2025 Data Privacy Updates
New State Data Privacy Laws Effective in 2025
Are your data privacy policies up to date? In 2025, new data privacy laws will take effect in eight states. Of these, five state privacy acts became effective this month. The new statutes and 2025 effective dates are listed below.
These eight states join California, Colorado, Connecticut, Montana, Oregon, Texas, Utah, and Virginia to make up the 17 states with comprehensive data privacy laws in effect by October. In addition, the Massachusetts Safeguard Regulation of 2010 remains in effect. On January 1, 2026, three more states will join their ranks: Indiana, Kentucky, and Rhode Island, having passed data privacy legislation in 2023 and 2024.
Importantly, of the 18 states that will have comprehensive data privacy laws or regulations this year, Massachusetts, Nebraska and Texas have the lowest applicability thresholds. To be subject to the requirements of any of these three states, one need only “conduct business” in, and process the data of one consumer within the state, although Nebraska and Texas provide an exemption for small businesses as defined by the U.S. Small Business Administration (SBA). Moreover, Massachusetts includes “employee” in its definition of “consumer.” Businesses with a national reach, particularly those that conduct transactions online, are advised to comply with the privacy laws of all three states as a pre-emptive measure.
Given the rapid rate at which the state privacy landscape is evolving, it is more important than ever to remain vigilant about compliance. Now is a good time for companies to revisit their data privacy policies and related notices. We recommend conducting periodic reviews to ensure that policies remain up to date not only in light of changes in the law, but also to reflect any changes in companies’ practices.
European General Court Issues Data Transfer Decision Against the European Commission
On January 8, the European General Court rendered a decision against the European Commission regarding the use of a Facebook login function to access a Commission-controlled website. The Court found that personal data was transferred when the website unlawfully collected the user’s IP address along with browser and terminal information through the Facebook portal. Although the monetary award was only €400, the decision is likely to have far-reaching precedential effects.
According to the Court, the Commission “neither demonstrated nor claimed that there was an appropriate safeguard, in particular a standard data protection clause or contractual clause” that would have rendered the transfer lawful. Data privacy experts noted in particular that this decision confirms that a company may be held responsible for using third-party tools that collect and transfer IP addresses illegally. Practitioners are emphasizing the need to establish appropriate safeguards.
Experts are similarly concerned that the Court’s monetary penalty for the “non-material damage” caused by this single transfer could expand exponentially in the context of class action lawsuits, as well as incentivize potential applicants to seek monetary damages for claims of dubious merit.
The Commission may appeal the decision to the Court of Justice of the European Union.
More information is available here.
The Court’s decision is available here.
These are only general summaries of the topics, and are not legal advice. Please do not hesitate to contact us if you have any questions or concerns.