Data privacy: 2024 review and 2025 predictions

Before we turn the page to 2025, let’s break down the biggest topics in data privacy this year.

Summary

State privacy laws multiplied relentlessly in 2024 and show no signs of slowing in 2025. The practical advice for most companies is to move toward a harmonized, state-agnostic privacy policy structure rather than maintaining individual state callouts — with specific carve-outs only where legally required. Oregon stands out with a unique right: consumers can request a list of specific third parties that have received their data (excluding service providers and affiliates), and Oregon has been actively sending inquiry letters to companies since the law took effect in the summer of 2024. The broader pattern is that rights vary meaningfully across states and need to be tracked and updated as new laws take effect.

Data brokers and wiretapping were the two biggest enforcement themes of 2024. California’s expanded data broker definition — which broadens the scope well beyond traditional data sellers to include brands that purchase and then sell third-party data — is expected to take effect in April 2025 after administrative law review, with a significant increase in registration fees tied to supporting the California Delete Act. On wiretapping, with roughly 90% of litigation volume concentrated in California, the most effective risk mitigation is a genuine consent defense: a clear opt-in mechanism that accurately reflects what is actually happening on the website, not generic banner language that doesn’t match actual data collection practices.

Two sleeper issues are likely to define early 2025. The age threshold triggering minor-specific consent requirements has expanded in many states from COPPA’s under-13 to under-18, putting brands that actively target teenage audiences in legally uncertain territory with no clear industry standard yet emerging. Separately, many privacy policies still reflect cookie-era disclosure language and haven’t been updated to reflect API-based data sharing with social media platforms — a significant gap relative to current marketing practices.

Enforcement predictions for 2025: increased and visible sweeps from newly legislated states signaling their presence, continued rulemaking, and sustained regulatory focus on the established hot zones of sensitive data, sales, interest-based advertising, and third-party shares.

Transcript

**Colleen:** Hi, Alysa. How are you? Hi. Good to see you. Likewise. Hope you're doing well on this final crunch week before the holidays.

**Alysa:** Oh my goodness. It's how many privacy policies can you turn out in three days? I don't know. We'll find out.

**Colleen:** It's probably our last Privacy Huddle of the year, so might as well do a little recap of the hottest topics. Let's go ahead and dive in starting with state specific laws. Obviously, no shortage of those in 2024. 2025 looks like it will be the same. I would love to hear just as these continue to amass, how are you advising businesses to approach these, whether as a whole, whether by specific state, any best practices or examples?

**Alysa:** Sure. And, obviously, it's gonna really depend on the business and where they're starting from. I think if you go back to early days with just California, companies at that point were — I think a lot of them were just standing up privacy programs, and so their privacy policy might have had a California section or a California, Virginia, Colorado, Connecticut section. I think as we get so many more states, more and more are going into a state agnostic approach. Right? You might have a US states section and try to really harmonize as much as possible. You have to do individual callouts on a few points. Maybe that's an easier privacy policy to just manage and update over time. But you still have some who have a state by state approach, and that's not wrong so long as the devil's in the details and making sure if you're calling out particular states, you don't want to leave out a state that is effective. And they are not all written the same, and the rights are not all the same on some of the key points. And so you just do wanna make sure that you are tracking — I love myself a chart — have your chart that you just keep updating over time so you've got a really good sense on what's right and what needs to be tweaked.

**Colleen:** I'd love to call out the Oregon one specifically. Right? That's a unique requirement with the third party list. What's the gotcha there? What should companies do to make sure they can handle that Oregon requirement?

**Alysa:** Sure. And that one's a big issue because Oregon's been sending out letters to lots of companies. That law went into effect this past year over the summer. Oregonians have the right to request a list of specific third parties. So that is a right that needs to be identified in the privacy policy. You need to think about the privacy portal. So if somebody reads your privacy policy, goes to your privacy portal, how do they see that right, and how can they exercise that right? And then the company needs to provide that right. And the way that Oregon defines it, service providers are not included, affiliates are not included. It largely are the companies that are the recipients of sales and shares and targeted advertising, with maybe a few unique twists depending on the company and the individuals or companies they're sharing with.

**Colleen:** Thanks, Alysa. Speaking of US states, another big issue recently has been data brokers and the future of where these data broker laws are going to go — from back with the California Delete Act to recent CPPA conversations. Alysa, what's the rumor mill saying for how current laws are gonna go, and then are more states gonna adopt things like this?

**Alysa:** So data brokers continue to be in the spotlight. I agree that data brokers are going to continue to be highly regulated. That is not going to change in terms of easing up the requirements. California amended the definition of a data broker. That has not fully gone through the APA process to get filed by the secretary of state. So it's not effective January one. Catch your breath. Ideally, if it goes through the final steps, it should be effective April first. And the definition of what is a data broker got a lot broader. We've talked about this in prior huddles. So that's just a really key thing to look at in terms of the data you append, making sure you're not selling it. And then old information, three years or older, aging customer data, you also wanna make sure you don't trigger the data broker definition that way. But the price for registration, if you are a data broker, went up significantly. And I know some have asked, well, is that price point — are we gonna see that across other states that have data broker registries? I don't think so. The cost was ostensibly to support the Delete Act, which is particular to California. CPPA has rulemaking, so there's an ongoing process to really have those types of changes, whereas you'd need a statutory change for most of the other states. While I think data brokers are gonna be more regulated, I don't see just across the board increases to the cost of registration.

**Colleen:** From a brand or reputation standpoint, what do you think is gonna be the effect from, maybe consumer opinion if an increased number of brands do have to classify themselves as data brokers? Do you think that's gonna have an impact on consumer habits or purchases?

**Alysa:** Well, I think it's a nudge. So what I'm hearing from a lot of companies, if they don't see their business as a data broker, then they're really evaluating the kinds of data that they are getting and what would be onward flows to not trigger the definition of a data broker — to your point because the law changed — rather than say, okay. The law changed. It applies to me this way. I do see behavioral changes if it's not gonna materially be a negative impact to the business to make those changes.

**Colleen:** Another major issue this past year has been wiretapping. No shortage of different lawsuits and variations across states. How do you think enforcement has shifted since this became an issue for brands, and what do you think we'll continue to see into the new year?

**Alysa:** Yeah. So, unfortunately, there's not a silver bullet here unless California and some of the other state legislatures amend their laws. We're gonna see more of these. We're gonna see more case decisions. We've seen some case law that has said you cannot use the wiretap laws of that state like Massachusetts to bring forth those claims. So we could see other court decisions that help give some clarity in particular states. I just think it's about ninety percent of the volume of these is in California. We're gonna wrestle with that. There's — you know — maybe the legislature will amend California's law, but even that — that's a tough hill to climb, and I don't think we should count on it.

**Colleen:** This wiretapping issue has been a major one on the Ketch side with our customers, and they're consistently coming to us for perspective and advice on how technology can help with this. What general advice are you giving to companies just for managing pixels, trackers, tags? How can they approach that in a better way to guard as much as they can against these suits?

**Alysa:** Well, one, nothing is risk free. Right? So the silver bullet to wiretap is having a consent defense. That's an opt in — a clear demonstration of consent. Unlike state privacy laws, wiretap doesn't define what consent means. But at a minimum, you want something to point to to say, have we captured consent? And so that's why we've seen a lot of banners pop up. Now I will also say we've seen a lot of banners pop up with confusing language or language that doesn't really sync with what is happening on the page. So I think the most important risk mitigator is that you understand what is happening on your website and how that relates to the wiretapping claims so that you can make risk based decisions on how you wanna handle that, including if you wanna use a banner, what's the right language, what's the right choice that you wanna present. Sometimes even in your purchase flow or user flow, you have additional opportunities to have some transparency and have somebody agree to the privacy policy with some call outs. So I think there's a variety of things you can do. It's not one easy plug and play. The case law is moving really fast. There's, like I said, a lot of different kinds of claims. So this is a good one to make friends with your outside counsel and have some good strategic discussions and also be able to relay that info to the business so that they know what they're getting into.

**Colleen:** The next one on my list is, I think, a big issue, and I've heard you talk about it as a sleeper issue — this issue of sensitive data specifically relating to teens and minors. This one is becoming confusing and very nuanced for brands with different ages out there of what is a child, what is a minor. What's the latest, and how are you advising your clients to tackle this one?

**Alysa:** So maybe just to zoom out a little bit — I think for a long time, many were certainly familiar with COPPA and under-13 standards, and that wasn't an issue for a lot of businesses because under-13s are not their target audience. And then we had California change it to under-16s. Well, now we have a number of states that redefine that to under-18. And that is a big deal because you have a lot more retailers and brands who in fact are targeting high school teenage users — ad campaigns all around teenage users. And the issue is you need consent if you are dealing with a minor before you collect their personal information. And so you think about most home pages for most brands, it's not opt in consent. And so there's not a really clear answer there. I don't see many companies wanting to raise their hand and go right to an age verification. And so these are conversations to have on how companies are gonna approach. It's a good trade association conversation to have. We don't have standardization, so I think we're gonna see a lot of creative options by companies over this next year.

**Colleen:** That seems like a very challenging answer, to be honest. If I put myself in the brands' shoes, I don't know quite what to do.

**Alysa:** Right. Right. Well, your team's your target audience. And the law in some of these states is a little different. Some of the states have been challenged by courts because it's too loosey goosey — it's my legal term standard — in terms of is it likely to be used by teens, by minors. But I think that's step one, is really thinking about who is your audience, what's the low hanging fruit. Do you have ad campaigns that are all about targeting teens? I think that's very different than thinking about, I don't know, a wellness type product, and maybe there's a possibility that teens might be using. So I'd start with actual knowledge, but I would not finish my analysis at actual knowledge. I would think about some of these other factors.

**Colleen:** Closely related to that is, of course, social media platforms and the data collection related to that. Speaking of the revenue side of the business being involved, couldn't be more pressure today for brands to be present on social media platforms. So how should privacy leaders think about making sure their privacy policies are ready for that kind of presence?

**Alysa:** Yeah. So I think this is another sleeper issue because I think people have the bolt-on part of the privacy policy that's been around for a long time around cookie practices. And for some companies, that might be three paragraphs or more. And yet if you think about the advertising practices with social media platforms, tags and pixels on page are one part of it. But a lot of it now is sharing identifiers in other ways via APIs. And I don't think a lot of privacy policies have been modernized to really speak about digital ad practices and data sharing in the way that a lot of companies are doing it. So I think taking a really good look at what your marketing practices are and the data sharing practices are, and then looking at your privacy policy in terms of who you share with and the categories of information that you are sharing with third parties and really thinking — do we have consistency with what we're doing.

**Colleen:** Well, let's end with one final question. Thank you for that whirlwind. Looking into 2025, your predictions for early in the year — what can we expect to see in the headlines?

**Alysa:** Well, just think — we've had a number of these states that have laws on the books and have been enforced maybe with a lighter touch over the last several years. I think in the first half of the year, we're gonna see an increased enforcement that's visible. I think we're gonna see more sweeps from some of these new states that have new laws on the books just to say, hello. We're here. We saw that — you think about when CCPA was first enacted, we saw California do quite a bit of that. And so I do think we're gonna see more of that. I keep looking at the state attorney general's websites that have privacy laws because we see FAQs start popping up on a lot more of those states. We're gonna see rulemaking. So we wanna definitely watch that and think about what's the risk on enforcement related to some of the new final rulemaking, including amended definitions to the CCPA. So just thinking through all of the big issues — sensitive personal information, sale, interest based advertising, shares. Those, we've already seen those enforced so much in the past. That's not going to change, so I really wanna make sure that my house is in order at least as to those top enforcement issues.

**Colleen:** Thank you for all these nuggets of wisdom and, actually, for all the nuggets of wisdom over 2024. It's been a pleasure having you on the Privacy Huddle, of course, and we will see you in the new year.

**Alysa:** Sounds great. Happy day.
