US Federal Privacy Reform: Will 2025 Be The Year For Comprehensive Action?
In his latest article for AdExchanger, Charles Simon (VP, Private Advertising Standards) explores why a federal privacy law feels more real than ever, highlighting how businesses can prepare for what’s next. While the timeline for change is uncertain, one thing is clear: companies that adapt now to prioritize privacy will be the ones leading tomorrow.
The US will soon have a unified federal government under the incoming administration.
While much of its agenda is unclear and margins in the House and Senate are razor thin, we can expect that the next two years will be relatively business-friendly, deregulatory and somewhat hostile to expansive regulatory regimes.
Indeed, the unexpected resignation of noted researcher and regulator Ashkan Soltani, founding executive director of the California Privacy Protection Agency (CPPA), may be a case of reading the writing on the wall.
It may also reflect a recognition that recent pushes for a comprehensive federal privacy law are finally realizable, even if the resulting law ends up vastly different from the approach that Europe and California have taken.
Two models for privacy legislation
Privacy legislation at the state level in the US has evolved rapidly over the last six years. Laws have been driven by the demands of regulators and their constituents in the wake of scandals like Equifax and Cambridge Analytica. They are also a consequence of Apple and Google’s ongoing war over which of them is perceived to be more private and secure.
Nineteen states have passed comprehensive laws, starting with the 2018 California Consumer Privacy Act and the subsequent California Privacy Rights Act, which mandated the creation of the California Privacy Protection Agency – a de facto Data Protection Authority.
Meanwhile, the 2023 Texas Data Privacy and Security Act (TDPSA) went into effect in July 2024, with its provisions on universal opt-out mechanisms (UOOMs), such as browser-level opt-out preference signals, following in January 2025.
Many provisions of the Texas law stand in stark contrast to California’s regime, although there are some similarities.
Like California, Texas has broadened the scope of regulated personal and sensitive personal data, with “reasonably linkable to an individual” as the new norm for what counts as personal data.
Both have enshrined consumer rights like access and deletion, with stiff penalties for businesses that fail to honor those rights or misuse personal data. Both have imposed GDPR-like controller/processor distinctions, defined what constitutes a sale of personal data along with the obligations of the parties to it, and instituted broad opt-out requirements for targeted advertising.
But that’s about where their similarities end.
California’s laws hew to the European model, mandating the creation of the CPPA and imposing highly prescriptive requirements for everything from disclosure to business documentation. (See the “Do Not Sell My Personal Information” links in the footers of major websites.) California also allows a private right of action (PRA) in the case of a data breach.
Texas’ legislation, on the other hand, is much more traditional: enforcement rests solely with the attorney general, businesses have flexibility in how they design their compliance, and PRAs are precluded. It adds a focus on children’s data, including a prohibition on its use in targeted advertising.
With Texas Senator Ted Cruz set to take over as Chair of the Senate Committee on Commerce, Science and Transportation in 2025 – the very same committee associated with the American Privacy Rights Act – it is the TDPSA that federal legislation will most closely resemble.
A federal privacy law – really?
But how close are we really to a federal privacy law?
For one thing, state laws are coming under increased opposition. A pair of 2024 vetoes by the governors of Vermont and California, each justified as necessary to avoid harming business, has shaken the state-level privacy movement.
The US Congress, meanwhile, has flirted with comprehensive privacy measures but ultimately failed to pass them, as with last session’s American Privacy Rights Act, which foundered on demands for stronger provisions and on electoral gamesmanship. But these federal failures have taken place at times of divided government. With the elections behind us and a unified federal government ahead, the future of privacy policy is coming into sharper focus.
Contrary to many first-blush analyses, and reinforced by the success of state laws like Texas’, there is now a real shot at federal privacy legislation that levels the playing field and simplifies compliance.
Such legislation will almost certainly maintain the opt-out status quo for nonsensitive categories of personal data, provide enhanced notice requirements and universal consumer rights, preempt state laws and ease the current burden of patchwork compliance. It will also preclude private rights of action for all but the most negligent practices.
And while the Federal Trade Commission will be given enforcement authority for such a law, the historically deregulatory tendencies of this Congress, as well as the President’s newfound focus on efficiency, suggest designated safe harbor entities are a real possibility. In that case, self-regulatory organizations (think FINRA’s relationship to the SEC) are likely to see renewed relevance.
While such a bill won’t win the US an adequacy decision under the GDPR, companies of all shapes and sizes should be ready to support it. Neither the internet nor legal teams work on a state-by-state basis. Enhanced user rights with a decreased cost of compliance is a win-win.