
As the years go on, the privacy landscape just gets more complicated—2025 is no exception.  

As a data privacy software provider, we understandably field a lot of questions about new privacy developments, regulatory requirements, compliance, consumer rights, and more. That was certainly the case during our recent webinar, 2025 Privacy Law Preview: Be Prepared. During the webinar and throughout the course of recent months, we've received dozens of questions about 2025's data privacy laws. Here are our answers to the most frequently asked.

1. How do PIAs change based on their scope? What's the difference between a large scale, project-wide PIA, and a small scale, tactical PIA? When should one or the other be conducted?

Small- or large-scale PIAs effectively have the same purpose: to document and identify privacy risks in the early stages of a project or initiative (no matter the size) to better equip organizations to mitigate or minimize those risks. Whether your project is large or small, the PIA should include the following:  

  • The purpose and scope 
  • The data collected 
  • How the data will be used 
  • Whom the data will be shared with and why 
  • What protections will be in place 
  • What rights the data subject may have 
  • Mitigation measures 

When evaluating a new large project in its entirety—across various systems that involve many stakeholders, departments, etc.—the PIA will need to be robust by default to ensure you are accounting for all of these aspects, particularly what systems process what data and for what reasons. Each system within the PIA will need to be considered.  

A smaller scale PIA could be used when conducting minor project updates, specific system implementations, or when a singular privacy concern is raised regarding some process in that project. 

2. When do I need to perform a risk assessment under the CCPA? What data is covered, and what data is exempt from CCPA assessment requirements? Are there any example assessments or templates I could look at?

A risk assessment should be conducted when the processing of a consumer's personal information (including sensitive and non-sensitive personal information) presents a significant risk to the consumer's privacy. The California Privacy Protection Agency (CPPA) describes what constitutes significant risk here.

The assessment should always be done prior to the initiation of that processing. Note that there are additional requirements around automated decision-making training and technology. 

If you want to learn more details about assessments, like what activities require an assessment, what assessments should include, and more, check out the CPPA Draft Risk Assessment Regulations Fact Sheet.

3. What does it mean that some laws treat third-party cookies as a "sale" of personal information? 

Some laws treat the use of third-party cookies as a "sale" of personal information because it means that the transfer of personal data to third parties is in exchange for some form of value. Even if no money changes hands, the exchange of data for services (like targeted advertising) can be considered valuable consideration.

4. How can I become compliant with UOOM requirements?

Generally, you can follow these steps to improve your compliance with requirements around universal opt-out mechanisms (UOOMs). However, be sure to review the specific law and work with your counsel and internal experts. 

  1. Update Privacy Policies: Ensure that your privacy policy clearly states how your business handles UOOM signals and the rights consumers have regarding their personal data. 
  2. Implement Technical Solutions: Integrate tools and protocols that facilitate UOOM compliance, such as a consent management platform. These tools help automate the process of recognizing and honoring opt-out signals.
  3. Train Staff: Educate your team about UOOM requirements and the importance of respecting consumer privacy preferences. This includes understanding how to handle data subject requests and ensuring compliance with relevant laws. 
  4. Regular Audits and Updates: Conduct regular audits to ensure ongoing compliance with UOOM requirements and update your practices as necessary to align with new regulations. 

5. What is the current state of data broker laws and requirements in the US?

Data brokers raise significant privacy concerns because they aggregate, buy, sell, and disclose billions of consumer data points, including personal data, to create detailed profiles of individuals for commercial purposes.

Currently, data brokers are not covered under the regulations in place. Several states (five as of this writing) are closing the gap in the regulations by passing data broker laws: 

Data brokers pose a significant concern for consumers whose data may be unwittingly processed without their consent or even awareness, so we would imagine this trend of broker-specific laws and regulations to continue. 

6. Why should I conduct a data mapping exercise/inventory? Which laws require these activities, and where should I start?  

Most laws do not specifically call out data mapping, but rather require other activities (e.g., data inventories, assessments, record of processing, and subject rights requests) that are very hard to achieve in a compliant and efficient manner without having your data mapped out. 

If you’re curious about how to get started with data mapping, we recommend reviewing our data mapping 101 guide.  

7. What is the difference between data- and entity-level exemptions?

Entity-level exemptions apply to the entire organization. If an entity qualifies for an entity-level exemption, it means that the entire business is exempt from complying with certain privacy laws. 

For example, financial institutions regulated by the Gramm-Leach-Bliley Act (GLBA) or healthcare providers regulated by the Health Insurance Portability and Accountability Act (HIPAA) often benefit from entity-level exemptions in various state privacy laws. This means the entire organization is exempt from certain privacy law requirements. 

Data-level exemptions apply only to specific types of data within an organization. Even if certain data is exempt, the organization as a whole must still comply with the privacy law for other types of data. 

For instance, under the California Consumer Privacy Act (CCPA), financial institutions may have a data-level exemption for GLBA-covered consumer financial information, but they still need to comply with the CCPA for other types of personal data.

8. How do these laws treat non-profits?

Many laws exempt nonprofits—but not all. The following US privacy laws do not have exemptions for nonprofits:  

9. What is the definition of "pseudonymous" data? How do these laws treat pseudonymous data?

Pseudonymous data has been processed in such a way that it can no longer be attributed to a specific individual without the use of additional information.

In general, many US privacy laws and the GDPR recognize pseudonymization as a valuable data protection measure. However, it remains unclear whether pseudonymous data is exempt from these laws or falls outside the definition of personal data. In most cases, the laws still apply to pseudonymous data, with a few exceptions. New Jersey's law, for example, exempts "de-identified" data, but not pseudonymous data. Maryland also does not provide exemptions for pseudonymous data.

10. Do these different laws have the concept of a controller and processor? If so, how do they treat these different categories? 

Yes, many use the terms controller and processor.

A controller is an entity that determines the purposes and means of processing personal data. Essentially, the controller decides why and how personal data will be processed. A processor is an entity that processes personal data on behalf of a controller. The processor follows the instructions of the controller and does not determine the purposes or means of processing.

11. Is employee data regulated under these laws? If so, what are my obligations to employee data?

Only the California Consumer Privacy Act (CCPA) applies to employee data. US privacy laws generally exclude data collected by employers from their scope.

12. What's the status and likelihood of a potential federal data privacy law?

This privacy pro’s opinion: Given the thin margins in Congress, we will likely not see a comprehensive federal privacy law passed in 2025. We do expect state legislatures to continue enacting their own privacy laws.

13. Is there any federal AI regulation in the works?

There are steps being taken at the federal level regarding AI regulation. In December 2024, the “Bipartisan House Task Force Report on AI” articulated guiding principles, key findings, and recommendations to help guide future actions that Congress can take to address advancements concerning artificial intelligence. President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence also provided some guidance on this matter.

14. Is there a glossary of terms we can reference?

Yes! You can find a glossary of common data privacy terms here.

15. Is following an ISO certification or other certification enough to be compliant with these laws?

No—they are distinct laws with distinct data privacy requirements. 

16. Can you briefly describe Maryland's data privacy law, MODPA? Who is subject to the law, and what makes its requirements unique?

We take a deep dive into the MODPA in our blog, What Makes the Maryland Online Data Privacy Act (MODPA) Different?

17. There are a lot of laws in the US—what's the best approach to becoming broadly compliant with all or most of them? Which laws do I need to pay special attention to because of unique or conflicting requirements?

To become broadly compliant, you could identify the strictest law and model your privacy practices after it, but this is often not feasible. The best way to keep up is to implement privacy technology that can do a lot of the work for you.

Beyond that, creating or bookmarking a matrix or tracker of the laws that includes their exemptions, thresholds, scope, and so on will help you to quickly identify where they differ. Most of the laws do not directly conflict; rather, some are just stricter with more requirements than others.

18. Which of the laws require data processing addenda? Once a DPA is in place, can I share consumer data with a third party?

All of 2025’s data privacy laws have requirements around data processing agreements or certain contractual obligations between data controllers and processors. The sharing of data is allowed under various circumstances depending on the law.  

19. What are people referring to when discussing the VPPA and wiretap lawsuits? How can I avoid being hit by one of these suits?

While VPPA and wiretap lawsuits might seem esoteric, the fundamental issues at play are fortunately similar to what many data privacy laws regulate. To reduce your risk, understand the technologies on your website, especially those that may transfer data to a third party; provide notice; and secure consent. 

You can learn more about the VPPA and similar lawsuits here. 

Still Have Questions? 

There’s only so much information that a blog post can provide. If you want to chat about your organization’s unique needs and how Osano can help, schedule a demo with us. 
