Confronted with high expectations and high stakes when it comes to data privacy, businesses must stay ahead of the curve to protect consumer rights and mitigate legal risks. As we navigate this issue in 2025, four key trends are shaping the future of data privacy.
To explore these trends, we’re sharing insights from two industry pros—Taryn Crane, Privacy & Data Protection Practice Leader at BDO, a Relativity Gold Provider Partner, and Beth Kallet-Neuman, General Counsel and Vice President of Legal at Relativity—who spoke on a recent webinar moderated by Matt Preyss, a senior product marketing manager at Relativity.
Follow Your North Star
Data privacy is a hot topic
With each new privacy regulation comes increased concern around how to balance the demands of a widening variety of jurisdictions. This patchwork quilt is only becoming more and more complex.
Taryn Crane emphasized the importance of using common principles and frameworks as guiding stars amidst this balancing act. She gave examples like transparency, notice, data minimization, and consumer choice, and explained how keeping these factors top of mind can alleviate stress when new laws come into play; with this approach, you can navigate any differences on an as-needed basis.
Beth Kallet-Neuman added to this take by defining three foundational categories within data collection: notice (information about how a business collects, stores, and uses personal data), choice (a person’s ability to decide how and whether their information can be collected), and consent (whether opt out or opt in, freely given indication of agreement).
She contended how crucial it is for organizations to protect consumer rights by prioritizing consumer awareness and enabling them to actively agree to what’s going to happen with their data. Plus, aligning to these three broad categories means that compliance with new regulations is easier since the organization would be following an approach of principles instead of specifics.
Shifting left
When it comes to incorporating privacy into the business, Beth and Taryn agreed: shift left. Common in the tech world, this term defines the practice of moving steps like testing and quality checks to earlier points in the software development lifecycle.
Both Beth and Taryn underscored the importance of businesses adopting a deep-rooted privacy mindset from the get-go – the principle of privacy by design. When you’re weaving privacy in early, there's less to be worried about later. Essentially, it allows privacy initiatives to be less about checking boxes, and more about proactive institutional change.
Mean What You Say, Say What You Mean
While we wait ...
Following these principles is more important now than ever. As Beth reminded webinar attendees, we remain without a federal privacy law, and it’s still to be determined whether there will be one anytime soon. That means that our current sources of truth are the existing laws:
“The federal enforcement that we do see is based mostly on existing federal law, such as the FTC's jurisdiction to regulate truthful statements and truthful actions. So: mean what you say, and say what you mean.” – Beth Kallet-Neuman
Beth urged businesses to be clear about the kind of privacy promise they can make, and to ensure they can live to that promise.
Cookie banners and other quick wins
Throughout the discussion, Beth and Taryn double-clicked on the importance of having thoroughly built—and checked—cookie banners. Sometimes, that’s as simple as making sure your banner works, or correcting mis- or uncategorized cookies. Taryn stressed the importance of identifying malfunctions proactively rather than finding out from the knock of a regulator at your door.
“It’s such low-hanging fruit. Anyone can see your website and they don’t have to go any further than looking at your privacy notice and your cookie banner to find potential non-compliance.” – Taryn Crane
Beth also urged organizations to consider how their websites present. What lives online has lots of eyes on it, and so she repeated her adage for measuring this caution: “Mean what you say, say what you mean.”
Dark patterns
In line with the concept of cookie banner maintenance, the panelists addressed the issue of subverting the user’s choice, otherwise known as dark patterns. Sometimes it’s a conflict between the tag collection mechanism and the consent collection, or a confusing cookie banner—anything that causes the user to think they’re saying “no” when, in reality, they've actually said “yes” to something.
It’s, unfortunately, a common and costly occurrence that we’ve seen ramp up in the past two years—with enforcement quickly keeping pace.
Taryn digs us a little deeper into this concept:
“We need more age-appropriate design. It goes broader for me than children, or, frankly, even privacy in some cases. ... We need to make things really digestible for the average human who's not well versed in online risks or the implications of their choices.” – Taryn Crane
AI’s Role in Data Privacy
AI is still an emerging area
“The second you figure out what’s going on, everything changes.” – Beth Kallet-Neuman
Though its popularity increases by the second, AI is still somewhat uncharted territory. Much like any emerging technology, protocol, or process—it requires careful observation of emerging regulation.
During BDO’s webinar, Beth highlighted the importance of tracking AI in your business and offered questions that can be used to monitor implementation:
- Who: Who are the folks impacted by the ingestion or deployment of the generative AI tooling? Who is handling adoption? Is your AI governance committee involved? (They should be!)
- What: If you're approving some sort of third-party generative AI, are you getting the specific authorization you need? (Beware of scope creep!) Is your AI governance committee helping to vet, understand, and approve additional uses? Are you employing human oversight? Are you record keeping and measuring output to help manage the complexities?
“No matter what you’re using generative AI for, whether you’re creating code or writing emails with Copilot, you want to make sure you have vetted that use, and that you’ve got a human reviewing it for quality and consistency.” – Beth Kallet-Neuman
Don’t reinvent the wheel
Part of successfully vetting and adopting AI technologies is understanding what is already available—what trails have already been blazed. Taryn suggested leveraging existing privacy and risk assessments when adopting AI tools. It makes operationalizing privacy more seamless.
Communicating Across the Company
Knowledge sharing is everything.
While taking precautions like following a north star, keeping tabs on new privacy laws, and leveraging new tech are all deeply important, Beth and Taryn agreed that, more than anything, you need cross-team collaboration. Just as the privacy team cannot on their own cater to the consumer, the marketing team needs privacy’s expertise to maintain healthy data boundaries. In short: this is all hands on deck.
To Beth, it’s the only way to have a full picture of what’s going on when it comes to assessing and implementing new AI tools.
“You certainly want your legal and privacy professionals involved. … You also want to make sure you have your tech folks, who really understand what’s going on. If you have data scientists in your organization who are very close to it, you might want one or two of them to be involved, too. And you’re going to want your marketing folks to be there.” – Beth Kallet-Neuman
Similarly, Taryn suggested treating privacy like a new project. Then, when new law comes out, it’s easier to start moving and dissect areas of impact.
“Don’t be afraid of assigning a project manager. Treat this like an actual implementation, just like any other technology or tool implementation—whatever it might be. Those are the most successful programs that I see: where there is cross-collaboration and more than just the privacy team has responsibility, accountability, and tasks to help accomplish privacy compliance goals.” – Taryn Crane
Often, the teams implementing cookie banners are in the marketing organization. On the contrary, handling AI governance has pretty squarely landed with privacy and compliance individuals, because of the intersection with other risk areas. Across all these functions, both Beth and Taryn flagged the dire need to collaborate collectively to identify potential issues.
Good privacy measures call upon marketing, data scientists, legal—a wide variety of perspectives. Melding skills from all facets of the business helps ensure that you’re conducting a consistent, secure privacy strategy.
Trends in Data Privacy Litigation
Are you collecting too much data?
Data privacy litigation is on the rise, with a focus on data minimization and the risks associated with data breaches. Taryn shared: “In all breaches that I’ve supported clients through, the running theme is ‘if we didn’t have half this data, this may have been a much smaller problem.’”
Both Taryn and Beth urged the group to consider some hard questions, including:
- What kinds of data am I collecting?
- Am I holding onto data that’s been around for years? Decades?
- Do I need data that’s 7 or 8 or 10 or even 20 years old?
- Why do I still have that old database from the company we acquired years ago?
- What value is that stale data giving our business anyway?
Take some advice from these two privacy pros: only collect data that matters. You should veer away from gathering broad amounts of unnecessary data. Then, take it one step further by creating a process where data collection is regularly reviewed and letting go of data that has surpassed its useful life. Regular data review and compliance with data retention policies will mitigate your risk ten-fold.
Acquisitions are a big culprit of over-inclusive data retention, mostly because they have long tails; it’s easy to take your eye off the ball without meaning to do so. The way to avoid the data breach risk tied to an acquisition is drafting a solid plan for after the integration, and following through with adequate data protection controls until a system is fully decommissioned.
“It sounds so boring to say ‘look at your data retention schedule or policy,’ but those are still important.” – Taryn Crane
Beware of a widely cast net
Be mindful that one security incident can spawn multiple litigations. You are not easily let off the hook! And once hooked, you also face the risk of private right of action: negligence, privacy breach, breach of contract, and so on. (There are many potential claims.)
Taryn puts it like this:
“Someone is going to throw a bunch of things at the wall and see what sticks. Organizations have to be careful!” – Taryn Crane
A Culture of Trust
As we move forward in 2025, businesses need to prioritize collaboration and build a culture of trust. Taryn’s biggest advice on how to do that is to get to know your business better.
“Create those in-roads, have those conversations, understand the goals and needs. Rather than throwing requirements over the fence, solution together,” she advised.
Beth closed out the session with a reminder to pay close attention to your website and social media activities. She warned us to make sure disclosures are sound, and if we don’t have a cookie banner yet, get one. Staying informed and proactive enables businesses to navigate the inevitable complexities of data privacy and build relationships with their consumers.
People are more willing to engage with organizations when they feel like their data is being handled in a protected, respectful way. Make this a part of your brand experience and surely, they will come to feel that trust.
Dive into Relativity's content on how to stay ahead of potential threats and safeguard your organization by browsing these articles right here on The Relativity Blog. You can also learn how RelativityOne supports the post-breach process with an AI-enabled solution that quickly helps you identify sensitive information and link it to individuals, aiding impact assessment and reporting.
Graphics for this article were created by Sarah Vachlon.
