Twelve Privacy Investments for Your Company for a Stronger 2025
January 16, 2025
FPF has put together a list of Twelve Privacy Investments for Your Company for a Stronger 2025 that reflects on new perspectives on the work that privacy teams do at their organizations. We hope there is something here that’s useful where you work, and we’d love to hear other ideas and feedback.
Privacy Investments for Your Company for a Stronger 2025
- Re-review your privacy notice and other disclosures to ensure you are covering any new data collection or uses planned in 2025 – including secondary uses of data – that may be going on. This has been a theme of FTC actions in 2024 and a measure that would enhance transparency as suggested by the EDPB in the latest Opinion on data protection and AI models. Since new uses of data for AI have been prompting consumer alarm, allow time for explanation, education and communication to support user understanding of the value proposition. Consider opt-out options for new uses and opt-in for any significant changes or uses of sensitive data.
- Take steps to minimize your processing of precise location data or sensitive data. Explore using less precise alternatives, ensuring limited retention and effective de-identification techniques, or uses of other kinds of data that have less risk of creating sensitive inferences.
- Take a good look at vendor management. Don’t just rely on contractual constraints. If there are no technical monitoring or other controls in place, get a plan for some onto product roadmaps.
- Deepen your relationships with various business teams (sales and marketing, product teams, etc.) so you know what they’re planning and can help develop a forward-looking compliance strategy.
- Help FPF gather information about the operational implications of new or prospective laws so we can effectively explain data uses and tech to policymakers to help them craft policy and guidance that strikes the right balance for accountable data use.
- While comprehensive federal privacy legislation may not be imminent, the states and the attorneys general are still pretty concerned about privacy, as are governments around the world. Deepen your connections with the AG offices and understand their perspectives. Meet key local legislators and build relationships by supporting their interest in being educated about emerging technologies and their impact.
- Although the outcomes of court cases have been unclear, it is clear that protections for users under 18 will continue to be a focus of legislative activity and enforcement. Consider options that can provide for more limited uses of teen data.
- Take special care with data that may implicate personal health information and prepare to be vigilant in the case that law enforcement comes knocking for information about a user that could reveal their reproductive health status. We recommend our Health and Wellness Policy Brief.
- Map your international data flows and track any instances where internal processes or third-party relationships could put data within reach of one of the U.S. government’s “countries of concern.” Diversify your data transfer tools with an eye on the global landscape, as cross-border data flow restrictions are increasingly expanding beyond the EU-US dynamic.
- If you are doing business in India, make sure to have good data governance and data inventories in place for your operations. Major changes are coming, with the implementation date of the DPDPA in sight after the draft implementing rules were published at the very beginning of this year. Keep close track of India’s DPDPA Rules and stay sufficiently informed to provide feedback during the public consultation exercise.
- Align your teams on how your company will use AI tools internally to automate workflows and make all of this work easier, including applying AI tools to make privacy compliance easier, such as handling data subject requests or assessing whether your policies could be made easier to read and access. FPF’s new report may help.
- Tidy up your clean room practices. You may view your partners as trusted, but the FTC may consider them potential attackers from a de-identification point of view. Ensure technical controls are credible.
Last Updated: January 16, 2025