Building on last week’s post about trends we saw in 2024, we’re looking ahead to 2025 this week to see what’s coming and what companies need to know now to get ahead.
US State Privacy Laws Effective in 2025
A slew of state privacy laws has already come into effect this year, and we expect 3 more to become effective in the second half of 2025. Here’s a list:
- Delaware Personal Data Privacy Act (effective January 1, 2025)
- Iowa Consumer Data Protection Act (effective January 1, 2025)
- Nebraska Data Privacy Act (effective January 1, 2025)
- New Hampshire Data Privacy Act (effective January 1, 2025)
- New Jersey Data Privacy Act (effective January 15, 2025)
- Tennessee Information Protection Act (effective July 1, 2025)
- Minnesota Consumer Data Privacy Act (effective July 15, 2025)
- Maryland Online Data Protection Act (effective October 1, 2025)
There are bills currently being considered in Oklahoma, Ohio, Michigan, Pennsylvania, and Maine. So, we may see privacy laws being enacted in at least a few of these states in 2025.
We won’t go into the individual state laws in detail, but we will note some general trends across the states.
3 General Trends in 2025 Privacy Laws
Companies Must Honor Universal Opt-Out Signals
A universal opt-out signal allows consumers to set their privacy preferences once using their device or browser settings. This signal is then passed by the user’s device or browser to website operators, who are expected to detect and respect that signal, for instance by opting the consumer out of targeted advertising or certain forms of data collection. Increasingly, state laws are requiring companies to honor these signals, which gives consumers more control over their privacy by allowing them to manage their privacy settings across multiple sites without having to adjust them individually on each platform.
Delaware’s state privacy law requires businesses to start honoring these signals by January 1, 2026. Meanwhile, laws in California and Colorado already require this functionality.
The universal opt-out message will typically request that the website operator does not track the user’s activity across the internet, collect personal data for targeted advertising, or sell the user’s personal data.
The Global Privacy Control (GPC) is a type of universal opt-out signal that has been adopted by Colorado lawmakers as the signal of choice. Honoring the signals sent from the GPC is a good starting point for businesses looking to improve compliance this year.
Expect More User Rights Requests
As more consumer privacy laws come into effect, your company will likely need to respond to an increased number of user privacy rights requests.
If you haven’t already, you should streamline your processes for receiving and responding to these requests.
It’s also worthwhile reaching out to legal counsel to review your obligations under the new state laws, especially if you’ve been relying on exemptions to refuse user requests. Delaware’s new law offers fewer exemptions than similar state laws.
Dark Patterns Generally Banned
With the sole exception of Iowa, all the state laws effective in 2025 prohibit the use of dark patterns to obtain user consent. Given the widespread use of dark patterns over the past decade, the recent lawmaking that prohibits them, and significant enforcement activity, we recommend reviewing your consumer-facing website and marketing to identify and remove any design choices that prompt users to make choices that aren’t in their best interest or, worse, automatically assign those choices to them.
Action Items For Business Leaders
Here’s what to do next to improve your privacy compliance in 2025:
Evaluate Current Consent and Opt-Out Mechanisms
Review existing processes to identify any gaps in how your business handles consumer opt-out requests, especially regarding universal opt-out signals.
Implement Universal Opt-Out Recognition
Prioritize functionality that supports the GPC or comparable signals so users can easily signal their opt-out preferences.
Streamline User Rights Requests
Establish clear procedures for receiving, validating, and responding to user requests regarding access, correction, deletion, or portability of personal data.
Train Internal Teams
Provide education for customer-facing staff, IT, human resources, and legal teams on new data privacy laws, focusing on consistent and timely handling of consumer inquiries.
Assess Consent Flows for Dark Patterns
Conduct an audit of all consumer-facing interfaces to identify designs that might undermine genuine consent or automate consent in ways that confuse users.
Revise User Interface Designs
Replace any questionable elements with straightforward, user-centric prompts that facilitate a transparent and informed choice.
Engage Legal Counsel
Seek expert review of your practices, especially around exemptions your organization currently uses, to ensure continued compliance under stricter laws like Delaware’s.
If you need help getting ahead of this year’s privacy changes, reach out. Our team is available to assist.