Preparing for upcoming US privacy laws in 2025
Posted: February 4, 2025
Privacy pros who face the patchwork quilt of United States privacy requirements – including what seems like a continuous flow of new states adding laws every few months – may consider 2025 to be a year of ‘business as usual.’ In a way it is.
This year sees Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, and Maryland adding general privacy laws between January 1 and December 31. Though this is a considerable number of new laws, 2024 saw 7 new comprehensive State privacy laws, which is a comparable number.
To add to the temptation of a blasé attitude towards 2025 in the US, the details of many of the requirements, though slightly different across the States, are similar to one another and to those laws enacted in 2024 and earlier.
However, there are some aspects of US privacy in 2025 that bear special consideration and preparation.
- Volume & velocity
- Enforcement
- Divergence
- Culture
Volume & Velocity
Despite the consistent year-on-year increases in the number of comprehensive State privacy laws, there is also a significant and parallel increase in more narrowly scoped privacy laws in biometrics, artificial intelligence, tracking technologies, and other areas.
For example, last year New York – a State without a current comprehensive privacy law – issued guidance related to advertising tracking. Other States are following suit with guidance and, in some cases, legislation. Taken together, new general-purpose State privacy laws plus the narrower new laws that touch on privacy mean that the volume of new requirements continues to increase in 2025.
Additionally, the rate of change in internal company practices, often driven by new technology, continues to accelerate. This adds complexity, risk, and Privacy Office workload to the task of keeping ahead of the new requirements that apply.
In addition, though newly added comprehensive State privacy laws may represent a consistent increase when compared to previous years, the individual rights they bring about are additive. This means that any company, and especially a company that has taken a State-by-State approach to providing individual rights, will see increases in the numbers of requests that consumers submit. This also increases the Privacy Office workload.
How to prepare for volume
- Align on and document a plan for monitoring regulatory developments:
Since regulations that impact privacy are increasingly branching out into other areas (such as technology and medical), aligning across the company on which individuals or functional areas are responsible for monitoring the external legislative environment for changes will be critical in 2025. Assigning and documenting this responsibility helps ensure that ‘someone’ is watching on behalf of the company and that no new rules slip through the cracks.
- Align on and document trigger points within the company that will, if reached, mean that new rules apply:
A company may legitimately decide in February that a biometrics, AI, or other narrowly scoped law does not apply because no current practice triggers its requirements. Then, in March, the company might implement finger-scanning technology at its headquarters in Illinois, thus triggering the Illinois biometrics law. If no one in the company is watching for those triggers, the company might miss important rules surrounding that activity. To avoid this scenario, identify trigger points and assign internal people or teams to monitor internal changes that may bring the company into contact with those trigger points.
- Review the current individual rights process for scalability and efficiency:
With about a third of U.S. states having passed a general privacy law that includes one or more individual rights, 2025 may be the perfect time to consider whether the company has reached a tipping point and should begin to offer individual rights across all States, or whether a State-by-State approach is still practical. Also, if there are ways to improve the compliance, efficiency, or scalability of the process for adding new states and handling individual rights requests, those improvements will help the company meet additional volume as new State laws become effective.
Enforcement
Not only will there be more laws in effect by the end of 2025, but all signs also point to more, and more aggressive, enforcement of those laws. Delaware and New Hampshire have taken steps to set up their enforcement agencies in preparation for jumping into enforcement. California flexed its regulatory muscles in 2024 on DoorDash and Tilting Point Media, and smart money is on more enforcement from that State in 2025. Texas may be vying for the heavyweight privacy regulator title, with a privacy and security initiative launched in 2024 that will continue into 2025.
More aggressive regulators are only part of the enforcement equation. Each newly enacted law brings in a new regulator, or at least a regulator with new possibilities for enforcement. Regardless of how an organization calculates the probability and risk of facing an investigation, almost no calculation can ignore the impact of additional regulators entering the field.
How to prepare for enforcement
Any privacy (or legal, or compliance) professional will argue that the best way to handle enforcement actions is to avoid them altogether. A sound, robust, and demonstrable privacy program will help predict and avoid compliance issues and provide documentation of compliance in case of a regulator inquiry. Some tools to help identify compliance weaknesses and build a robust privacy program include regular compliance assessments and maturity assessments.
Divergence
Though most of the new state laws that go into effect in 2025 contain similar requirements, the Maryland Online Data Privacy Act (MODPA) of 2024 contains some divergent rules that may present additional challenges to some companies. Specifically, the MODPA, which goes into effect October 1, 2025, takes a stricter stance on collection and uses of sensitive personal data, as well as data minimization expectations.
Though other State privacy laws also provide special protections for sensitive personal data, most allow for collection, use, and even selling with express consent. Maryland, however, prohibits selling sensitive personal data without exception. Moreover, regardless of consent, a company may not process sensitive personal data unless it is “strictly necessary” to “provide or maintain a specific product or service requested by the customer.”
Even more generally, the MODPA requires that companies “limit the collection of personal data” to what is “reasonably necessary and proportionate” to “provide or maintain a specific product or service requested by the consumer to whom the data pertains,” regardless of whether a consumer consents to additional processing.
These additional restrictions represent a significant divergence from less strict requirements of other State laws. This may be a signal that States are beginning to feel that ‘standard’ general privacy laws do not go far enough. The new year is a suitable time to not only prepare for MODPA but also consider how other future State laws may continue to take stronger measures, especially related to sensitive personal data.
How to prepare for divergence
These significant differences between other U.S. State privacy laws and the MODPA mean that some companies will need to assess the implications and, in some cases, limit collection, use, and sharing of personal data, including sensitive personal data. One way to prepare is to carefully refresh data inventory records to identify the data collected, especially sensitive personal data. From there, a company can identify where MODPA overlays sensitive data collection, use, and sharing practices that currently rely validly on consent but may require adjustments for consumers in that State in the future.
Culture shifts
Younger generations are both comfortable using technology and expect pleasing, customized privacy experiences as table stakes in their interactions with companies. Generation Z, for example, expects to be able to interact with a company across multiple media while still having their preferences and consents applied consistently, and through a good customer experience. This means that strong consent, individual rights, transparency, and preference experiences are especially important in 2025 and beyond.
How to prepare for culture shifts
A close review of the end-to-end privacy experience with an eye to customer experience, customization, and compliance with laws will help a company prepare for the elevated expectations of current and future generations.
Summary
Though 2025 may mean more (and more, and more) of what the U.S. has experienced over the preceding two years, the cumulative consequences of both additional general and activity/data-specific privacy laws will mean privacy offices have their work cut out to stay ahead of identifying new requirements, doing the work to comply, and handling on-going compliance.
One new law, Maryland’s Online Data Privacy Act (MODPA), represents some vastly different new considerations that will require analysis and preparation in advance of the October 1 effective date. Additionally, as customer expectations continue to rise regarding a clear, consistent, and customized experience, and as the risk of noncompliance continues to increase, the business case for doing privacy well in 2025 is the highest it has ever been.