Eye On Data Privacy

As we enter 2025, the data privacy landscape in the United States continues to evolve rapidly, which presents new challenges and opportunities for businesses. With a wave of new state privacy laws taking effect and increased enforcement actions focusing on sensitive data, business owners, financial leaders, and senior management in mid-market firms must stay informed and proactive in their approach to data privacy compliance. Keep reading to learn what business leaders should know about the shifting U.S. privacy law landscape.

In 2024, the GBQ Business Technology Solutions Team helped clients in the education, real estate, financial, and manufacturing sectors with regulatory requests from Texas or contractual obligations from customers in Colorado and Texas. Today, discussions continue with other clients surprised by audit requests (from Texas) and requirements for formal Data Protection Impact Assessments (DPIA) from Colorado. We believe these requests will ramp up.

New State Privacy Laws On The Horizon

The patchwork of state privacy laws in the U.S. is expanding, with several new comprehensive privacy laws set to take effect in 2025. These laws will significantly impact how businesses collect, use, and protect consumer data.

Key States To Watch

Delaware, Nebraska, New Hampshire, and Iowa implemented comprehensive privacy laws on Jan. 1, 2025. These laws generally grant consumers rights such as access, correction, deletion, and data portability, while imposing new obligations on businesses.

Maryland’s Online Data Privacy Act (MODPA) will take effect on Oct. 1, 2025, introducing stringent data minimization requirements. The MODPA applies to companies handling personal data of at least 35,000 Maryland residents annually or 10,000 residents if more than 20 percent of the company’s revenue comes from selling personal data.

Minnesota’s Consumer Data Privacy Act (MCDPA) will also come into force, introducing unique provisions such as the right to question profiling decisions that produce legal or similarly significant effects on consumers.

Currently In Effect

  • California: California Consumer Privacy Act (CCPA)
  • Virginia: Virginia Consumer Data Protection Act (VCDPA)
  • Colorado: Colorado Privacy Act
  • Connecticut: Personal Data Privacy and Online Monitoring Act
  • Utah: Utah Consumer Privacy Act (UCPA)
  • Texas: Texas Data Privacy & Security Act (TDPSA)
  • Florida: Digital Bill of Rights
  • Oregon: Oregon Consumer Privacy Act
  • Montana: Montana Consumer Data Privacy Act

Taking Effect In 2025

  • Iowa: Iowa Consumer Data Protection Act (Jan. 1, 2025)
  • Delaware: Delaware Personal Data Privacy Act (Jan. 1, 2025)
  • Nebraska: Nebraska Data Privacy Act (Jan. 1, 2025)
  • New Hampshire: New Hampshire Privacy Act (Jan. 1, 2025)
  • New Jersey: New Jersey Data Privacy Act (Jan. 15, 2025)
  • Tennessee: Tennessee Information Protection Act (July 1, 2025)
  • Minnesota: Minnesota Consumer Data Privacy Act (July 31, 2025)
  • Maryland: Maryland Online Data Privacy Act (Oct. 1, 2025)

Taking Effect In 2026

  • Indiana: Indiana Consumer Data Protection Act (Jan. 1, 2026)
  • Kentucky: Kentucky Consumer Data Protection Act (Jan. 1, 2026)

Common Themes and Variations

While many of these laws share similarities with existing frameworks, such as the California Consumer Privacy Act (CCPA), they also introduce unique provisions that businesses must carefully consider:

    • Data Minimization: Maryland’s law sets a high bar, requiring businesses to collect only data that is “strictly necessary” for providing requested services, especially for sensitive data.
    • Sensitive Data Protection: Several states are placing increased emphasis on the protection of sensitive personal information, often requiring explicit consent for its processing.
    • Universal Opt-Out Mechanisms: Some states, such as Colorado, are mandating the recognition of universal opt-out signals, which could significantly impact targeted advertising practices.

Increased Enforcement And Focus On Sensitive Data

As these new laws come into effect, we’re also seeing a marked increase in enforcement actions, particularly concerning the handling of sensitive data.

State-Level Enforcement

State Attorneys General are ramping up their privacy enforcement efforts, including:

  • Texas is building out what it claims will be the “largest” Attorney General’s team focused on aggressive enforcement of privacy laws.
  • Connecticut’s Attorney General issued reports detailing enforcement activities, including violation notices focusing on privacy policies, sensitive data, and information related to teens.
  • California’s Privacy Protection Agency (CPPA) announced enforcement sweeps in unexpected sectors like streaming apps and connected vehicles.

Federal Enforcement Trends

The Federal Trade Commission (FTC) has also intensified its focus on privacy violations, particularly those involving sensitive data:

  • Health Information: The FTC has begun enforcing the Health Breach Notification Rule, arguing that unauthorized disclosures of health data can constitute a breach.
  • Location Data: In FTC v. Kochava, the Commission argued that the collection and disclosure of location data can constitute an injury under Section 5 of the FTC Act.
  • Sensitive Data Inferences: There’s growing recognition that sensitive information can be derived from seemingly innocuous data, leading to expanded definitions of what constitutes sensitive data.

Implications For Mid-Market Firms

For mid-market firms, these developments present challenges and opportunities. Here’s what business leaders should focus on:

  1. Conduct a Data Audit
    Understanding what data your organization collects, processes, and shares is crucial. Pay special attention to any data that could be considered sensitive under the new laws.
  2. Update Privacy Policies and Notices
    Ensure your privacy policies and consumer notices are clear, comprehensive, and compliant with the new state laws. This may include providing more detailed information about data collection practices and consumer rights.
  3. Implement Strong Data Protection Measures
    With an increased focus on sensitive data, investing in robust security measures is more important than ever. This includes both technical safeguards and employee training.
  4. Prepare for Consumer Rights Requests
    Develop or update processes to handle consumer requests for data access, deletion, correction, and opt-outs efficiently and in compliance with varying state requirements.
  5. Conduct Regular Data Protection Assessments
    Many new laws require businesses to perform data protection assessments, especially for high-risk processing activities. Implement a regular schedule for these assessments.
  6. Monitor Enforcement Actions
    Stay informed about enforcement trends and actions in your industry. Use these insights to proactively address potential compliance gaps in your own organization.
  7. Consider Data Minimization Strategies
    In light of stricter data minimization requirements, review your data collection practices. Only collect and retain data that is necessary for your business purposes.
  8. Prepare for Increased Scrutiny on Data Sharing
    With new restrictions on data sharing and selling, especially for sensitive information, review and potentially revise your data-sharing agreements and practices.

Conclusion

The evolving privacy landscape in the United States presents significant challenges for mid-market firms, but it also offers opportunities to build trust with consumers and differentiate from competitors. By staying informed about new state laws, understanding enforcement trends, and taking proactive steps to enhance data protection practices, businesses can navigate this complex environment successfully.

As we move further into 2025, it’s clear that privacy compliance is not just a legal necessity but a business imperative. Organizations that prioritize data privacy and protection will be better positioned to thrive in an increasingly privacy-conscious marketplace.

Remember, while compliance may seem daunting, it’s an investment in your business’s future. By embracing these changes and building a culture of privacy within your organization, you can turn data protection into a competitive advantage.

Protect Your Business, Your Employees, & Your Customers

GBQ’s Business Technology Services team consists of builders, breakers, operators, and auditors experienced in IT strategy, enterprise risk, cybersecurity, productivity solutions such as data analytics, as well as IT audit and assurance. For more information or assistance with IT strategy, digital transformation, digital risks, cybersecurity, or other IT matters, contact us today.

By Doug Davidson, CISA, Director of Business Technology Solutions

