
Published: January 16, 2025
As the years go on, the privacy landscape just gets more complicated—2025 is no exception.
As a data privacy software provider, we understandably field a lot of questions about new privacy developments, regulatory requirements, compliance, consumer rights, and more. That was certainly the case during our recent webinar, 2025 Privacy Law Preview: Be Prepared. During the webinar and throughout the course of recent months, we've received dozens of questions about 2025's data privacy laws. Here are our answers to the most frequently asked.
Small- or large-scale PIAs effectively have the same purpose: to document and identify privacy risks in the early stages of a project or initiative (no matter the size) to better equip organizations to mitigate or minimize those risks. Whether your project is large or small, the PIA should include the following:
When evaluating a new large project in its entirety—across various systems that involve many stakeholders, departments, etc.—the PIA will need to be robust by default to ensure you are accounting for all of these aspects, particularly what systems process what data and for what reasons. Each system within the PIA will need to be considered.
A smaller scale PIA could be used when conducting minor project updates, specific system implementations, or when a singular privacy concern is raised regarding some process in that project.
A risk assessment should be conducted when the processing of consumers’ personal information (sensitive and non-sensitive alike) presents a significant risk to consumers’ privacy. The California Privacy Protection Agency (CPPA) describes what constitutes significant risk here.
The assessment should always be completed before that processing begins. Note that the draft regulations also impose additional requirements around automated decision-making technology and the training of such systems.
If you want to learn more details about assessments, like what activities require an assessment, what assessments should include, and more, check out the CPPA Draft Risk Assessment Regulations Fact Sheet.
Some laws treat the use of third-party cookies as a "sale" of personal information, because setting them transfers personal data to a third party in exchange for some form of value. Even if no money changes hands, trading data for services (such as targeted advertising) can be considered valuable consideration.
Generally, you can follow these steps to improve your compliance with requirements around universal opt-out mechanisms (UOOMs). However, be sure to review the specific law and work with your counsel and internal experts.
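The following is an added example, not code from the original post or from Osano, of what honoring a universal opt-out mechanism looks like on the server side. It assumes the UOOM in question is Global Privacy Control (GPC), which conforming browsers send as the HTTP request header `Sec-GPC: 1`. The purpose names, the consent record and the conflict rule (a live signal beats a stored preference) are constructed for illustration; as the post says, check the specific law you are subject to before adopting any of them.

```python
"""Honoring a universal opt-out mechanism (UOOM) server-side.

Added example, not code from the original post or from Osano. It assumes the
UOOM is Global Privacy Control (GPC), which conforming browsers send as the
HTTP request header `Sec-GPC: 1`. The purpose names, the consent record and
the conflict rule (signal beats stored preference) are constructed for
illustration; check the specific law you are subject to.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Purposes that an opt-out of "sale" or "sharing" must switch off.
# Constructed taxonomy for this example, not taken from any statute.
OPT_OUT_PURPOSES = frozenset({"targeted_advertising", "sale_to_third_parties"})
# Purposes that never require consent in this model (serving the page, fraud prevention).
ESSENTIAL_PURPOSES = frozenset({"essential"})


@dataclass
class ConsentDecision:
    allowed_purposes: Set[str]
    source: str   # "gpc", "stored_preference" or "no_record"
    reason: str   # human-readable audit trail entry


def gpc_opted_out(headers: Dict[str, str]) -> bool:
    """True if the request carries a valid GPC opt-out signal.

    Header names are case-insensitive. The GPC spec only defines the value
    "1"; any other value (or a missing header) is treated as no signal.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"


def decide_processing(headers: Dict[str, str],
                      stored_preference: Optional[Set[str]],
                      requested: Set[str]) -> ConsentDecision:
    """Return which of the `requested` purposes may run for this request.

    stored_preference is the set of non-essential purposes the user has
    previously allowed (None if no record exists for this user).
    """
    requested = set(requested)

    if gpc_opted_out(headers):
        # A valid signal switches off sale/share purposes even if a stored
        # preference allowed them (conflict rule assumed by this example).
        allowed = requested - OPT_OUT_PURPOSES
        return ConsentDecision(allowed, "gpc",
                               "Sec-GPC: 1 received; sale/share purposes disabled")

    if stored_preference is not None:
        allowed = requested & (ESSENTIAL_PURPOSES | set(stored_preference))
        return ConsentDecision(allowed, "stored_preference",
                               "no opt-out signal; applied stored preference")

    # No signal and no record: this example assumes an opt-out regime, so
    # everything requested runs until the user opts out.
    return ConsentDecision(requested, "no_record",
                           "no opt-out signal and no stored preference")


if __name__ == "__main__":
    # Constructed request: a browser sending the GPC header.
    request_headers = {"Host": "shop.example", "Sec-GPC": "1"}
    decision = decide_processing(request_headers,
                                 {"targeted_advertising", "analytics"},
                                 {"essential", "analytics", "targeted_advertising"})
    print(decision)
```

The `reason` string is meant to be written to an audit log alongside the request identifier, so that a later subject-rights request or regulator inquiry can show which signal drove each decision.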
Data brokers raise significant privacy concerns: they aggregate, buy, sell, and disclose billions of consumer data points, including personal data, to build detailed profiles of individuals for commercial purposes.
Currently, the comprehensive privacy laws in place do not specifically regulate data brokers. Several states (five as of this writing) are closing that gap by passing data broker laws:
Data brokers pose a significant concern for consumers, whose data may be processed without their consent or even awareness, so we expect this trend of broker-specific laws and regulations to continue.
Most laws do not specifically call out data mapping, but rather require other activities (e.g., data inventories, assessments, record of processing, and subject rights requests) that are very hard to achieve in a compliant and efficient manner without having your data mapped out.
If you’re curious about how to get started with data mapping, we recommend reviewing our data mapping 101 guide.
Entity-level exemptions apply to the entire organization. If an entity qualifies for an entity-level exemption, it means that the entire business is exempt from complying with certain privacy laws.
For example, financial institutions regulated by the Gramm-Leach-Bliley Act (GLBA) or healthcare providers regulated by the Health Insurance Portability and Accountability Act (HIPAA) often benefit from entity-level exemptions in various state privacy laws.
Data-level exemptions apply only to specific types of data within an organization. Even if certain data is exempt, the organization as a whole must still comply with the privacy law for other types of data.
For instance, under the California Consumer Privacy Act (CCPA), financial institutions may have a data-level exemption for GLBA-covered consumer financial information, but they still need to comply with the CCPA for other types of personal data.
Many laws exempt nonprofits—but not all. The following US privacy laws do not have exemptions for nonprofits:
Pseudonymous data has been processed in such a way that it can no longer be attributed to a specific individual without the use of additional information.
In general, many US privacy laws and the GDPR recognize pseudonymization as a strong data protection measure. However, it remains unclear whether pseudonymous data is exempt from these laws or falls outside the definition of personal data. In most cases, the laws still apply to pseudonymous data, though a few provide exemptions. New Jersey’s law, for example, exempts “de-identified” data but not pseudonymous data, and Maryland likewise provides no exemption for pseudonymous data.
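As an added example, not code from the original post or from Osano, the following shows what the definition above looks like in practice: a keyed hash (HMAC-SHA-256) whose key is the "additional information" held apart from the dataset, beside the weak alternative of an unkeyed hash, which anyone can link back to a person by guessing likely inputs. The key, records and candidate lists are constructed for illustration.

```python
"""Pseudonymization with a separately held secret.

Added example, not code from the original post or from Osano. It shows why a
keyed hash (HMAC-SHA-256) meets the definition of pseudonymous data while an
unkeyed hash of an e-mail address does not: without the key, the pseudonym
cannot be linked back to a person, but a plain hash can be matched against
guessed inputs. Key, records and candidate lists are constructed.
"""
import hashlib
import hmac
from typing import Dict, Iterable, Optional


def _normalize(identifier: str) -> str:
    # Same person, same pseudonym: strip whitespace and case-fold e-mails.
    return identifier.strip().lower()


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym. `key` is the 'additional information' and must be kept
    apart from the pseudonymized dataset (e.g. in a KMS/HSM, not the same DB)."""
    return hmac.new(key, _normalize(identifier).encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_record(record: Dict[str, str], key: bytes, field: str = "email") -> Dict[str, str]:
    """Replace the direct identifier with its pseudonym; other fields are untouched."""
    out = dict(record)
    out["subject_id"] = pseudonymize(out.pop(field), key)
    return out


def reidentify(pseudonym: str, candidates: Iterable[str], key: bytes) -> Optional[str]:
    """Re-identification is possible only for the key holder: recompute the HMAC
    for each candidate and compare in constant time."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymize(candidate, key), pseudonym):
            return _normalize(candidate)
    return None


def unkeyed_hash(identifier: str) -> str:
    """The weak alternative: a bare SHA-256 of the identifier."""
    return hashlib.sha256(_normalize(identifier).encode("utf-8")).hexdigest()


def guess_unkeyed_hash(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Anyone with a list of plausible e-mails can reverse an unkeyed hash; no
    secret is needed, so the data is not really pseudonymous."""
    for candidate in candidates:
        if unkeyed_hash(candidate) == digest:
            return _normalize(candidate)
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-in-a-vault"   # constructed; never hard-code a real key
    record = {"email": "Alice@Example.com", "plan": "pro"}
    print(pseudonymize_record(record, key))
    guesses = ["bob@example.com", "alice@example.com"]   # constructed candidate list
    print("unkeyed hash recovered:", guess_unkeyed_hash(unkeyed_hash(record["email"]), guesses))
    print("keyed, without the key:", reidentify(pseudonymize(record["email"], key), guesses, b"wrong-key"))
```

The design point is where the key lives: if it sits in the same database or backup as the pseudonymized records, a single breach yields both halves and the data is effectively identifiable again. Rotating the key also breaks linkage across datasets, which is usually what you want when a retention period ends.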
Yes, many laws use the terms controller and processor.
A controller is an entity that determines the purposes and means of processing personal data. Essentially, the controller decides why and how personal data will be processed. A processor is an entity that processes personal data on behalf of a controller. The processor follows the instructions of the controller and does not determine the purposes or means of processing.
Only the California Consumer Privacy Act (CCPA) applies to employee data. US privacy laws generally exclude data collected by employers from their scope.
This privacy pro’s opinion: Given the thin margins in Congress, we will likely not see a comprehensive federal privacy law passed in 2025. We do expect state legislatures to continue enacting their own privacy laws.
There are steps being taken at the federal level regarding AI regulation. In December 2024, the “Bipartisan House Task Force Report on AI” articulated guiding principles, key findings, and recommendations to help guide future actions that Congress can take to address advancements concerning artificial intelligence. President Biden’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence also provided some guidance on this matter.
Yes! You can find a glossary of common data privacy terms here.
No—they are distinct laws with distinct data privacy requirements.
We take a deep dive into the MODPA in our blog, What Makes the Maryland Online Data Privacy Act (MODPA) Different?
To become broadly compliant, you could identify the strictest law and model your privacy practices after it, but this is often not feasible. The best way to keep up is to implement privacy technology that can do much of the work for you.
Beyond that, creating or bookmarking a matrix or tracker of the laws that includes their exemptions, thresholds, scope, and so on will help you to quickly identify where they differ. Most of the laws do not directly conflict; rather, some are just stricter with more requirements than others.
All of 2025’s data privacy laws have requirements around data processing agreements or certain contractual obligations between data controllers and processors. The sharing of data is allowed under various circumstances depending on the law.
While VPPA and wiretap lawsuits might seem esoteric, the fundamental issues at play are fortunately similar to what many data privacy laws regulate. To reduce your risk, understand the technologies on your website, especially those that may transfer data to a third party; provide notice; and secure consent.
You can learn more about the VPPA and similar lawsuits here.
There’s only so much information that a blog post can provide. If you want to chat about your organization’s unique needs and how Osano can help, schedule a demo with us.
Ashley Fowler is Senior Privacy Program Manager at Osano and has over 6 years of professional privacy experience. She holds a CIPP/US IAPP certification and is proficient in privacy impact and data protection assessments, international privacy compliance, and employee privacy. In previous roles, Ashley has helped manage implementation efforts for privacy regulations (such as the GDPR and CCPA) along with the implementation and execution of cross-organizational privacy technology solutions.