Preparing for Data Privacy Expansion in 2025: Is Your Business Ready?

Smith Anderson

As we step into 2025, data privacy laws in the United States are evolving rapidly. With eight new state privacy laws taking effect, businesses face an increasingly complex web of compliance obligations—even in states without dedicated privacy regulations.

The Push for Federal Privacy Legislation Stalls—States Take the Lead

Although there was initial optimism in 2024 about passing comprehensive federal privacy legislation, those efforts ultimately failed to gain traction in Congress. Similar efforts at the federal level appear unlikely under the next administration, but state legislatures and state attorneys general have shown an increasing willingness and ability to address data privacy at the state level.

Eight New State Privacy Laws in 2025

This year, Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee join the ranks of states with comprehensive consumer privacy laws. These additions bring the total to 16 states, including:

  • California
  • Colorado
  • Connecticut
  • Montana
  • Oregon
  • Texas
  • Utah
  • Virginia

This count excludes sector-specific laws, like Washington’s My Health My Data Act, or those with limited applicability, such as Florida’s Digital Bill of Rights. 

What This Means for Your Business 

If your business operates in—or has customers or employees in—these states, now is the time to review your data privacy practices. Key areas to assess include:

  • Data collection: Have you provided notice or obtained consent for the data you are collecting? Are you collecting only what is necessary?
  • Data retention: How long do you keep consumer data?
  • Data protection: Are your security measures robust and up to date? When was your last security risk assessment?
  • Individual rights: Are you equipped to honor consumer rights under these laws?

While many of these state laws exempt businesses under certain revenue and consumer thresholds, others, such as the Texas Data Privacy and Security Act, have little or no minimum threshold for compliance.

State Enforcement: A Growing Priority

We expect state regulators to step up oversight and enforcement to make up for any lag in federal action.

As an example, earlier in 2024, the New York Attorney General’s Office reminded businesses that New York consumer protection laws require websites’ representations concerning privacy to be truthful and not misleading. This guidance was especially surprising given that New York has not yet enacted a comprehensive privacy law that regulates a business’s privacy practices.

Similarly, Texas, where a comprehensive privacy law became effective in July 2024, has also been active recently in the enforcement space. Barely one month after the Texas Data Privacy and Security Act became effective, the Texas Attorney General filed suit against a major automotive manufacturer related to the alleged unlawful collection and sale of individuals' private driving data.

Also, in January of this year, Texas sued a large insurance company for violating the Texas state privacy law by unlawfully collecting drivers’ location data and then using and disclosing that data without providing notice to or obtaining consent from consumers.

Mitigating Heightened Risk for Businesses Nationwide

Businesses, even in states without comprehensive privacy laws, face increased compliance risks. To mitigate these risks, companies should assess the data they collect, understand applicable laws, and ensure their consumer representations align with their data practices. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Smith Anderson
