Annual Update To Your Online Privacy Policy And Terms Of Use Requires Clauses Based On New Laws

Nashville, Tenn. (December 3, 2025) - As 2025 draws to a close, the U.S. privacy landscape continues to evolve rapidly, with significant implications for how businesses handle consumer data and make use of artificial intelligence (AI). This year alone has seen the enactment of comprehensive privacy laws in eight (8) additional states, bringing the total to twenty (20) states with such legislation on the books. These laws impose strict privacy notice requirements that demand immediate attention to any company's public facing privacy policy.

In addition, the need to disclose the use of AI in data processing and user interactions makes updating your privacy policy and terms of use paramount to reduce your exposure to enforcement actions, consumer litigation, reputational harm, and other risks.

In this alert, we outline key developments and provide actionable recommendations for your annual privacy policy and terms of use review.

New Privacy Laws Enacted in 2025

In 2025, legislatures in Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee passed comprehensive consumer privacy laws modeled after the California Consumer Protection Act. These laws grant consumers rights to access, delete, correct, and opt out of the sale or sharing of their personal information while imposing obligations on covered businesses.

A core theme across all these laws is the requirement for a clear and conspicuous privacy notice. These privacy notices must include a variety of required language based on the state laws which apply to the business. NOTE: even if a business is not physically located in or legally incorporated in a state that has a state privacy law, that business may have to comply with the state privacy law due to the data collection patterns of the business in question.

Several of these laws – such as Maryland's and New Jersey's – require disclosures about AI-driven processes and automated decision-making if it impacts consumers.

Incorporating AI Use Disclosures

Beyond state privacy mandates, the integration of AI into business operations – from chatbots and recommendation engines to predictive analytics – necessitates transparent disclosures to mitigate risks under laws like the FTC Act's unfair/deceptive practices provisions and emerging state AI recommendations. Certain states have expanded opt-out rights for AI profiling and some states require disclosures in AI-generated content for advertising and media. The White House's draft Executive Order on AI, circulated this past month, signal potential preemption of state laws but emphasizes voluntary disclosure for high-risk AI uses.

We strongly recommend embedding AI-specific clauses in your privacy policies and terms of use.

Recommended Action Items

As the New Year approaches we recommend the following steps:

1. Conduct a Privacy / AI Compliance Audit: Review your current, public-facing privacy notice and terms of use against the eight (8) new state privacy laws and various AI disclosure laws/best practices.
2. Draft Updates: Incorporate the state-specific notice requirements and AI clauses that your audit deems out of compliance.
3. Vendor Review: Assess the vendors you use to process personal data to ensure they have the required AI compliance and privacy practices to protect the data they process on your behalf.
4. Consult Us: Schedule a call with our team to assist you with tailored guidance for your organizations privacy and AI-use needs and for assistance with any of the above.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.