
Privacy Day Reflections and Predictions

Jake Harrell

Today is Privacy Day! Like many of our privacy colleagues, we have marked the occasion by reflecting on the biggest privacy stories of 2024 and how we think they will shape the conversation around privacy in 2025.  


Here are our Top 3

  1. What role will privacy play in the proliferation of AI regulation around the world?

  2. How will the ever-expanding US state privacy laws, and the eye-popping settlements generated by state privacy regulators, impact businesses in the US?

  3. How will President Trump’s approach to foreign policy affect EU-US data flows?  


Read on for our analysis and recommendations. If you have questions on these or any other privacy or data governance issues, please reach out!


The Beginnings of AI Regulation Around the World


In 2024 we saw the start of a trend that will surely continue in 2025 and beyond: governments around the world attempting to govern the expansion of AI.


The most notable example is the EU AI Act, which became law on August 1, 2024 (with most provisions fully enforceable by August 2, 2026).  But the trend is not limited to the EU.  In the United States, several states have already passed AI legislation (Colorado, California, Utah), while at the federal level Congress has more than 120 AI-related bills under consideration.  Many other countries have similarly already passed AI legislation (e.g., China, South Korea) or have bills working through their respective legislative processes (e.g., Argentina, Brazil, Canada, Chile, India, Japan, Peru, Taiwan).


While most of these regulations are not privacy laws per se, we still see three reasons to consider this the most important development in privacy for 2024:  


  • First, many AI models are used to make predictions or decisions related to individual persons and/or rely on personal data for training, testing, and operation.  Some of the new AI regulations address this fact directly.  Consider Article 10 of the EU AI Act, which imposes strict data governance on such “high risk” systems.  Where new AI laws do not regulate the use of personal data directly, they will have to be interpreted in close parallel to existing data privacy laws.

  • Second, while many governments have expressed an intention to regulate AI, most simply do not have existing functions equipped to enforce such regulations.  We believe existing privacy regulators will emerge as the vanguard for AI enforcement.  There are already signs of this in the EU, where member state DPAs have been very active in the creation of the AI Act, but even more so in countries like Singapore and South Korea, where the local data protection agencies are already using their authority to publish guidance on AI.

  • Third, just as governments lack existing functions to govern AI, so do most companies.  We’re already seeing a trend of companies turning to privacy legal and compliance teams to build their internal AI governance capabilities.  The IAPP 2024 governance survey confirms our observation: 69% of Privacy Officers surveyed said that in 2024 they were assigned responsibility for AI governance.      


While it is too early to assess the wisdom or impact of these new AI legislative efforts, we do already see two positive aspects of the EU AI Act: 


  • The Act takes a risk-based approach, requiring “Fundamental Rights Impact Assessments” for new AI systems (very similar to the Data Protection Impact Assessments required by GDPR) and limiting the regulatory burden in accordance with the risk profile of the system.



We are also encouraged by the trend of relying on privacy professionals for enforcement and building the necessary AI governance.  Privacy is a mature discipline, well practiced in balancing the fundamental rights of individuals against the interests of business and society as a whole.  Moreover, a well-functioning privacy program will already provide the foundational elements needed for good AI governance.


United States: Further Fragmentation at the State Level + Increased Enforcement


The other big story for 2024 was the increased fragmentation of privacy regulation and enforcement in the United States.  


In the absence of a federal privacy statute, states continue to pass their own laws.  Heading into 2024, five states already had their own privacy laws in force (California, Colorado, Connecticut, Utah, Virginia).  By the end of 2024, we had three more (Montana, Oregon, Texas), with eleven more passed and scheduled to go into effect by January 1, 2026 (Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, Rhode Island, Tennessee).


While there are many similarities between these laws, there are also some unexpected differences that may create challenges for companies building multi-state privacy compliance programs.  For example:


  • The definition of “sensitive data” subject to heightened protection varies state by state.

  • Some states define a “sale” of data to be any exchange for “valuable consideration” while others limit the definition of sale to exchanges for “monetary” consideration (see below on California settlement with DoorDash for why this is a very important distinction).

  • And some states have introduced new operational requirements or limitations.  For example, Maryland imposes a data minimization requirement that is more stringent than the norm, and Minnesota’s new privacy law requires the keeping of GDPR-like data inventories. 


In addition to all the new state laws, in 2024 we also saw a significant increase in state-level enforcement activity, especially in Texas and California.  These state AGs are making clear that the days when companies could consider privacy a paper requirement are long gone.  Enforcement is now a very real and very expensive risk.   



  • In California, the Attorney General reached a settlement with DoorDash based on allegations the company shared customer data with a marketing cooperative in exchange for the ability to market to customers of other members of the cooperative.  The AG alleged that DoorDash failed to meet the CCPA disclosure requirements for “sales” of data, even though the company received no monetary compensation from the cooperative. Under the settlement, DoorDash agreed to pay a $375,000 fine and submit to strong injunctive relief, including ongoing monitoring by the California AG.   


We believe this is the last year that a state-by-state approach to US privacy compliance will be manageable.  An integrated approach ahead of the next round of the new state laws coming into effect will help ensure compliance with this increasingly complex patchwork of state laws and enforcement in an operationally pragmatic way. 


Cross-Border Data Transfers - The Impact of Changing Geo-Politics


The third emerging trend from 2024 that we think will shape the conversation around privacy in 2025 is the threat that changing geo-politics pose to the free flow of data across borders, especially from the EU to the United States.


To understand the concern over EU data flows we need to go back to the Schrems II decision of 2020.  In that case, the European Court of Justice invalidated “Privacy Shield,” the then-prevailing legal framework for GDPR-compliant data transfers from the EU to the US.  The Court’s decision was based largely on its finding that US intelligence agencies had access to personal data without sufficient oversight to protect the privacy of EU citizens.  The US and the EU spent three years after Schrems II negotiating a new “Data Privacy Framework” to ensure the free flow of data.  That framework went into place at the end of 2023, and one of its key features was the creation of a US Privacy and Civil Liberties Oversight Board tasked with ensuring that US intelligence agencies did not access EU data inappropriately.


So what happened in 2024 that we think potentially threatens the new Data Privacy Framework and the stability of EU to US data flows in 2025?  First, Donald Trump was re-elected and declared that all Biden-era international agreements would be re-examined.  Then, in his first days in office, President Trump did indeed remove all Democratic-selected members from the Oversight Board, leaving only one Republican appointed member to perform the Board’s duties.     


We will be watching this story develop over the coming weeks.  Will President Trump refill the empty Oversight Board seats or will the Board be dismantled?  If he does refill the seats, will the Board perform its duties in a way that satisfies the European Court of Justice?  If the answer to either of these questions turns out to be “no,” then the Data Privacy Framework may be short-lived.  


Amid this uncertainty, it is a good idea for companies to diversify the pathways they rely on for EU-US data transfers.  This can be done with Standard Contractual Clauses or another of the approved cross-border transfer solutions available in addition to the Data Privacy Framework.  Strong policies that protect EU personal data to a European standard will also be helpful.

