What’s In Store for Data Privacy in 2025?
By David LeDuc
The new year ushered in a new political environment in Washington, and a likely shakeup in the data privacy landscape. The incoming Trump administration and Republican congressional leaders have signaled a different regulatory and legislative approach, even as states continue to push the boundaries of privacy legislation and regulation. Single-party control doesn’t always mean harmony, however, as shown by the social media rift over high-skilled immigration that erupted at the end of 2024. We’re still likely to see divergent viewpoints at the federal level, while the state landscape in many ways might not look all that different.
Following is a detailed look forward towards potential U.S. data privacy legislative and regulatory activity in 2025. Key themes throughout include a reset in both federal policymaking and regulatory activity, a continuation of state legislatures breaking new ground, and a continued focus on data brokers likely to include many ad-tech companies.
1. Federal regulatory reform is likely to have the biggest material impact on U.S. data privacy practices.
President-elect Trump ran on a pro-business platform that promoted robust deregulation, so the new administration and Republican Congress have been poised since November to reshape the federal regulatory environment. While heavily regulated sectors like energy and financial industries will no doubt dominate early reform efforts, data privacy will also likely see a modified approach.
The first step is for Congress and the Trump Administration to identify which regulations are subject to repeal under the Congressional Review Act (CRA)—reportedly more than 60 CRA petitions are already being considered! So, what’s in scope for data and technology? Not the FTC’s Health Breach Notification Rule (HBNR), as that was finalized in May 2024, well ahead of the summer deadline. However, the FTC’s “Click to Cancel” rulemaking is quite likely at the head of the firing line. The Consumer Financial Protection Bureau (CFPB) Open Banking Rule is also a potential candidate, as is a rule finalized at the end of 2024 by the Department of Justice (DOJ) to limit the sharing of bulk sensitive data. But application of the CRA can be challenging, as it prohibits new regulations that are “substantially the same” absent new legislative authorization–of course, substantial sameness isn’t defined. The new DOJ Rule doesn’t diverge substantially from the prior Trump administration’s national security policy, and the open banking rule may also have some elements deemed worth retaining, even if others are likely deemed to go too far. To be sure, it’s hard to predict how the regulatory scalpel—or sledgehammer—will be wielded by an incoming regime, particularly with respect to substantial new regulations such as these.
More impactful than CRA repeal of certain Biden administration regulations (sledgehammer) could be tweaks to and/or repeal of White House policies (scalpel), such as President Biden’s Executive Orders on AI and security, as well as a major reform of soft policies across federal agencies. It has been a major FTC trend over the last several years to evolve the agency’s policy through less formal procedures such as guidance (including regulatory interpretations and blog posts), and steering the marketplace through expansive settlement agreements.
Incoming FTC Chairman Andrew Ferguson will not need to go through a lengthy confirmation process as a sitting commissioner, but it will probably take a couple of months to confirm Trump appointee Mark Meador and establish a Republican majority. In terms of future priorities, incoming Chairman Ferguson’s opinions (particularly re: Video Streaming Report and recent location settlements) provide the best indication of his disagreement with the current FTC’s approach. In general, the commission can be expected to revert to a more traditional policymaking and enforcement approach, including less reliance on bold Section 5 unfairness actions around data privacy and AI.
The DOJ, CFPB, and Health and Human Services (HHS) also developed new data regulations in 2024 that are likely to be under the regulatory microscope. The recently proposed CFPB Rule expanding the Fair Credit Reporting Act (FCRA) is likely to be called out by the incoming administration as overly expansive. The HHS’ informal policymaking on website tracking already hit a wall in 2024 and isn’t likely to reappear in similar form any time soon.
What to watch: Among many questions, perhaps the most important are those pertaining to the regulation of data brokers and national security. The Protecting Americans’ Data from Foreign Adversaries Act (PADFAA), enacted in the first half of 2024, and the DOJ Rule on bulk sensitive data are parallel policies that are both consistent and conflicting. PADFAA was hastily crafted with significant ambiguities and misplaced authority to the FTC. This is an area ripe for either more thoughtful legislative alignment or regulatory adaptation at the FTC and DOJ—or both. Regardless, new data sharing restrictions in response to national security concerns were the biggest federal policy developments of 2024, so implementation by the new administration could add a new layer of regulation not contemplated a year ago.
2. Federal legislation is likely to see a much-needed reset, even if single party control in Washington doesn’t provide a glide-path for federal privacy legislation.
The last two Congresses failed to advance data privacy legislation. The American Privacy Rights Act (APRA), a comprehensive bill derived from the American Data Privacy Protection Act (ADPPA) introduced in the 117th Congress, lacked support in both the Committee and the full House. A children’s privacy bill got closer; a combined legislative package of COPPA 2.0 and the Kids Online Safety Act (KOSA)–known as KOSPA–overwhelmingly passed the Senate, but ultimately failed due to lingering concerns about overreach and First Amendment scrutiny.
New Congressional leaders, Senate Commerce Committee Chair Ted Cruz (R-TX) and House E&C Chair Brett Guthrie (R-KY), have both included data privacy on their list of priorities, and both were vocal opponents of APRA. Early indications suggest strong odds for a new, less expansive approach to data minimization, departing from a substantial ban on secondary uses of data, and likely trimming tangential provisions such as AI and civil rights protections for a more tailored approach.
To be sure, both incoming chairs could quickly identify a set of policy priorities more pressing than data privacy, so this may not be the first issue out of the gates. In addition to a jam-packed agenda, the biggest obstacle for a national consumer privacy law remains the lack of consensus around preemption and a private right of action. So, while there is much reason for optimism about narrower, more pragmatic data privacy legislation, a uniform national consumer privacy law replacing the state patchwork could still be elusive.
What to watch: Decisions about scoping for new privacy legislation could have outsized impact. First, whether to pursue a single measure, or separate packages like we saw in the last Congress that separated children’s privacy and online safety from comprehensive privacy reform. Early indications are that we’ll see a version of the latter, with Republican congressional leaders potentially splitting out a revised version of KOSA. This is a very practical approach given KOSA’s focus on platforms and children’s safety, rather than data privacy. Regardless of whether this effort is met with quick success or bogs down in partisan debate, it could provide a pathway for a national framework that is streamlined and less controversial.
Second, potential regulation of data brokers in new consumer privacy legislation is particularly important for digital advertising, and worthy of refreshed discussions. Data broker regulation has not been a partisan issue. Texas Attorney General Ken Paxton has been a national leader on data broker enforcement at the state level, and incoming Chairman Cruz has expressed support for these efforts. A much-anticipated “Texas-style” privacy bill can be expected to include data broker regulation, so the formula for these provisions is critical for many ad-tech companies potentially within the scope.
3. Like it or not, state legislatures will remain at the forefront of privacy legislative debates.
Suddenly, the unpredictable state legislative environment is looking somewhat consistent compared to the above, but that’s not to say we should expect a batch of cookie-cutter state privacy laws. Assuming that we don’t see a preemptive consumer privacy law enacted in the first months of 2025 (a fair bet), a dozen or more state legislatures are once again poised to fill the void. Several familiar states are jumping right back into privacy legislation. Maine and Vermont came very close last year, but both met vetoes. All eyes should be on these states as they revisit modified approaches to core issues that will determine whether they substantially depart from a largely consensus core framework that has evolved across most states.
Another noteworthy trend is the shift towards perpetual data privacy legislating. That is—unlike years past when states would typically legislate on an issue and then move on—California, Connecticut, and Colorado lead the pack among states committed to continually tweaking their laws. Most notably coming in 2025, the Connecticut legislature has already begun the process to amend its law, again. Of course, we haven’t seen a year go by since enactment of the CCPA that dozens of bills weren’t considered to amend the statute–2025 won’t be different. Center stage in California for the digital advertising industry is likely to be a second run at AB 3048, one of several vetoed measures in 2024, requiring opt-out preference signals across browsers and mobile devices. The CPPA Board voted unanimously in December to task the agency with promoting similar legislation in 2025.
What to watch: In addition to data minimization being a highly debated provision in several states, there will likely be some other new twists in 2025, potentially including opt-in requirements in several states, despite having been rejected across legislatures over the last several years. Somewhat under the radar, we already have 11 states with enhanced privacy protections for kids’ data expanding beyond the once consistent COPPA standard (most of which were enacted as components of comprehensive legislation). And nearly as many states have enacted expansive sensitive health data provisions in one form or another. Of course, AI legislation is the state legislative X-factor, quite likely surpassing data privacy in many states, while also potentially having significant impacts on data processing activities and “consequential decisions.”
Although an outsized focus on sensitive children’s and health data isn’t new across the states, the change of leadership in Washington may motivate some blue state legislatures to fill in perceived gaps that were hoped to be addressed at the national level, leading to an uptick in both sensitive data and AI legislating across states. This could be a very disruptive policy outcome, producing more laws that further splinter digital media offerings across the states, akin to the effect My Health My Data has had in Washington.
4. State legal compliance will continue to grow more complex, with more robust engagement from state AGs.
As of January 15th, five new state comprehensive privacy laws have come into play. Delaware, Iowa, Nebraska, and New Hampshire all saw their laws take effect on January 1, and New Jersey’s law followed just a couple weeks later. This brings the total number of state privacy laws currently in effect to 14. Importantly, this month also ushers in three new states requiring businesses to honor consumer requests via opt-out preference signals (aka OOPS/UOOMs): Connecticut, Montana, and Texas. In total, this new requirement will be effective in seven states in 2025 (including original states California and Colorado, plus new laws in Nebraska and New Hampshire). Arguably, 2025 could be the year that “GPC becomes a thing” as additional states will be looking to GPC as a candidate OOPS that helps effectuate opt-out rights while potentially enforcing against companies that are not honoring GPC.
In 2024, we saw a ramp-up of state regulatory activity, powered by the broad set of new laws gradually coming into force over the last several years. Even if this didn’t result in many formal actions, activity will carry over into 2025 (plus new state laws activating more state AGs). Keeping with the recent trend, 2025 will surely be the heaviest year for state regulatory enforcement thus far. With a likely shift in the FTC enforcing its statutory authority (sans more expansive interpretations), this is another area where the change in Washington could alter the trajectory of priorities and practices across the states.
While only a handful of states have broad regulatory authority (California, Colorado, and New Jersey), state regulatory developments are likely to be as robust as ever. The CPPA is engaged in dual-track regulations, including both the CCPA and Delete Act, where the agency is also in the midst of developing a consumer opt-out mechanism. Also notably, New York Attorney General Letitia James was tasked with developing regulations for their nation-leading Child Data Protection Act (CDPA)–the August 2024 advanced rulemaking notice laid the groundwork for draft regulations which are likely in the first half of 2025.
What to watch: All eyes have been on draft CCPA regulations over the last year, and more recently the rulemaking process focused on automated decisionmaking technologies (ADMT), as well as cyber and privacy risk assessments, is now formally underway. We could see final CCPA regulations this year—or not—given the level of complexity and controversy. However, flying under the radar for some, the agency has already promulgated a first set of regulations under the Delete Act and is required to complete the accessible deletion mechanism (DROP) by Jan 1, 2026 (with operative date mid-2026). While the CCPA regulations will be broadly impactful, particularly due to expansive ADMT provisions not reflected in any state laws, the DROP and related regulatory requirements advanced substantially over the course of 2025 are likely to be major game changers for digital advertising businesses.
The New York CDPA regulations could also be a game changer for the children’s (and teens’) privacy landscape. In 2024, these regulations were initially contemplated in parallel with updated COPPA regulations at the FTC. However, with the FTC undergoing a review and reset of policymaking activity, New York could be standing alone with new treatment of concepts such as child-directed (and teen-directed) sites and services. In light of almost a dozen varying state children’s privacy laws and these pending regulations, the need for a uniform national standard can’t be overstated.
Conclusion and Disclaimer
As the saying goes, don’t hate the player, hate the game. These are best guesses offered the second week of January 2025, rather than my wishes or those of the NAI. Hopefully, 2025 will be a year of change ushering in a clear, pragmatic national data privacy law. However, if history is an indicator, companies should balance renewed optimism with practical planning and engagement with policymakers and other stakeholders, like the NAI!
The NAI welcomes a legislative reset at the federal level and remains committed to promoting a much-needed national framework, while also continuing to engage at the state level to help guide pragmatic new laws and regulations.