What should privacy and cybersecurity practitioners and specialists consider after the 2025 inauguration? There are a few notable issues that may shape how businesses think about their privacy and cybersecurity programs:
- A comprehensive federal privacy law is possible but unlikely. A GOP-led White House and Congress will have an opportunity to pass a federal privacy law. Historically, Republicans have taken a much more industry-friendly approach to privacy, expressing concerns that more stringent laws will stifle business innovation. (For example, the American Privacy Rights Act failed over GOP objections, even though it had been stripped of certain civil rights protections in favor of business interests.) However, a law that would preempt state laws like the CCPA is likely to run into the buzzsaw of the Senate filibuster, which Senator McConnell has promised will stay intact (despite current pressure from the president-elect). Those hoping for a federal privacy law should be skeptical: despite numerous attempts, Congress has found passing such a law difficult even after reaching significant legislative compromise.
- Other federal initiatives in privacy will continue to be pursued. GOP congressional members have been vocal in their aim to preserve American competitive advantages in tech against Chinese competition and to curtail Chinese efforts to mine data from the U.S. Congress has also successfully made bipartisan efforts to increase protections for children online. While a comprehensive privacy law may be difficult to achieve, Congress may continue to do what the U.S. has done best in this space: keep adding patches to the privacy patchwork.
- As always, the states will likely move privacy and cybersecurity laws and enforcement forward. As of this writing, twenty states have enacted comprehensive privacy laws. While there are important differences between them, the points of convergence are important for U.S. businesses: they define personal information broadly, create more stringent protections for so-called "sensitive data" (such as biometric information), impose contractual and risk assessment requirements, and provide for individual privacy rights. They are typically enforceable only by state attorneys general, omitting private rights of action. So long as Congress remains unable or unwilling to pass comprehensive legislation, this number will increase, as will enforcement. Businesses should keep a close eye on how laws are enforced to learn state priorities and what kind of conduct is likely to lead to investigations and fines.
- Federal agencies are likely to step back from rulemaking and enforcement. While the FTC does not have general rulemaking authority in the privacy realm, it has consistently been a powerful privacy enforcer. For its part, the SEC promulgated in 2023 a comprehensive set of cybersecurity rules for regulated businesses. However, the Supreme Court's decision in Loper Bright, coupled with an incoming administration hostile to agency action, is likely to weaken both rulemaking and enforcement efforts in this space, especially if they are seen to stifle business activity.
- Global privacy and cybersecurity developments will continue to impact U.S. businesses. The EU/UK GDPR continues to set the global benchmark in privacy. Since it became effective in 2018, the GDPR has been the model for privacy laws in U.S. states and in countries such as China and Brazil. The EU GDPR is also well enforced: member state enforcement authorities have issued €4.2 billion in fines over the past six years. The EU is further poised to consider a set of procedural regulations that would, among other things, impose more coherence across member states in enforcement. Changes in the GDPR and in global laws will continue to affect U.S. businesses and shape overall expectations regarding best practices, regardless of what happens in U.S. law.
- AI, AI, AI. Whatever may happen with privacy law, the continued adoption of AI tools will impact much of organizational data management. These tools implicate not only privacy and cybersecurity concerns but also questions around intellectual property, data ownership, and safety. Again, even if legislation in the U.S. is anemic in this space, the EU has already passed a comprehensive regulation that will likely shape U.S. business behavior.
What does all of this mean for U.S. businesses? At a glance, businesses can likely expect more continuity than disruption in the continued development of privacy laws and practices. While agency enforcement may very well wane during the Trump administration, the fragmented global framework and the global nature of business will make it nearly impossible to escape global trends converging on common privacy compliance themes. Treating personal data processing as a matter requiring strong internal governance and risk management will continue to put businesses in the best position possible to weather the current unpredictability of U.S. federal law.
Originally published 11 November 2024