Privacy Pros Predict Surge in Privacy Laws, Claims Under Old Laws
In addition to an increase in privacy laws, 2025 is expected to bring an escalation of privacy and data protection claims under old laws, said International Association of Privacy Professionals (IAPP) members on a webinar Wednesday.
Sign up for a free preview to unlock the rest of this article
“We're seeing policymakers around the world get increasingly hawkish, a bit more mercenary, and they view a lot of these issues relating to the use, misuse and abuse of data through a more strategic," geopolitical and "transactional lens,” said Joe Jones, IAPP director-research and insights. “The era when we saw the GDPR copied and pasted around the world is over. We’re seeing much more interesting, more dynamic, more complex gaps and overlaps and tensions and conflicts with this ... latest generation of privacy law.”
Many newer state laws are more nuanced and context-specific, said Ashley Casovan, managing director of the AI Governance Center at IAPP. “We're not seeing big, comprehensive bills for AI legislation,” she said. “We are seeing that they are specific to types of harms that exist [and] certain types of domains.” They also are intersectional, relying on other legislation like existing consumer protection laws, she said.
Jim Dempsey, IAPP Cybersecurity Law Center managing director, said both the federal government and the states regulate privacy, data protection and cybersecurity. “In the absence of federal action ... we have substantial state action,” he said. “Thirty-one states now have statutes specifically requiring businesses to adopt data security practices for personal information. Of those 31 statutes, some are the comprehensive privacy laws [or] data protection laws … but a number of states also have freestanding data security mandates for personal information.”
There's also “increasing creativity” when it comes to enforcement approaches and leveraging older, non-privacy laws for privacy harms, said Caitlin Fennessy, vice president-chief knowledge officer at IAPP.
Dempsey pointed to laws that prohibit unfair or deceptive acts or practices (UDAP) in commerce, sometimes called mini-FTC acts, as an example. The 50 states, Washington, D.C., and the U.S. territories all have a version of this law, he said. Attorneys general “love to proceed under these UDAP laws, because unfair or deceptive is potentially very, very broad, and I think almost all the states take the same position that our [FTC] takes, which is that it is an unfair practice to take information from a consumer and then fail to protect that information with reasonable measures.”
In addition to new or updated laws, Jones predicted “maturing, toughening and more exacting scrutiny, enforcement and litigation" on privacy. There is foreshadowing of a new era of private enforcement through individuals bringing more complaints and through class actions, he said, which will result in more judicial reasoning and enforcement of important issues.
“Consumer behaviors are changing,” Jones said. “Consumers move with their feet. Where there are data breaches, where there's a perceived threat to privacy and data protection, individuals act on that, and that is something that organizations are increasingly aware of and trying to be savvy about.”