With Inauguration Day just around the corner, we are likely to see a host of new legislative and enforcement initiatives at the federal level. The Federal Trade Commission (FTC) will shift certain priorities under incoming Chairman Andrew Ferguson’s direction. And at the state level, legislatures and state attorneys general (state AGs) will continue to be active, enacting and enforcing a slate of new laws. As we ring in the new year, companies should be mindful of the new laws, regulations, and enforcement priorities that will likely impact them. Below are the top 10 U.S. privacy, cybersecurity, and consumer protection developments to watch out for in 2025:

  1. Comprehensive privacy laws will come into effect, and new ones will be proposed. New privacy laws come into effect in 2025 in Delaware, Iowa, Minnesota, Maryland, Nebraska, New Hampshire, New Jersey, and Tennessee. Congress may also take up privacy legislation at the federal level. Previously, the FTC had proposed to issue a sweeping privacy rule, but based on Chairman Ferguson’s position that privacy legislation is more appropriately within Congress’s purview, the FTC is unlikely to complete this rulemaking. Given the incoming FTC Chairman’s position, President Trump’s support for federal privacy legislation in his first term, and the fact that the U.S. House, Senate, and presidency are under a single party’s control, the time is ripe for Congress to enact a comprehensive privacy law.
  2. Artificial intelligence (AI) regulation and enforcement will be more targeted. Although the incoming FTC Chairman has signaled that he doesn’t want to overly regulate AI, the FTC will continue to hold companies accountable for deceptive or exaggerated marketing claims related to AI. The FTC has brought cases on a bipartisan basis when businesses use AI to inflate ratings and reviews, make unsubstantiated claims about the capabilities or accuracy of the technology, or make deceptive claims about AI’s abilities to promote security or safety. To the extent that federal agencies focus on AI, we expect that they will be focused on practices that run afoul of existing authorities, rather than adopting novel theories of liability that may be perceived as stifling innovation.
  3. States will step up to regulate AI. Absent federal legislation and regulation, state lawmakers will likely be eager to fill the void to address any perceived concerns within the industry. The California Privacy Protection Agency initiated a formal automated decision-making technology rulemaking, with the comment period closing on January 14. Utah’s AI Policy Act, which went into effect in May 2024, requires disclosures when consumers are interacting with certain AI systems. And Colorado’s AI Act, which goes into effect on February 1, 2026, includes transparency, governance, and other requirements on high-risk AI systems, defined as those that make, or are a substantial factor in making, consequential decisions. Companies that develop or deploy AI systems that help make decisions related to education, employment, lending, healthcare, housing, insurance, legal services, or government services would be primarily affected by the requirements of the Colorado law. The law also requires consumer-facing developers and deployers to provide notice to consumers when they are interacting with an AI system, unless it would be obvious to a reasonable person.
  4. The FTC will continue to focus on children’s data. The FTC proposed significant changes to the Children’s Online Privacy Protection Act (COPPA) Rule at the end of 2023, but the amendments to that rule have not yet been finalized. Children’s privacy issues have bipartisan interest, so the FTC will likely issue final amendments to the COPPA Rule in some form. Notably, while the proposed COPPA Rule would allow schools to consent to the use of EdTech services in lieu of parental consent in certain circumstances, the incoming FTC Chairman has stated that he “see[s] nothing in COPPA’s text that limits parents’ statutory right to notice and consent when their children are online at school….” We expect the final COPPA Rule to be significantly different from the proposed Rule announced in 2023.
  5. States will continue ramping up minors’ privacy and online safety legislation and enforcement. Companies that collect information from minors under 18 or have social media features should take note: State legislatures were particularly focused on minors’ privacy and safety legislation in 2024, and we expect the same zeal for this issue in 2025. Indeed, as states begin their new legislative sessions, we have already seen new proposals on this topic. The obligations under each proposal will vary, though some common provisions under the laws already passed include requirements to collect and/or verify age, parental consent requirements, and data collection and usage restrictions. Some existing laws, like the Maryland Age-Appropriate Design Code (Maryland AADC), which largely went into effect in October 2024, require businesses to set privacy-protected defaults for minors using their services. Given the lack of a legal challenge to the Maryland AADC to date, other states may try to pass similar legislation this year. State AGs are likely to continue bringing actions in this space.[1]
  6. Data brokers will be in the federal spotlight. Although the fate of the Consumer Financial Protection Bureau’s rule to address the sale of sensitive personal and financial information by data brokers is uncertain, other data broker requirements will be ripe for enforcement. The recently enacted Protecting Americans’ Data from Foreign Adversaries Act, which prohibits data brokers from sharing sensitive personal information with foreign adversary countries (Russia, China, North Korea, and Iran) or entities controlled by such countries, is now in effect. Typically, when the FTC is charged with enforcement, as it is here, the FTC follows quickly with investigations. Additionally, the Department of Justice’s final rule for Executive Order 14117, which prevents access to bulk sensitive personal data by certain countries of concern and imposes cybersecurity requirements to protect bulk sensitive data, will come into effect.
  7. Cybersecurity enforcement will continue to be a priority, with new regulations finalized for critical infrastructure. We are likely to see a continued emphasis on cybersecurity enforcement from state AGs, and the rapid growth of data breach class actions is likely to continue as well. While there is broad speculation that some federal agencies, such as the Securities and Exchange Commission, may shift their approaches under the new administration, active regulation and enforcement will likely continue from the Departments of Defense, Justice, and Health and Human Services, as well as the Cybersecurity & Infrastructure Security Agency. For example, the Cybersecurity Incident Reporting for Critical Infrastructure Act regulations will likely be finalized, and those regulations will sweep in a broad range of businesses under the umbrella of “critical infrastructure.”
  8. After more than a decade, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule will be updated. For the first time since 2013, the Department of Health and Human Services has proposed changes to the HIPAA Security Rule. The rule aims to augment cybersecurity for electronic protected health information through various revisions to existing language and by requiring additional security controls. For example, the proposed revisions would eliminate the distinction between “required” and “addressable” specifications, require inventories of relevant technology assets, and specify that electronic protected health information generally must be encrypted at rest and in transit.
  9. Regulators will continue focusing on subscription services. Although the FTC’s amended Negative Option Rule faces legal challenges, the FTC has been focused on a bipartisan basis on enforcing the existing Restoring Online Shoppers’ Confidence Act, which requires subscription-based services to provide clear and conspicuous disclosures of negative option features, informed consent, and simple cancellation. California also recently amended its auto renewal law, which would impose many requirements similar to those of the FTC’s amended Negative Option Rule. Businesses operating in California should prepare to comply with these amendments when they become effective on July 1, 2025.
  10. Tracking technology class action lawsuits will continue, though with mixed results for plaintiffs. In 2024, we saw increased class action litigation alleging lack of adequate consent for the use of online tracking technologies under state wiretapping and related privacy laws such as the California Information Privacy Act. We expect this trend to continue and for plaintiffs to continue developing and testing novel interpretations of these laws. The firm’s litigation practice has secured judgments defending clients in similar lawsuits, which may set precedent clarifying the proper bounds for these practices. Still, companies should speak with counsel about how to best implement and disclose their use of these technologies.

Wilson Sonsini Goodrich & Rosati routinely advises clients on data, privacy, and cybersecurity laws and regulations and counsels companies facing enforcement actions. For more information about the developments mentioned above, or any other advice concerning U.S. privacy and cybersecurity regulation, please contact Maneesha Mithal, Chris Olsen, Demian Ahn, Rebecca Weitzel Garcia, or another member of the firm’s data, privacy, and cybersecurity practice.

[1] Wilson Sonsini Goodrich & Rosati routinely counsels companies navigating the complex state minors’ privacy and safety landscape. Members of the firm’s data, privacy, and cybersecurity and litigation practices are happy to discuss how to best help your company navigate these developments. Select client alerts on the topic include: Video Game App Developer Agrees to Pay $500,000 for Children’s and Minors’ CCPA, COPPA, and Ads Violations; New York Legislature Passes a Pair of Bills to Protect Children’s Privacy Online; Maryland Passes Age-Appropriate Design Code (with an update upon the Act’s effective date); State Social Media Law Patchwork Emerging: Florida Passes Law to Restrict Minors’ Use of Online Services; Utah Passes New Versions of Social Media Laws for Minors in Response to Challenges; and Time to Hit the Books for Student Privacy Compliance: College Board Agrees to Pay $750K for N.Y. Student Privacy Violations.