Data Privacy: Plenty of Legislative Activity in 2025

This Wilson Sonsini memo makes some predictions about U.S. privacy, cybersecurity and consumer protection legislative and regulatory activity in 205.  This excerpt says that we will see a lot of state data privacy legislation come online during the new year, and that while we shouldn’t hold our breath waiting for the FTC to adopt its proposed privacy rule, we may see some action from Congress:

Comprehensive privacy laws will come into effect, and new ones will be proposed.  New privacy laws come into effect in 2025 in Delaware, Iowa, Minnesota, Maryland, Nebraska, New Hampshire, New Jersey, and Tennessee. Congress may also take up privacy legislation at the federal level. Previously, the FTC had proposed to issue a sweeping privacy rule, but based on Chairman Ferguson’s position that privacy legislation is more appropriately within Congress’s purview, the FTC is unlikely to complete this rulemaking. Given the incoming FTC Chairman’s position, President Trump’s support for federal privacy legislation in his first term, and the fact that the U.S. House, Senate, and presidency are under a single party’s control, the time is ripe for Congress to enact a comprehensive privacy law.

On the AI front, the memo says that federal agencies are expected to focus on practices that run afoul of existing precedent, instead of looking to adopt novel theories of liability that may be perceived as stifling innovation in AI. However, it says in the absence of federal legislation and regulation, state lawmakers will likely be eager to fill the void to address any perceived concerns within the industry.