Data privacy in 2025: The resurgence of biometric security, a fleeting forecast for federal data privacy regulations, and the return of the wild west of AI
The transition from 2024 to 2025 brings a lot of uncertainty, speculation, and hopefully some optimism for the world of data privacy.
As technology continued to innovate, securing data grew more complex and consumers grew more concerned over how their information was being used. Regulatory changes are coming soon, with several states providing their own data privacy standards in anticipation of a shifting focus within the U.S. federal government, creating an important inflection point to set the tone for the future of data privacy and security.
As we forge ahead to 2025, let’s take a closer look at the trends we can expect to shape the industry. From biometrics to legislation and of course AI, these are some of the most important areas organizations should prepare for.
Biometric Security Will [Re] Enter the Chat
While biometric data and the security of that data are certainly not a new conversation, many have accepted that their biometric data is out in the world. From unlocking your cell phone to clearing security at airports across the U.S., biometric data has been used for years now to secure yourself and others. However, one case has brought to light the sensitive nature of biometric data and how it is used.
In late 2024, the Australian privacy commissioner found that the Bunnings Group, a popular hardware store in Australia, had breached Australians' privacy with a facial recognition tool that captured the faces of every person who entered a Bunnings store. The tool was used for physical security purposes, but there was no way for shoppers to know that their personal and sensitive data was being gathered through a facial recognition system. Consequently, there was no way for shoppers to consent to the use of their biometrics.
However, this issue is not limited to Australia. In the United States, the Illinois Supreme Court found that in 2023, White Castle, the popular fast food chain, had improperly collected employees' fingerprints without their consent for the purpose of securing its computer systems. As a result, White Castle was held liable for damages potentially exceeding $17 billion.
Both of these cases are underscored by an alarming fact: the general public is simply not aware that their biometric data is being collected, or worse, they are unaware that organizations they trust are sharing their fingerprint, their facial scan, or any other biometric data that uniquely identifies them.
As such, we can expect the industry to handle biometric data much more carefully, and we can expect more lawsuits to be filed against brands that collect biometric data without consumer consent. As businesses seek a middle ground between collecting data, optimizing business efficiencies, and maintaining consumer privacy, the question remains of what regulations exist for businesses to follow.
Federal Data Privacy Legislation Will Need to Wait
As the political landscape continues to evolve in the United States, we can expect that federal data privacy legislation will not solidify any time soon. Given the promises set forth by the incoming Trump Administration, we will see more states introduce privacy legislation, and other states model their legislation after a single law that is viewed as the high-water mark for state-specific regulation. Historically, data privacy has received the support of both political parties in the United States, but the conflict arises over who makes the final decision on regulation – whether it is the state governments or the overarching federal government.
We can expect more states to roll out their own regulations to protect the data privacy of their residents. In fact, Delaware, Iowa, Nebraska, New Hampshire, and New Jersey have all introduced their state-specific data privacy regulations, all effective January 1, 2025.
U.S.-based businesses will follow the states' lead: selecting one piece of legislation (such as the CCPA) to be viewed as the standard for compliance, rather than picking apart the 19 individual state privacy bills that currently exist.
Make no mistake about it -- change is on the horizon, and the impact will be felt on both the data privacy sector and the broader technology landscape.
The Trump Administration Will Repeal the Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence
Reasoning similar to why every state will need to set forth its own data privacy regulations applies to President-Elect Trump’s inevitable repeal of the Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. The President-Elect has made it very clear that this will be a priority for him in his second term, and his business affiliations with individuals who have been staunchly opposed to regulating the use of AI solidify this promise.
Data privacy surrounding AI will undoubtedly be highly contested in the new year, and will likely be a major focus of the aforementioned legislation. Organizations like X, LinkedIn, and Microsoft have all received backlash for training models on user posts, but that reputational damage simply may not be enough to deter other brands from doing the same thing until they get caught. Should organizations commit similar violations, prosecution will be carried out on the state level, with punishment dependent on the severity of infringement according to each individual state’s statute.
The good news? For a number of states, regulations around the responsible use of AI have already been established, giving businesses a blueprint to follow and hope for a continued emphasis on consumer privacy.
While federal data privacy legislation will need to wait for the time being, we can expect continued conversations and general optimism as we continue to move forward with state-level legislation, consumer rights, and greater acknowledgment of expected privacy for all.
Daniel Barber is Co-Founder and CEO of DataGrail.