The seasons are changing, Christmas catalogs are arriving, the clocks have shifted back an hour (in some countries) … yes, the new year is coming. While we don’t advocate for closing the books on 2024 yet (it’s only November, after all!), now is a great opportunity to consider what’s in store for next year. On the privacy front, will there be new regulations? New enforcement? Let’s break down key trends.
In The US: More Laws, More Enforcement
A new administration is likely to bring significant changes, especially at agencies such as the Federal Trade Commission. From a regulation standpoint, we’ll likely see more action at a state level than a federal one:
- More states will adopt their own privacy regulations. This is admittedly a prediction, not a surety, but a handful of states have bills making their way through the lawmaking process. We expect at least one or two to advance and be signed into law next year, further complicating the regulatory patchwork of privacy laws in the US.
- First-time enforcement of newer state laws will cause headaches. Laws that went into effect in 2023 and 2024 may be enforced for the first time in 2025. As we’ve seen from earlier privacy laws, enforcement is a harsh but effective tool for defining key terms (like California’s fine of Sephora defining “selling data”) and the scope of laws. Compliance teams will be busy monitoring enforcement action, which will likely have ripple effects on their relationship with the marketing team and how much leeway they grant marketers to operate in regulatory gray areas.
- Noise (but not necessarily progress) around a federal law will continue. Concerns about how much data is captured by things such as connected cars, along with major security breaches such as the one at Change Healthcare, are driving renewed lawmaker interest in data privacy and security. Even if a federal law passes next year (which is unlikely), there would be a multiyear lag before it’s enacted and enforced.
In The EU: A Focus On AI Investigations
We don’t expect to see any significant changes or updates to existing privacy rules in Europe in 2025. But don’t mistake that to mean the privacy waters are calm. Far from it:
- Data protection authorities will be the real privacy movers, not lawmakers. Data protection authorities’ activity will be more interesting than lawmakers’ next year. With multiple open investigations of generative AI apps (mostly OpenAI), we will likely see some decisions coming — possibly against the providers of genAI models at first but later against companies using customer and employee data to feed, prompt, or otherwise interact with genAI models, as well.
- EU AI Act enforcement will establish clearer safeguards for AI. Enforcement of the new EU AI Act will start in February, initially as a private right of action on certain requirements. But in August 2025, authorities including the EU AI Office and the data protection authorities will start enforcing requirements on general-purpose AI models/systems, and this is something to watch. For full guidance on the EU AI Act, see this report.
- The ePrivacy Directive will continue to stall. The only piece of legislation currently undergoing an update is the ePrivacy Directive (also known as the “cookie directive”), but it has been stuck at the trilogue stage for several months. The European Parliament, Commission, and Council cannot find an agreement on the final draft of the legislation. We believe that the failure to identify a viable alternative to the management of third-party cookies, and of cookies more generally, contributed significantly to the delay in the legislation.
In APAC: Strengthening Laws, Enforcing New Frameworks, And Factoring In AI
The APAC region is poised for significant advancements in data privacy regulations. Here are three key trends to watch:
- Countries will strengthen existing regulations. Long-existing privacy regulations in the region will get important updates in 2025. Australia’s Privacy Act reforms will introduce stronger penalties, new protections for children’s data, and stricter rules for automated decision-making. An update to the Act on the Protection of Personal Information in Japan will implement new rules for biometric data, children’s data protection, a stricter opt-out scheme, and enhanced enforcement mechanisms.
- Newer regulations will be in full enforcement. After the latest Personal Data Protection Law (PDPL) in Indonesia came into enforcement on October 17, the other two newer privacy regulations will follow suit in 2025. India’s Digital Personal Data Protection Act, effective August 2023, and Vietnam’s Personal Data Protection Decree, effective July 2023, will see full enforcement by 2025.
- AI regulation will expand. The EU may have led the way, but as AI technologies become more integrated into everyday life, APAC countries are also updating regulations to address AI challenges. New provisions will be introduced in Thailand’s Personal Data Protection Act in 2025 to regulate the use of AI. These provisions will ensure that AI systems are transparent, accountable, and do not infringe on personal privacy. Updates to China’s Personal Information Protection Law to include specific guidelines for AI technologies are expected to take effect on January 1, 2025.