Skip to Main Content

Keeping you informed

Data Privacy Week 2025: The Future of Privacy Law

    Client Alerts
  • January 31, 2025

Welcome back to the last installment of our three-part series for Data Privacy Week. We previously discussed the foundations of data privacy law and the current state of privacy landscape for companies, and we will now turn to focus on what is in store for the future of U.S. privacy laws.  

Federal Agency Activity  

Federal agencies such as the Federal Trade Commission and the Department of Justice are increasing their focus on the privacy arena with tailored rules for specific regulated businesses or categories of consumer data. In 2025, there are several federal agency rules that are scheduled to come into effect or undergo further consideration. As a new administration takes shape in Washington, DC, however, we will be closely watching what direction it takes regarding rulemaking around data privacy and cybersecurity. Some important currently slated activity includes: 

  • Federal Communications Commission: The FCC’s amendments to the Telephone Consumer Protection Act (TCPA) were adopted in early 2024 but will take effect on April 11, 2025. The new rules make it simpler for consumers to revoke consent to unwanted robocalls and robotexts while requiring that callers and texters honor these requests in a timely manner. 
     
  • Federal Trade Commission: The FTC is still in its Magnuson-Moss rulemaking procedure for a proposed rule regarding commercial surveillance practices, though this may be shelved by a newly appointed FTC chair. Additionally, the FTC continues to pursue an aggressive enforcement strategy to build out what data security measures constitute an unfair or deceptive trade practice.  
     
  • Department of Justice and FTC: On December 11, 2024, the DOJ and FTC withdrew the guidelines for collaboration among companies that compete with one another as concerns related to algorithmic price fixing take center stage. This comes at the same time as the DOJ and FTC focus on the rental housing, industry including through a filed Statement of Interest, which explains the legal principles applicable to claims of algorithmic price fixing.   
     
  • Securities and Exchange Commission: The SEC’s recent amendment to its regulation on the privacy of consumer financial information and the safeguarding of customer information comes into effect for large entities on December 3, 2025. The amendment deals with companies adopting written policies and procedures for incident response programs to address unauthorized access to or use of customer information, including procedures for providing timely notification to individuals impacted by an incident.  
     
  • Department of Health and Human Services: On December 27, 2024, HHS issued a notice of proposed rulemaking with significant updates to the HIPAA security rule. These updates come because of the surge in reportable data breaches by covered entities, which in 2023 affect 167 million individuals, an increase of more than 1000% since 2018. 
     
  • White House: The White House published the Energy Modernization Cybersecurity Implementation Plan, which sets forth a goal of accelerating the development of cybersecurity-focused technical standards and guidance, including energy sector CPGs and NIST Privacy Framework for the electric vehicle industry. This plan builds upon federal code, which requires charging station operators to collect, process, and retain only that personal information strictly necessary to provide the charging service to a consumer.  
     
  • Consumer Financial Protection Bureau: The CFPB passed rules regarding personal financial data rights, which requires large institutions to comply by April 2026. These rules require financial institutions to provide consumers with more choices about how their data is shared with other entities. While the compliance date doesn’t fall within 2025, the courtroom battle over these rules will take place this year as financial institutions raise security concerns, especially as the CFPB takes actions against certain payment apps for allegedly failing to protect users from scams.  

There is significant regulatory activity taking place as federal agencies update existing laws to meet the new challenges in today’s marketplace. While we expect federal agencies to continue rulemaking activity, with the overturning of the Chevron deference last year by the Supreme Court, and new leadership in Washington, businesses should expect even less predictability regarding rules adopted, but not yet in effect.  

Federal Legislative Activity 

Federal agencies can bolster rulemaking authority where Congress passes legislation on the issue. Privacy legislation has been difficult for Congress in past few years after debates regarding federal preemption caused many state privacy regulators, such as the California Privacy Protection Agency, to oppose legislation that sets a federal ceiling. However, with the turning of the political tides, there is a possibility that legislation could be passed. Key legislative developments to watch include: 

  • Kids Online Safety and Privacy Act (KOSPA): Late in 2024, KOSPA was introduced, merging two pieces of legislation being considered by Congress: Children’s Online Privacy Protection Act 2.0 (COPPA 2.0) and Kids Online Safety Act (KOSA). While the Senate passed KOSPA last July, it appears the House has decided not to bring the bill to the floor, killing the chances of KOSPA before the 119th Congress is sworn in. Given the bipartisan support with respect to children’s data, there remains a decent chance that some version of the three bills will be passed by the end of 2026. 
     
  • Federal Comprehensive Privacy Bill: Some bipartisan support for a comprehensive privacy law remains present, however, there are disagreements over federal preemption, and private rights of action continue to stall progress. These obstacles are likely to persist given 19 states have passed a comprehensive data privacy law and those states are going to be hard pressed to let the federal government limit their ability to protect their residents. If a federal privacy bill is passed, we expect it to pale in comparison to the protections afforded by the previously considered by the proposed American Privacy Rights Act. 
     
  • Artificial Intelligence: There is an outcry from the business community for guidance when it comes to artificial intelligence (AI) and future regulatory interest. Both the prior administration and current one at least agrees on the importance of AI. One of the few executive orders President Trump has retained of former President Biden involves more federal land devoted to AI data centers. For now, the federal guidance ends there as President Trump repealed Biden’s first AI executive order providing some regulation on AI development and testing on his first day in office. It remains to be seen if we will see any further guidance on safe AI use for businesses.  

Navigating the Road Ahead 

Businesses that anticipate being affected by the rulemaking activity by federal agencies and possible new federal legislation should consider a proactive compliance approach. The global trend is for more privacy-related requirements to be imposed upon businesses, rather than less. Privacy has remained a difficult topic to predict given its bipartisan nature and businesses could be left flatfooted if there is an expectation that privacy-related rulemaking and legislative activities will slow down in the next few years.  

By staying informed on industry and legislative updates, businesses can more easily navigate uncertainty and position themselves for success in the evolving legal landscape. 

For more information, please contact us or your regular Parker Poe attorney. You can subscribe to our latest news and insights here