirements and more states

This year will see at least eight states’ comprehensive privacy laws take effect. Many of these laws generally rehash what was done in other states:

  • Delaware (January 1). A Connecticut model with a few twists, including providing a right to request the categories of third parties to whom the controller disclosed the consumer’s personal data.
  • Iowa (January 1). A Virginia-lite model—privacy assessments are not required; consent is not needed to process sensitive data; and there is no right to correct data, opt out of profiling, or appeal a decision (and the law is unclear on whether there is a right to opt out of targeted advertising).
  • Nebraska (January 1). A Texas model, including the unique trigger that applies the law to everyone but small businesses.
  • New Hampshire (January 1). A Connecticut model, except the cure period does not sunset (instead, after a year, the attorney general has discretion on whether to offer a cure period).
  • New Jersey (January 15). A Colorado model—complete with mandatory rulemaking (which the New Jersey Division of Consumer Affairs says is coming later this year).
  • Tennessee (July 1). A Virginia model with the unique addition of an affirmative defense for a company that “reasonably complies” with the National Institute of Standards and Technology’s Privacy Framework (or similar safeguards).

But two states broke notable new ground:

  • Maryland (October 1). The law prohibits selling sensitive data and has the strictest data-minimization requirements yet—e.g., sensitive data can be processed only if “strictly necessary” to provide a product/service. [Although the law takes effect October 1, 2025, it only applies to activities occurring starting on April 1, 2026.]
  • Minnesota (July 31). Controllers must maintain policies and identify a person responsible for compliance, while consumers have enhanced rights in connection with profiling—e.g., questioning the result and reviewing the underlying data.

Many of these new laws also embrace a couple of new trends: diverging definitions of sensitive data (e.g., adding nonbinary status) and increased protections for minors (e.g., raising the age threshold from 16 to 18).

Privacy compliance isn’t all about new states—some of the old-timers have some new tricks as well. For example, Connecticut started requiring compliance with universal opt-out signals (which they lovingly call OOPS) on January 1, and Colorado’s enhanced obligations for biometric data (which even apply in limited respect to employee data) will take effect on July 1. Oh, and California’s expanded data-broker definition takes effect this year, which could create data brokers out of unsuspecting companies. [An issue not to take lightly given the recent enforcement activity in California.]

Rulemaking: Back in vogue

States are again picking up the privacy rulemaking baton. New Jersey will start its rulemaking process sometime this year, while California is wrapping up the initial notice-and-comment period in mid-January to (i) update existing rules and (ii) create new rules on insurance, risk assessments, cybersecurity audits, and automated decisionmaking technology (ADMT). Given the scope of those rules, and the estimated $3.5 billion in new compliance costs in year one, the California Privacy Protection Agency (CPPA) is likely to hold multiple rounds of public comment.

But 2025 rulemaking will not be just a state affair. Although the Federal Trade Commission’s (FTC) proposal on privacy rulemaking is likely dead, keep an eye on the recent proposal to overhaul the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). [We covered this in a recent alert.] The U.S. Department of Health and Human Services Office for Civil Rights is seeking to replace much of the current rule’s flexibility (notably the distinction between “required” and “addressable” safeguards) with a more prescriptive approach that aligns with industry norms on topics such as encryption, data mapping, and multifactor authentication. It is an open question how the incoming administration will view the draft rule, since it will be the one deciding whether to adopt a final rule, but there is bipartisan support for strengthening those safeguards.

Legislation: State and federal officials pursue different aims

This is the year that federal legislation makes it across the finish line. Right? Anyone? Okay, comprehensive federal legislation is unlikely. But there is bipartisan momentum in Congress for overhauling children’s online privacy after states made their mark in the field on topics such as duty of care, privacy defaults, advertising limitations, and social media restrictions. Given that the Senate recently passed the Kids Online Safety and Privacy Act by an overwhelming margin (91-3), and influential conservatives outside Congress are behind the legislation, it is likely that bill makes a return in 2025. As a refresher, that bill (among other things) required parental controls, gave minors a right to delete, banned targeted marketing to minors, and created a duty of care for website operators.

At the state level, the steady march of comprehensive privacy laws seems like a fait accompli. [Unless legislators get sidetracked by the fancy new kid on the block, AI legislation.] The question is what does the next wave of bills look like? The Virginia and Colorado/Connecticut models initially dominated the scene—until Maryland and Minnesota introduced novel twists, and Vermont grabbed attention with a private right of action (although the bill got vetoed). Were those aberrations or a sign of things to come?

Enforcement: The FTC charts an uncertain path while states ramp up

The big question is where does the FTC go from here? Chair Lina Khan led an active campaign targeting large swathes of privacy issues, with an emphasis on data brokers and sensitive data. But Commissioner Andrew Ferguson, the incoming chair, has a different view of the FTC’s role. Although he voted for every privacy enforcement action, he expressed suspicion of the FTC’s role in privacy regulation, and his reported agenda includes plans to “stop abusing FTC enforcement authorities as a substitute for comprehensive federal privacy legislation.” The FTC is likely to abandon its privacy rulemaking efforts and may be less active in privacy enforcement (at least against companies that are not “big tech”), which may create an opening for states to fill.

States will likely be at the forefront of enforcement this year. When it comes to comprehensive privacy laws, the greatest risk likely lies in Colorado, Connecticut, and California because their cure periods are now off the books. Other states may upend compliance plans with guidance that shifts expectations. [For example, Oregon’s recent advisory suggested that the use of AI with personal data generally requires a data protection assessment.] But comprehensive laws are not the entire ballgame: watch out for regulators in states without such laws following New York’s lead by linking privacy violations to consumer protection frameworks. Of course, no prediction is complete without addressing Texas, home to the most active privacy regulator this side of the Atlantic. Following a robust 2024 (in which the state targeted data brokers, location data, children’s data, and more), the state’s new privacy team shows no signs of slowing down. Companies with Texas ties should be on high alert.