Year-End Review - Data Privacy Insights To Take into 2025

BakerHostetler

In 2024, our team at BakerHostetler worked with hundreds of clients on a wide range of challenging privacy and data protection compliance issues. As the year ends, we are once again highlighting some key areas that warrant particular attention moving into 2025 – new state privacy laws, data broker laws, children’s personal data, regulatory enforcement trends, tracking technology litigation and the regulation of nonpersonal data outside the United States.

Eight New State Privacy Laws Taking Effect in 2025 – What’s New?

By 2026, about half of the U.S. population will be covered by a state comprehensive privacy law. In January 2025, new comprehensive privacy laws will take effect in Delaware, Iowa, Nebraska, New Hampshire and New Jersey. Later in the year, Maryland, Minnesota and Tennessee will implement similar legislation. While these new privacy laws generally align with the now-familiar framework of the unpassed Washington Privacy Act, we have seen growing variation in newly passed laws. Companies should be alert for key differences, including:

  • Delaware, Maryland and New Jersey categorize status as transgender or nonbinary as sensitive personal data. Additionally, Maryland includes national origin in this category, New Jersey includes financial information and Delaware explicitly recognizes pregnancy.
  • Maryland introduces a data minimization requirement that limits personal data collection to that which is reasonably necessary and proportionate to provide a product or service requested by a consumer. The law additionally prohibits the collection and other processing of sensitive personal data unless that data is strictly necessary for a product or service requested by the consumer. Sensitive personal data may not be sold under Maryland’s law.
  • Minnesota expands consumers’ rights regarding profiling to permit consumers to question the results of profiling, review personal data used in profiling and correct it if needed, be told about the reasons for the profiling decision, and learn about actions that might have altered the outcome.
  • The New Jersey Division of Consumer Affairs has rulemaking authority under the state’s privacy law, which it has not yet exercised.
  • Nebraska’s law, like Texas’, applies broadly without requiring that a minimum number of residents’ personal data is processed or sold for a company doing business in the state to fall within its scope.
  • Also like Texas, Minnesota and Nebraska offer small business exemptions for businesses meeting the U.S. Small Business Administration’s definition, with the caveat that small businesses are still subject to restrictions regarding sensitive personal data.

A few changes to existing state privacy laws should also be noted. Virginia’s Consumer Data Protection Act was amended with new protections for children’s data. Both the Colorado Privacy Act and the California Consumer Privacy Act (CCPA) were modified to include neural data as a type of sensitive personal data. Colorado also expanded biometric and children’s data protections, including through proposed rules. Of note, employees, while generally excluded from the Colorado Privacy Act, are included within the scope of the new biometric data consent requirements. The California Privacy Protection Agency (CPPA) also continues its rulemaking for data brokers, automated decision-making, risk assessments and cybersecurity audits.

For additional information on state comprehensive privacy laws, please see our Comprehensive State Privacy Laws resources page.

Data Brokers

Legislatures and regulators are increasingly aware of the privacy risks posed by data brokers. Currently, data brokers are largely unregulated, aside from a few state laws requiring data broker registries. Although definitions vary, the term “data broker” generally refers to any company that sells personal data collected from consumers with whom it does not have a direct relationship. Essentially, it is a broad definition that can apply to companies that do not traditionally think of themselves as data brokers.

California’s 2023 Delete Act amended its existing data broker registration law. The Delete Act places oversight of data brokers under the CPPA, which recently finalized its associated regulations. By 2026, the CPPA must create a portal for California residents to make opt-out and deletion requests to all registered data brokers. The Delete Act also requires data brokers to register, pay fees and disclose information about various topics, such as consumer requests, children’s data and sensitive personal data.

At the federal level, the Protecting Americans’ Data from Foreign Adversaries Act (PADFA) was passed and took effect in 2024. PADFA prohibits data brokers from transferring sensitive personal data to certain foreign countries deemed to be adversaries of the United States. The Consumer Financial Protection Bureau also recently proposed a rule to “rein in data brokers that sell Americans’ sensitive personal and financial information.” The comment period for this proposed rule is open through March 3, 2025.

Children’s Privacy Remains Under Scrutiny

2024 witnessed a significant uptick in children’s online safety laws. Several new state laws address the processing of personal data about a child, social media networks, addictive feeds, targeted advertising and age-appropriate design. Although definitions, applicability standards and exemptions from compliance vary drastically across these newer children’s privacy laws, many have begun to rely on a definition of “child” that extends to age 18. While these laws reference the federal children’s privacy laws, such as the Children’s Online Privacy Protection Act (COPPA), which remains subject to ongoing updates, active legislation and rulemaking, the state laws have requirements that extend beyond those of COPPA. These new laws not only embrace a broader definition of child but also encompass personal data about children, such as that collected through parents and others. Companies should be alert for rulemaking that could expand compliance obligations, the introduction of new legislation and increased enforcement in 2025, as children’s privacy remains a unified concern across parties in the United States.

One action companies can take now is to complete a privacy impact assessment that specifically considers personal data related to children. This exercise can help clarify where a company’s legal obligations lie with respect to children’s personal data.

Enforcement Trends

In 2024, Texas built a reputation as the most aggressive state privacy regulator in the United States. In June, ahead of the effective date of the Texas Data Privacy and Security Act, the Texas Attorney General launched a major initiative, establishing a team focused on enforcing privacy laws in the state. This year the Texas Attorney General reached a significant settlement with a social media company relating to biometric data, launched investigations into the automotive industry for alleged surveillance and data sharing practices, issued notices to over 100 companies for failing to comply with the Texas data broker law, and began a lawsuit and a large-scale probe into companies for suspected violations of the Securing Children Online through Parental Empowerment (SCOPE) Act and the Texas Data Privacy and Security Act.

Enforcement also has increased in California, due in part to the dual enforcement capabilities of the CPPA and the California Attorney General’s Office. To round out the year, in November, the CPPA announced a settlement with two data brokers for violating the Delete Act. This settlement came on the heels of the CPPA’s investigative sweep of data brokers earlier this year. The CPPA also published two enforcement advisories: the first addressed data minimization as it relates to consumer requests, and a September advisory focused on dark patterns. California’s other enforcer of the CCPA contributed to this year’s CCPA enforcement news, too. In June, the California Attorney General, together with the Los Angeles City Attorney, signaled its focus on children’s data through a joint settlement against a mobile app developer for violations of both the CCPA and COPPA through the developer’s alleged collection and sharing of children’s data without parental consent. This was the second public settlement of the year from the California Attorney General, following the February announcement of a settlement with a food delivery service company for violating the CCPA and the California Online Privacy Protection Act.

The Federal Trade Commission (FTC) has been active in the privacy space in 2024, focusing on sensitive personal data such as children’s data, health data, location data and browsing data. The FTC targeted data brokers under its unfairness authority, and also pursued other forms of data sharing, such as sharing enabled by tracking technologies on websites and in apps. FTC privacy enforcement actions addressed undisclosed uses of data; misleading disclosures; unfair sales of sensitive data, such as geolocation data connected to sensitive locations; collection and use of personal data without consumer consent; and excessive retention of personal data. We’ve also seen the FTC steadily expand its oversight of artificial intelligence (AI) throughout 2024, including through its Operation AI Comply, which launched in the fall. With the change of administration and the Supreme Court’s overturning of Chevron deference, privacy in the federal agency space remains an important area to watch in 2025.

Tracking Technology Litigation

Throughout 2024, plaintiffs’ counsel continued to pursue claims alleging violations of the California Invasion of Privacy Act (CIPA) and other state laws based on the use of cookies, pixels and other website tracking technologies. Plaintiffs’ theories and the technologies to which they relate have continued to expand. From claims alleging that pixels function as a pen register or trap and trace device to claims involving website search features to claims based on pixels included in emails, it seems that few aspects of companies’ digital services are immune from these threats.

While decisions in California courts remain a mixed bag and plaintiffs’ counsel continue to keep many cases out of court by threatening mass arbitration, courts in some other states, such as Massachusetts, have started to reject the application of decades-old wiretapping laws to today’s website tracking technologies. Nonetheless, the ongoing onslaught of these claims means that businesses should continue to take proactive steps to mitigate litigation risks relating to tracking technologies.

International Data Protection – Nonpersonal Data

While the EU has long protected the free flow of data within its borders, transferring personal data outside the EU continues to be challenging. Newer legislation under the European strategy for data focuses on restricting nonpersonal, including anonymized, data flows outside the EU. Companies receiving data from the EU should be aware of the currently applicable Data Governance Act and the Data Act, effective September 2025. Broadly, these laws aim to safeguard personal data and other types of data, such as intellectual property; preserve fair competition; and boost the EU’s global economic competitiveness. The Data Governance Act regulates public sector data use, requiring similar levels of protection for outbound data transfers. The Data Act applies to data obtained from connected products offered in the EU market, restricting transfers of data that could violate fundamental rights, such as through unlawful or illegitimate government access, or to protect commercially sensitive data. The Data Act additionally allows customers in the EU to obtain access to their data, even from companies established outside the EU.

On the other side of the world, China is implementing new regulations on network data security management under its Cybersecurity Law, Data Security Law and Personal Information Protection Law early in 2025. These regulations address personal information and also “important data,” including data related to national security, critical infrastructure and cybersecurity, addressing data localization requirements and outbound data transfers.

What Else To Know?

  • After a strong effort to pass the federal American Privacy Rights Act in 2024, we do not expect a similar push in 2025. However, if the new Republican-controlled Congress agrees on preemption and private rights of action, a comprehensive federal privacy law could be in play. In the meantime, expect more state privacy laws.
  • In January, the Federal Communications Commission’s new rules under the Telephone Consumer Protection Act take effect. Notably, the FCC implemented a rule to eliminate the so-called “lead generator loophole” by barring companies from obtaining consent to telemarketing calls and texts from multiple marketing partners through a single consent mechanism. Although this always has been an unlawful practice, the FCC has now explicitly stated that call consent language must clearly and conspicuously authorize calls or texts from only one entity per given consent. Further, despite the nickname, the new requirements may apply to various types of companies that do not consider themselves to be “lead generators” – to the extent their current processes purport to obtain consent for multiple callers through one opt-in.
  • AI laws continue to progress, with the EU AI Act poised to remain a global focal point in 2025, but the European Data Protection Board has been quick to remind companies not to lose sight of General Data Protection Regulation principles, which also support responsible AI. In the United States, the state-level introduction of AI legislation has reached a fever pitch. In 2025, we anticipate that more states will follow Colorado’s lead by passing comprehensive AI laws, while others may opt for relatively minor updates to existing laws or the enactment of narrowly focused AI laws, such as the flurry that passed in California in September.
  • Consumer complaints remain an easy way to land in front of a regulator. Make sure you have processes in place for responding to consumer privacy rights requests promptly, completely and accurately. Also, make sure your public-facing disclosures, including any choices offered to consumers, are clear, correct, available and functional.
  • Keep an eye on privacy reforms in Australia, Canada and the United Kingdom as well as India’s new privacy law, which has the potential to affect many companies outsourcing data processing in that country.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© BakerHostetler
