Overview
The act of predicting what will become the dominating storyline of data privacy and cybersecurity in 2025 is a hazardous enterprise, as one is almost sure to get something wrong. Without fail, every year, regulators and the plaintiffs’ bar push data privacy and cybersecurity in a direction that seemed unlikely the prior calendar year. Yet, we are undeterred. After canvassing our global group of data privacy and cybersecurity professionals, below are the topics that we are watching most closely as we kick off 2025. While these may not be the headlines that dominate when we look back after 12 months, we anticipate that companies will have spent significant time in 2025 working through the developments below.
In Depth
WEBSITE TRACKING: MAKE SURE YOU’RE DOING IT RIGHT
As we explained in our recent Cookie Deep Dive webinar, there has been an explosion of enforcement and litigation targeting the use of cookies, chatbots, session replay, and other tracking technologies (collectively, cookies). Regulators in the United States have undertaken extensive investigations and imposed massive fines. Plaintiffs allege that cookies constitute “wiretapping” under archaic laws such as the California Invasion of Privacy Act (CIPA), which permits statutory damages of $5,000 to $10,000 per violation. Given recent CIPA jurisprudence, the trend of more plaintiffs’ firms asserting additional claims and increasing settlement demands is likely to escalate. Fortunately, there was some good news for defendants in 2024. The Massachusetts Supreme Court, in a case argued by McDermott Partner Dave Gacioch, held that Massachusetts’ wiretapping law did not apply to cookies.
To mitigate these heightened risks, clients are focusing more on cookie management while still enabling marketing, analytics, and data monetization. Now is the time to audit practices, document procedures, and make a plan, because we see no end in sight to these risks heading into 2025.
ARTIFICIAL INTELLIGENCE (AI): BECAUSE OF COURSE
There may not have been a bigger story in 2024 than the proliferation of publicly available AI tools. And the race to regulate AI likely is still in its early stages. Generative AI (GenAI) provides incredible capabilities but presents a bevy of privacy and potential security risks. GenAI tools also pose novel issues related to intellectual property rights and data ownership. To fully grasp and balance the potential risks and benefits of GenAI, companies first must understand the types of data being used to train the model and the provenance of such data, and must ensure that the company has the appropriate rights and consents to use that data. Keeping up with the AI curve can feel daunting, but we have developed a series of standard operating procedures, templates, and training materials that can make things less scary. McDermott’s Artificial Intelligence Law Center is a resource for those looking to dig into this cutting-edge issue.
PCI DSS 4.0: IT’S ALMOST HERE!
The Payment Card Industry Data Security Standard (PCI DSS) 4.0 for credit-card processing is fully effective March 31, 2025. If a company accepts credit cards as a merchant, it has PCI DSS and card-brand obligations under its contracts with its bank and any third-party processors. The new 4.0 security obligations are some of the most robust and onerous of any framework, and they will have numerous implications for any company taking, processing, or storing credit or debit card data. Preparing for these changes will require significant time and effort. The transition to the new PCI DSS 4.0 controls involves numerous new workflows, including the need for new policies, processes, and technology solutions. We recently examined how PCI DSS 4.0 will impact digital health and healthcare companies, especially as e-commerce models expand.
There are a number of challenges and obstacles to full PCI DSS 4.0 compliance, including the fact that many companies mistakenly believe that fully outsourcing credit card functions to a third-party payment platform exempts them from PCI DSS obligations. That is not true. If you are not sure about the state of your company’s PCI DSS compliance, now is the time to dig in.
FEDERAL PRIVACY REGULATION AND ENFORCEMENT: WHAT COMES NEXT?
What will the second Trump administration bring? Between chatter of shuttering entire agencies and shifting enforcement priorities, the one thing that is clear is that 2025 will see a change in the way that the federal government approaches its role in the consumer privacy arena.
One development we are watching is what is going to happen with the Consumer Financial Protection Bureau (CFPB). The CFPB recently issued a proposed rule seeking to bring certain data brokers within the scope of the Fair Credit Reporting Act (FCRA). The proposed rule would revise the definitions of “consumer reporting agency” and “consumer report” in Regulation V and modify restrictions on when consumer reporting agencies may furnish, and users may obtain, consumer reports. Comments on the proposed rule are due March 3, 2025, but what will be interesting to see is whether the rulemaking process will continue under the new administration.
STATE LAWS: YOU KNEW WE COULDN’T OMIT THIS ONE
Seven. That was the number of new state consumer privacy laws passed in 2024. That was on the heels of eight new laws passed in 2023. The smart money for 2025 is that there will be another half-dozen states that enact consumer privacy laws as we move closer and closer to a complete patchwork of state consumer privacy laws in the absence of a federal consumer privacy law (the likelihood of which, under Republican control, is low). It can be hard to keep up with all the changes and requirements of the different laws, which is why McDermott has an online resource to help you keep track. Our consumer privacy law map is regularly updated and is a free resource.
Another thing that bears watching, of course, is the progress of the new California Consumer Privacy Act (CCPA) regulations, which are in the public comment period. These proposed regulations are onerous and overbroad, and they seem destined for a legal challenge if they are finalized.
EU DATA ACT: SOMETHING LIKE WE’VE NEVER SEEN BEFORE
Among the EU Digital Package regulations, the EU Data Act is quite likely to be the most challenging to implement. We anticipate that many clients will begin or continue their implementation work streams well into 2025. The three primary obligations of the EU Data Act include:
- The obligation to provide an access mechanism by design and by default and, if technically feasible, to provide users with direct access to their data (Data Act, Art. 3(1)).
- The obligation to provide users with indirect access to their data (Data Act, Art. 4(1)).
- The obligation to provide third parties with data upon request from users (Data Act, Art. 5(1)).
When these obligations become applicable will vary based on a variety of factors, including jurisdiction and product type. However, they will phase in between September 2025 and September 2026. Given this time frame, we anticipate that many companies will focus significant effort on their EU Data Act compliance activities in 2025 if they have not already started doing so.
EU CYBERSECURITY FRAMEWORKS: TIME TO REVISIT PAST PRACTICES
In 2025, businesses operating in the EU will need to focus their cybersecurity efforts on complying with either the Network and Information Security 2 (NIS2) Directive (the cornerstone of the EU legal framework for cybersecurity), the Digital Operational Resilience Act (DORA, a cybersecurity regulation for financial institutions), or the Cyber Resilience Act (a regulation applying to manufacturers of products with digital elements placed on the EU market). This framework imposes, among other things, cybersecurity controls and obligations to report incidents, and it is backed up by potentially heavy fines and, in some cases, personal liability of members of boards of directors.
While the NIS2 Directive became applicable in October 2024, only a handful of EU countries (e.g., Belgium, Italy) have transposed the Directive into their national legal order. In 2025, we expect other EU countries to do the same. The NIS2 Directive covers businesses from a broad spectrum of industries deemed highly critical (such as energy, health, and digital infrastructure) or critical. DORA becomes effective on January 17, 2025, and applies to financial institutions. For both DORA and NIS2, covered entities must implement measures ensuring supply chain security, including supply chain contractual terms with their direct suppliers/service providers.
TAKE A DEEP BREATH: IT WILL (MOSTLY) BE OK
Reviewing the above, it is easy to see how in-house privacy counsel could become overwhelmed. But for (almost) every problem, there is a solution. It begins with understanding whether any of the above laws apply to your business. Most companies already have some cybersecurity measures in place, so the project will inevitably entail conducting a gap analysis. At that point, companies will have to design methods to address and mitigate any existing gaps. McDermott has a variety of toolkits, templates, presentations, and other materials that can help companies address the privacy and cybersecurity challenges that they may face heading into 2025.
If you have any questions or would like to discuss anything contained in this article, contact your regular McDermott lawyer or one of the article’s authors.