Attorneys
What we saw in 2024:
2024 was the year of data privacy enforcement. The Federal Trade Commission (FTC) brought at least four enforcement actions in 2024 that addressed sensitive location data. These enforcement actions underscore the need to establish appropriate information security practices and to obtain affirmative consent for the sharing of sensitive data. The FTC further required companies to establish a sensitive location data program and address consumer rights requests.
The office of the Texas Attorney General also brought a series of major enforcement actions in 2024, reaching sizable settlements. Similarly, California’s Attorney General also brought noteworthy enforcement actions, one of which was against a popular food delivery Application, Doordash, regarding the disclosure of personal information to third parties and properly disclosing those practices to consumers.
What is coming in 2025:
The US state privacy law landscape continues to evolve in a “patchwork” fashion, with several comprehensive data privacy laws enacted and entering into force in 2024 and 2025 and some states with existing laws passing amendments.
Several new data privacy laws became effective January 1, 2025 or will become effective later this year:
- Iowa Consumer Data Protection Act (ICDPA) – effective January 1, 2025
- Delaware Personal Data Privacy Act (DPDPA) – effective January 1, 2025
- Nebraska Data Privacy Act (NDPA) – effective January 1, 2025
- New Hampshire Privacy Act (NHPA) – effective January 1, 2025
- New Jersey Data Privacy Law (NJDPL) – effective January 15, 2025
- Tennessee Information Protection Act (TIPA) – effective July 1, 2025
- Minnesota Consumer Data Privacy Act (MCDPA) – effective July 31, 2025
- Maryland Online Data Privacy Act (MODPA) – effective October 1, 2025
Additionally, several more states, including Kentucky, have data privacy laws, which will take effect in early 2026.
2025 will also bring increased focus on protecting the personal data of teens. Since the federal Children’s Online Privacy Protection Act was originally passed, the United States has been primarily focused on protecting data of children under 13. Now, website and online service operators covered by COPPA will be required to obtain separate verifiable parental consent to disclose children’s personal information to third-party companies related to targeted advertising or other purposes and business may only retain personal information for as long as reasonably necessary to fulfill a specific purpose for which it was collected.
Data collectors/businesses collecting consumer data should be prepared for:
- Compliance with even more U.S. state-specific privacy laws
- Increased enforcement actions
- More stringent global privacy and security regulations
- A continued rise in ransomware attacks
- Increased consumer awareness of data rights and control
- Keeping track of consumer rights that may vary across states, such as the right to opt-out of targeted advertising
- Updating existing privacy policies and internal policies to comply with newly enacted legislation, even in states with existing comprehensive privacy laws
- Updating websites to include mechanisms for exercising consumer rights
With still no federal comprehensive data privacy statute, it is even more important that businesses be in the know of each state’s data privacy laws (not just the state in which they are located) to protect their users’ rights and themselves against enforcement. McBrayer’s data privacy and cybersecurity attorneys will be keeping a close eye on newly enacted and developing legislation across the U.S. in 2025.
