The 2025 Privacy Landscape: Transitioning Priorities
As we move from an eventful 2024 into 2025, keeping your privacy program running smoothly requires reflecting on the past year’s privacy developments and preparing for an ever-evolving regulatory landscape. This post highlights important lessons learned from 2024 and provides insights to help organizations set their 2025 priorities effectively.
Reflecting on 2024: Key Privacy Developments
2024 saw significant legal privacy developments that brought immediate global impacts. By noting these events, we can identify takeaways to guide our strategies for 2025.
Artificial Intelligence in 2024: Continued Momentum
AI dominated 2024’s privacy discourse, with energy and enthusiasm reminiscent of the GDPR’s 2016 release. Rapid advancements in AI raised significant compliance concerns across industries.
In the United States, President Biden’s Executive Order on Artificial Intelligence turned one year old in October 2024. Key initiatives launched include:
- Establishment of the US AI Safety Institute by the Department of Commerce.
- Release of guidelines on AI risks and safety measures.
However, in January 2025, President Trump rescinded the executive order.
U.S. states also developed many of their own AI regulations, such as Colorado’s SB24-205, which requires both developers and deployers of “high-risk” AI systems to use “reasonable care” to avoid discriminatory algorithmic practices.
Globally, the EU AI Act entered force on August 1st, establishing a comprehensive framework for the development and deployment of AI technologies. It is the most prominent international framework in a crowd of similar frameworks including entries from the United Kingdom, Canada, New Zealand, South Korea, Singapore, Australia, and others.
The privacy community responded by investing in expertise, culminating in the IAPP’s launch of its AI Governance Professional certification. This credential aims to transform abstract frameworks into positive privacy outcomes, a crucial step as AI continues to evolve. It is crucial that the privacy community maintain this momentum and leverage it to bring the perspectives shared in 2024’s privacy conferences into 2025’s conference calls.
U.S. State Laws: A Complicated Patchwork
2024 began with a promising but unsuccessful congressional effort at a federal data privacy law. Meanwhile, state legislatures expanded the US “Privacy Patchwork” to 19 state laws, increasing complexity.
Many state legislatures continued to follow California’s lead, but this year also saw states diverge from preexisting regulatory models.
Key developments included:
- Oregon’s right for consumers to request a list of the specific third parties to which a business has disclosed their personal information.
- Minnesota’s requirement for data inventories, mirroring GDPR practices.
- Maryland’s restrictive data minimization requirement, limiting data collection to what is needed for the products and services a consumer requests.
- Expanded or adjusted definitions of “sensitive personal information” in various states.
- Virginia’s amendment of its privacy law to account for children’s privacy, a reminder that a state can diverge from its own preexisting approach as quickly as from the approaches of other states.
- Washington State’s My Health My Data Act, which entered force in March and is widely expected to bring a wave of litigation and copycat laws.
Texas emerged as a prominent privacy enforcer as well. The Attorney General announced a new enforcement team focused on privacy laws and soon announced several enforcement actions against prominent organizations such as TikTok and Meta. The alleged violations involved multiple laws, including Texas’ Capture or Use of Biometric Identifier Act, the Securing Children Online Through Parental Empowerment Act, and its Data Broker Law. Texas moved quickly and aggressively with its enforcement actions. So far, it has followed the trending regulatory priorities of children’s privacy, biometric data, AI, and data broker oversight.
State regulatory authorities were unified in their priorities. A coalition of 14 state Attorneys General filed lawsuits against TikTok for allegedly harming young people’s mental health and misleading the public about the safety of its platform. The coalition includes California, which likewise announced a widespread investigation into data brokers’ compliance with the California Delete Act.
The FTC shared many of the same regulatory priorities as the states, with an additional focus on data security and the collection and processing of certain types of data (e.g., location data). With a new incoming administration, it was unclear whether these priorities would be disrupted, accelerated, or left to continue.
Privacy in the EU: Not Slowing Down
The EU maintained its focus on controlling the flow of data over its borders, expanding restrictions to even anonymized data moving outside of the EU. The EU’s Data Act, effective September 2025, will complement the Data Governance Act, further restricting data transfers that carry a risk of violating data subjects’ fundamental rights. This Act even allows EU data subjects to access their data from companies established outside of the EU. In the private sector, Google required ad publishers in the EEA and UK to use a TCF-compliant Consent Management Platform.
Looking Ahead to 2025: Key Trends and Strategies
2025 is shaping up to be a mixed bag across the privacy regulatory landscape. The U.S. seems poised to give us more of the same issues we saw in 2024, although diverging starkly from the global privacy landscape.
Continued U.S. State Consumer Privacy Laws
The US will see a continuation of the privacy regulation patchwork across the country with the enforcement of eight new state privacy laws. These laws will enhance consumer rights, reflecting a global trend towards transparency in data practices. However, the absence of comprehensive federal privacy regulation remains a significant gap.
Five states have laws with enforcement dates in January: Iowa, Delaware, New Hampshire, Nebraska, and New Jersey. Two states, Tennessee and Minnesota, will have laws that will be effective in July, while Maryland’s Online Data Privacy Act will not be enforced until October. By the end of 2025, 17 U.S. states will have their own consumer privacy laws.
Global Regulatory Divergence
The US continues to diverge from its economic counterparts around the world. As Anu Bradford discusses in Digital Empires, the three regimes emerging continue to be the U.S. patchwork and opt-out model; the EU’s GDPR regulatory-based opt-in model; and China’s state-driven model.
- Regulatory Approach
  - The U.S. favors a laissez-faire approach.
  - China enforces strict state control.
  - The EU implements detailed regulatory frameworks.
- Data Control
  - The U.S. allows companies to manage data with minimal restrictions.
  - China mandates data localization.
  - The EU emphasizes user consent and data protection.
- Impact on Tech Companies
  - U.S. companies enjoy greater operational freedom.
  - Chinese companies operate under stringent state oversight.
  - EU companies must comply with rigorous privacy standards.
Countries like Brazil and South Africa seem to fall closer to the EU’s regulatory approach with a few nuances. India’s data protection bill tries to balance a regulatory approach with an eye towards driving innovation. The US remains the singular superpower without federal privacy regulation.
Operational Recommendations for 2025
From AI to new privacy laws and regulations, it is easy to get overwhelmed when narrowing down what privacy elements you should focus on. As privacy experts, we must help organizations find a way to balance the customer experience with protecting personal data. To do so, Myna has identified five top privacy operational recommendations to prioritize for 2025.
- Data Inventory/Data Mapping
  - Identify and document the flow of personal data across systems and third-party relationships.
  - Evaluate risks, demonstrate compliance, and enforce accountability.
- Review and Update Privacy Policies and Notices
  - Regularly update external notices (e.g., online privacy notices) and internal policies (e.g., data retention policies).
- Implement a Robust DSAR Program
  - Define and document governance processes to ensure compliance with data subject rights requests.
- Perform Privacy Risk Assessments
  - Identify risks associated with new or revised processing activities and ensure compliance with in-scope regulations.
  - Failure to identify when a PRA is required can cause an organization to be out of compliance with in-scope regulations and expose it to regulatory actions.
- Assess Privacy Programs Against a Recognized Framework
  - Select a privacy framework that aligns with organizational goals and regulatory requirements and benchmark against it.
Enhancing or establishing a robust privacy program is a complex task. By performing data mapping exercises, reviewing and updating privacy notices, implementing a DSAR program, performing privacy risk assessments, and assessing the privacy program against recognized frameworks, organizations can build an efficient and compliant privacy program.
For more information, please contact Wills Catling at: william.catling@myna.com