Special Report

The Year Ahead 2025:
Tech Talk — AI Regulations +
Data Privacy

Careful consideration and close collaboration between your organization’s business departments are watchwords for 2025. AI tools in performance management and other areas present both opportunities and risks as increased regulation and enforcement at the state level proliferate — along with the rise of related class actions. On the privacy front, a focus on data minimization and thoughtful implementation and governance of new technologies and their data, both within the organization and across its vendors, will all help to avoid unintended consequences.  

Takeaways

  • Unclear how change in administration will impact federal government guidance on AI.
  • 2025 will likely bring more state laws on AI regulation for developers and deployers, as well as more state-level enforcement actions of state privacy and security laws.
  • Privacy litigation will continue to grow. 
  • Organizations should take stock of data they maintain to determine how to ensure privacy law compliance.
  • Organizations should take preventative measures to protect personal data they maintain (including data processed by their vendors).

State Privacy Laws Taking Effect in 2025

January 1

  • Delaware Personal Data Privacy Act 
  • Iowa Consumer Data Protection Act 
  • Nebraska Data Privacy Act 
  • New Hampshire Consumer Data Protection Act 

January 15

  • New Jersey Data Privacy Act 

July 1

  • Tennessee Information Protection Act

July 31

  • Minnesota Consumer Data Privacy Act

October 1

  • Maryland Online Data Privacy Act

State AI Developments

 
california icon

California | Effective 01.01.26

  • Creates California AI Transparency Act to ensure transparency in the training data used for generative AI systems. The Act applies to developers of generative AI systems or services, including substantial modifications.
  • Sets disclosure requirements, including:
    • High-level summary of datasets used.
    • Sources or owners of the datasets.
    • Description of how datasets further the AI system’s purpose.
    • Number and types of data points in the datasets.
    • Information on whether datasets include copyrighted, trademarked, or patented data.
    • Details on whether datasets are purchased, licensed or include personal information.
    • Description of any data cleaning, processing or modifications.
    • Time period of data collection and notice, if ongoing.
  • Comprehensive proposed AI regulations under the California Consumer Privacy Act move forward concerning Automated Decision-Making Technology (ADMT).
  • Civil Rights Council examining comments to Initial Text for Proposed Modifications to Employment Regulations Regarding Automated-Decision Systems.
     
Colorado state icon

Colorado | Effective 02.01.26

  • Defines high-risk AI systems as systems making consequential decisions affecting areas like employment, education, healthcare and more.
  • Identifies role-specific obligations.
    • Developers: Must provide necessary documentation and mitigate algorithmic discrimination.
    • Deployers: Required to conduct risk management and impact assessments and to provide consumer rights.
  • Emphasizes consumer rights, including the right to notice, explanation, correction and appeal for decisions made by high-risk AI systems.
  • Includes algorithmic discrimination: Duty of care to prevent both intentional discrimination and disparate impact.
  • Gives Colorado Attorney General significant authority to enforce the law.
     
Illinois state icon

Illinois

  • New laws address use of generative AI and digital likeness, publicity rights.
  • Updates its civil rights law to make clear that uses of artificial intelligence, including generative AI, could constitute civil rights violations.

Trends in Data Privacy and Security Litigation + Regulatory Enforcement

  • Increase in data breach class actions. 
  • Website tracking technology claims.
  • Illinois Biometric Information Privacy Act and Genetic Information Privacy Act claims.
  • AI and data privacy actions: Legal challenges to AI’s use of personal data and decisions made with assistance from AI.
  • Regulatory enforcement actions: Aggressive enforcement by state AGs and industry regulators.
tya25: Tech Podcast 2
The Year Ahead 2025: AI’s New Laws + Traditional Issues

 

Hosts: Eric J. Felsberg, Principal, Artificial Intelligence Co-Leader and Technology Industry Co-Leader, and Joseph J. Lazzarotti, Principal, Artificial Intelligence Co-Leader and Privacy, Data and Cybersecurity Co-Leader

“It’s like an AI chicken or the egg conundrum. Who should own the liability there? Should it be the developers of these technologies or should it be the users? If you're trying to make that determination, where does that line fall? This uncertainty has worked its way into different legislation across the country. It really reflects how these lawmakers are grappling with some of these issues that, frankly, don't have an easy answer.” 
 

Listen to the podcast
tya25: Tech Podcast
The Year Ahead 2025: Tech Tools + Privacy Considerations

 

Hosts: Joseph J. Lazzarotti, Principal, Artificial Intelligence Co-Leader and Privacy, Data and Cybersecurity Co-Leader, and Damon W. Silver, Principal and Privacy, Data and Cybersecurity Co-Leader

“It's this constant sense of governance — risk and compliance processes that should take place whenever you're dealing with these technologies. If there was one goal I would recommend for next year, that would be more collaboration between the stakeholders [IT, legal, HR, the business area deploying the tech] when rolling out these kinds of tools.” 
 

Listen to the podcast

 

Related resources

Businesswoman presenting on a big screen in a conference room on AI technology.
We Get AI for Work Audio Guide
NYC Buildings from a birds eye view
New York Enacts Immediate Updates to Breach Notification Law
A trio of business colleagues walking and talking.
OCR Proposed Tighter Security Rules for HIPAA Regulated Entities, including Business Associates and Group Health Plans
A Human Resource employee's typing on a keyboard as symbols of bio/personal data fly above.
2024 Wrap-Up of the Workplace Privacy, Data Management & Security Report
Loper Data Privacy
Privacy Blizzard Expected in January as Five State Laws Take Effect
Side view of a woman's head as she considers people with the help of AI/
AI and Other Decision-Making Tools: Does the Fair Credit Reporting Act Apply?
Image of the Florida State flag.
Florida Healthcare Provider Faces $1.19M HIPAA Penalty Following Independent Contractor Breach
A digital keyhole in a screen of data.
Tips for Vacation Rental, Property Mgmt. Businesses Facing Vendor Cybersecurity Risk

Return to The Year Ahead 2025 Report

© Jackson Lewis P.C. This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Jackson Lewis and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome. 

Focused on labor and employment law since 1958, Jackson Lewis P.C.'s 1000+ attorneys located in major cities nationwide consistently identify and respond to new ways workplace law intersects business. We help employers develop proactive strategies, strong policies and business-oriented solutions to cultivate high-functioning workforces that are engaged, stable and diverse, and share our clients' goals to emphasize inclusivity and respect for the contribution of every employee. For more information, visit https://www.jacksonlewis.com.