.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
5 Privacy Trends for 2025: What to Watch For
Heraclitus said that “The only constant in life is change,” but...
Read Now
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
Heraclitus said that “The only constant in life is change,” but privacy professionals don’t need to turn to ancient Greek philosophy to grasp this concept. We can just use our eyes and observe our colleagues, industry, governments, and world. Data privacy is constantly changing, and 2025 won’t be an exception.
Knowing that data privacy is changing and knowing how it’s changing, however, are two very different things.
Here at Osano, we’re lucky enough to interact with a great many privacy professionals, businesses, and thought leaders in different industries and countries. As a result, we have a unique vantage point over the privacy landscape. Here's what we expect to see in 2025.
1. Goodbye Chief Privacy Officers; Hello Multi-Hyphenates
When the GDPR went into effect in 2018, many organizations believed that it would lead to the creation of a relatively new role—the privacy professional.
There are certainly enough responsibilities associated with privacy compliance to justify the creation of this role. At the same time, it’s true that privacy is a multi-disciplinary domain; there is virtually no element of the business that isn’t impacted by or relevant to data privacy.
Businesses are waking up to the efficiencies that can be gained by treating privacy as a holistic, cross-functional responsibility. New innovations, like AI, are adding to the privacy professional’s book of responsibilities as well. As a result, organizations are forgoing purely privacy-focused CPOs in favor of cross-functional, multi-hyphenate roles.
We explored this trend when Osano CEO Arlo Gilbert interviewed Google’s most recent CPO, Keith Enright, on an episode of The Privacy Insider podcast. Since Enright left, Google has not backfilled the role.
Other major organizations like Mastercard, Zoom, and IBM are tweaking their CPO roles to package them with new AI responsibilities and other compliance domains.
According to the International Association of Privacy Professionals (IAPP), over 80% of privacy professionals gained responsibilities in 2024 alongside their existing privacy day jobs. In 2025, we expect this trend to continue and perhaps even intensify as best practices around AI management mature.
Maybe you’re soon to be a Senior Head of Privacy, Trust, GRC, AI, and Other Acronyms as Applicable?
2. AI Regulation Builds Up Momentum
In the 2000s and early 2010s, personal data processing was a bit like the Wild West. It took until 2016, with the adoption of the GDPR, for legislatures to become aware of the dangers associated with unrestricted collection and processing. After the GDPR went into effect in 2018, the need for modern comprehensive privacy protections became clear to the rest of the world.
Legislatures don’t appear to be making the same mistake with AI. When ChatGPT came out in late 2022, regulators were off to the races, acknowledging the danger that LLMs and other novel AI technologies could pose to citizens and their rights. In the intervening years, new regulations and laws around AI have been released. In 2025, we expect this momentum to continue, and more businesses will have to contend with new requirements.
As of this writing, six American states have some kind of AI regulation in effect, with three more in the works. Colorado’s AI Act (CAIA) is among the most comprehensive. Although it goes into effect in early 2026, developers and users of AI systems will likely need a long runway to prepare for compliance.
Like the CAIA, the EU’s AI Act enters fully into force in 2026. However, elements of the law go into effect over the course of 2025 as follows:
- Prohibitions on AI systems that pose unacceptable risks take effect on February 2, 2025. These are systems that are simply too risky to deploy and are banned outright, including social scoring, biometric categorization systems, and untargeted scraping of facial data.
- Requirements for general-purpose AI models take effect on August 2, 2025. Among other requirements, developers of genAI will be obligated to assess and mitigate systemic risks, provide ample documentation on things like training data, provide adequate security, and more.
3. Our Bet: The Majority of States Will Have a Privacy Law; We Won’t See a Federal Privacy Law
Seven states passed comprehensive data privacy laws in 2024 and in 2023. If that pace continues in 2025, we could see 26 out of 50 states with their own privacy law. With more than half of US jurisdictions covered by a privacy law, it’ll be increasingly likely that businesses will be subject to at least some of these laws.
This explosion in state data privacy regulation also implies the implosion of a federal data privacy law’s prospects. As we’ve seen with proposed legislation like the APRA and ADPPA, states like California don’t want a weaker federal bill that essentially downgrades the privacy protections it offers to its citizens. The more states that have skin in the game, the less likely a nationwide law will be passed.
This isn’t ideal for businesses, as compliance with a single law would surely be easier than complying with potentially dozens. Check out our guide to US data privacy laws for a state-by-state overview.
4. SRRs Take Center Stage
2025 may very well be the year of subject rights requests (SRRs).
The IAPP reports that in 2023 (the latest year for which they have data), the average organization received around 3,000 SRRs. In North America specifically, that figure jumped to around 3,500.
To be fair, this figure is drawn from a sample of organizations employing IAPP members and is therefore biased toward organizations with enough privacy responsibilities that they employ a privacy professional. Nevertheless, with eight new data privacy laws coming online in 2025, more organizations are going to be on the hook for SRR response.
Not only do more laws mean more organizations must honor SRRs, but they also translate to more consumer awareness. When residents in a newly covered jurisdiction hear about their new rights or the enforcement priorities of their state’s Attorney General, some portion will decide to exercise their subject rights.
As new laws come online, consent management will be important as well. However, more organizations understand the need for consent management (at least superficially). Seeing cookie banners on every website lends a lot to that awareness. In contrast, SRRs happen behind the scenes. Thus, it’s likely a number of organizations will be surprised by and unprepared for their new responsibilities to data subjects.
5. As Always, Regulatory, Sectorial, and Private Enforcement Is on the Rise
As we covered earlier, eight new laws are coming online in 2025—and we can expect the attorneys general in those jurisdictions to show that they’ve got bite to match their bark. That will certainly be the case with California and Texas.
The California Privacy Protection Agency (CPPA) has announced a number of investigatory sweeps in 2024, and there’s every reason to expect that to continue in 2025. The state is also the only jurisdiction in the US (thus far) to issue financial penalties for non-compliance with its comprehensive data privacy law, the California Consumer Privacy Act (CCPA; Sephora in 2022, DoorDash in early 2024, and Tilting Point Media in mid-2024).
While Texas hasn’t issued any enforcement actions under the Texas Data Privacy and Security Act (TDPSA) as of this writing, the Texas Attorney General’s office has been very vocal about its intention to do so. The Texas Attorney General, however, has secured a settlement against an AI company for deceptive trade practices and issued a penalty against TikTok under the SCOPE act, which protects children’s data.
In terms of private enforcement, the plaintiff’s bar has repurposed the VPPA and various wiretapping laws to go after companies using tracking pixels on their websites. California, Arizona, and Florida are particularly known for such wiretapping cases.
While this line of litigation has been very popular in 2024, it may become a degree less common, at least in Massachusetts, where the state Supreme Court ruled that the Wiretap Act does not cover website tracking technology. This ruling could influence other courts in the coming year—if not, we can expect more lawsuits of this nature.
Last but not least, we can expect GDPR enforcement to continue apace. As of November 2024, there have been over 5.3 billion euros in GDPR penalties spread out over more than 2,200 fines.
Prepare for These Changes with Osano
Whether you’re a seasoned privacy pro or just had privacy tacked onto your list of responsibilities, meeting the challenges these trends present won’t be easy.
If, like many professionals, you’re finding your scope expanding, you’ll need a solution that automates tedious privacy tasks—that way, you can develop a holistic strategy across your responsibilities without having to worry about, for example, the nitty gritty of each privacy impact assessment.
And if AI is among those new responsibilities, solutions for consent and notice management will be especially important. For now, there isn’t a reliable way to exercise the “right to be forgotten” for data ingested in an AI model, making it all the more important that consumers know when and where their data interacts with an AI system.
Your organization may be subject to the new laws coming into effect in 2025 as well. Solutions like Osano have regulatory knowledge baked into their functionality, helping you keep track of multi-jurisdictional requirements. That includes subject rights management, which we predict will be especially challenging in 2025.
Osano solves for these problems and more, and it’s the only data privacy platform to come with a “No Fines, No Penalties,” guarantee. If a penalty for non-compliance should come your way, we can help make it sting a little less. Schedule a demo today.
