2025 Privacy Program Blueprint: Evolving Beyond the Privacy Policy


The fifth anniversary of the effective date of the California Consumer Privacy Act (CCPA) arrives in January 2025. As we approach the end of another year filled with evolving privacy laws in California and twenty other states, now is the time for a critical review of your privacy policies and practices. To borrow a line from one of my favorite artists, “What a long, strange trip it has been [in 2024]”, and 2025 looks to be just as volatile from a privacy perspective.

By now you have developed a process to track new laws and ensure compliance with the various, and sometimes conflicting, rules and regulations. As the landscape continues to shift, it is not only important to keep pace with changing laws, but also to build a privacy program based on assessments of how your company collects, processes, shares and stores personal data of consumers, employees and job applicants.

Privacy programs are essential for maintaining compliance, demonstrating accountability, and managing risks — such as regulatory, reputational, and litigation — arising from data privacy breaches, consumer complaints, or regulatory oversight. Programs also promote consistency and show a level of maturity that can reduce regulatory risks, should your company be investigated or subject to an enforcement action.

Several major updates are on the horizon for 2025 and beyond:

  • New Notice Requirements: Some states now impose more stringent transparency obligations, mandating clearer disclosures around data collection and processing, particularly where AI is involved, courtesy of Colorado and California.

  • AI Disclosure Penalties: $5,000 per day, courtesy of California.

  • Possible Whistleblower Protections: A bill has passed both houses in California and is sitting on the Governor’s desk.

  • New Small Business Exemption Triggers: Maryland’s new Online and Digital Privacy Act (MODPA) departs from the majority of states, which exclude small businesses based on a national revenue screen (e.g., $25 million). Maryland’s small business exemption is different. As of October 1, 2025, your business will need to determine if the threshold is met by counting customers, and evaluating if they are Maryland residents, whether or not they purchased anything.

  • Prohibition Against Sale of Sensitive Personal Data without Prior Consent: Again, this is a new requirement implemented by Maryland.

  • New Types of Regulated Data: Definitions of “Neural Data” were adopted by California and Colorado in 2024.

Whether you transact business exclusively online or augment your brick-and-mortar sales in some or all fifty states, these updates are likely to affect the text of your privacy policy. What is even more likely, however, are the profound changes these laws will continue to inflict on your business operations.

FAQ 1: You've navigated the maze of new laws, sorted out which changes apply to your business model, and adapted the language of your outward-facing privacy policy accordingly. What’s next?

ANSWER: It’s time to turn your focus inward and consider how these regulatory changes impact your business operations. The next step is to look at your internal workflows, data management systems, and employee protocols to see if they have been affected by regulatory changes.

FAQ 2: Are you aligned not only on paper but in practice? How has your business evolved since your last privacy policy update?

ANSWER: Here are examples of organizational triggers to consider:

  • Have you introduced new products or made significant changes to existing products?

  • Does your business collect, process or sell sensitive personal data (e.g., ethnic origin)?

  • Are your privacy disclosures still accurate?

  • Have you made any changes (e.g., automation) that affect how your consumer requests are processed?

  • Have you updated your employee and job applicant notices?

  • Did your company hit $25 million in national revenue or serve 35,000 customers in Maryland?

  • Did marketing, HR or some other business unit procure a new analytic tool that leverages personal data or AI?

  • Are your de-identification practices enough to avoid consumer privacy restrictions?

  • Have you accounted for all tools that leverage AI and personal data?

  • Do your vendor contracts protect consumer and employee personal data?

  • Were there any significant organizational changes in the past year (e.g., reorganizations, mergers, integration activities)?

Indeed, there are many factual questions you will need to investigate in addition to implementing changes in law. Your assessment of these questions can help tailor a dynamic privacy program to monitor these types of business triggers. We are here to help you navigate complex regulations, provide program recommendations, draft policies and contracts, and ensure your business remains current, compliant, and aligned with both new laws and your ongoing evolution. Let us know if we can help.

Elaine Critides elaine.critides@pierferd.com


This publication and/or any linked publications herein do not constitute legal, accounting, or other professional advice or opinions on specific facts or matters and, accordingly, the author(s) and PierFerd assume no liability whatsoever in connection with its use. Pursuant to applicable rules of professional conduct, this publication may constitute Attorney Advertising. © 2024 Pierson Ferdinand LLP.
