Although privacy has been much talked about in the last five years, compliance in the US has remained a bit of a moving target. California set the bar high, and early, and in many ways remains the arbiter of best practices. Other states have been slow to follow, and for the last five years or so, many small and mid-sized companies have deferred thinking about privacy compliance by rationalizing that they were too small, or not handling enough data, to need to work toward it. Starting now, however, it is going to become increasingly difficult to avoid privacy matters.
WHY IT MATTERS
As we start 2025, nearly half of all US states have passed some form of comprehensive privacy law. About half a dozen major laws are already in effect. In 2025, dozens of privacy milestones will become legally required, as new laws go live and existing laws are upgraded. By the end of 2026, some or all of the following will be happening in dozens of states:
- New privacy laws will take effect
- New risk audit requirements under existing privacy laws will be phased in
- New opt-out requirements designed to curtail targeted advertising will take effect
- Grace periods to cure violations under existing laws will be phased out
- New types of data will be regulated under amendments to existing laws
- New types of tech tools (such as universal opt-out mechanisms) will be required
- Data breach notice requirements will include increased disclosure mandates and shorter reporting deadlines
…and more.
In addition, California and other states will start regulating AI, and there will be some degree of overlap between risk assessment/AI regulation and privacy compliance. Also, medical privacy, biometric privacy, and children's privacy and online media usage continue to spur new legislative and regulatory activity across the country.
It will be increasingly difficult even for small and medium-sized companies to avoid doing business in states with privacy laws. Even for those that remain unregulated, the very high likelihood is that large enterprise customers will require privacy compliance in their supply contracts. The time is now to get ahead of these issues.