The legal landscapes for privacy and cybersecurity continue to evolve rapidly, presenting both challenges and opportunities for innovative companies. Indeed, 2024 was a busy year, with the enactment of a number of new federal and state laws covering protections for personal data, enhanced data breach notifications, AI regulation, and more.
Against this backdrop, partners Michael Sussmann and Ana Razmazma, counsel Sari Ratican and Melanie Jolson, and associate Brent Tuttle discussed their “Top 10 Privacy & Cybersecurity Must-Knows for 2025.”
Here are the key takeaways from their discussion:
- New comprehensive state privacy laws create new compliance requirements. From January 1, 2025, through January 1, 2026, 11 new comprehensive state privacy laws will take effect, joining nine already in existence prior to 2025. Most have similar baseline requirements regarding privacy notices, consumer rights, and data protection assessments. However, Maryland is an outlier with particularly stringent requirements, including strict limitations on data collection and use.
- The evolving legal framework brings new obligations. Companies face enhanced requirements around data protection, breach notification, and vendor management. Notable changes include expanded definitions of personal information and stricter timelines for breach reporting.
- Consumer health data laws demand special attention. States continue to implement dedicated consumer health data privacy laws, such as Washington State’s My Health My Data Act, which go beyond the scope of HIPAA. These laws cover a broader set of health-related information, including wellness data, reproductive data, and information from health apps and devices. Companies collecting any health-related consumer data should carefully evaluate their obligations under these new frameworks.
- Reproductive healthcare privacy takes center stage. The Department of Health and Human Services’ Office for Civil Rights has implemented new requirements for protecting the privacy of reproductive healthcare information. Organizations handling such data must update their Business Associate Agreements, privacy notices, and training, and must implement specific attestation requirements for data sharing.
- Critical cybersecurity threats demand vigilance. “Info-stealing”—primarily via phishing and supply chain attacks—remains the primary threat to companies, while the growing sophistication of state-sponsored threats continues the arms race between attackers and defenders. Organizations should focus on fundamentals like multi-factor authentication and patch management, early detection, and rapid and effective response.
- Wiretapping laws impact digital technologies. There has been a surge in privacy litigation based on federal and state wiretapping laws and directed at companies using chatbots, session replay tools, pixel tracking, and similar technologies. To stay out of the plaintiffs’ attorneys’ crosshairs, companies need clear consumer disclosures and other user consent mechanisms.
- AI regulation through existing privacy laws. Current privacy laws already regulate artificial intelligence as it relates to the processing of personal information including, without limitation, through transparency requirements, requirements around certain profiling activities, and consumer rights. Companies must ensure their AI activities comply with these existing privacy frameworks.
- AI risk disclosures in corporate filings require increased attention from organizations as they draw greater scrutiny from regulators. Organizations must carefully balance messaging around the innovations AI may be able to produce with accurate representations of their AI capabilities. Risks associated with the use of AI must be accurately disclosed in annual Securities and Exchange Commission filings. Note that the SEC has demonstrated its commitment to addressing “AI washing” through enforcement actions.
- Enhanced due diligence in transactions. Investors and acquirers are scrutinizing vendor contracts and data protection practices more closely than ever. Companies should closely track where third-party data is going, and they should maintain comprehensive vendor management programs with strong contractual protections in place for all vendors and service providers.
- Children’s privacy protection expands. State consumer privacy laws are extending privacy protections beyond the Children’s Online Privacy Protection Act’s under-13 threshold, with some regulations covering the personal information of minors up to age 18.
Learn more about Fenwick’s privacy and cybersecurity practice and register here to watch our other 2025 CLE webinars on-demand (self-study credit available).