Cathy Mulrow-Peattie Discusses Compliance Challenges Ahead Under New State Privacy Laws in 2025

January 30, 2025

Hinshaw partner Cathy Mulrow-Peattie was recently quoted in several Privacy Daily articles, discussing the increasing risks businesses face as more states implement privacy laws.

"We're no longer in a nonregulated environment anymore with just a couple of states having privacy laws," Mulrow-Peattie said. Since the likelihood of federal privacy legislation being adopted remains low, she explained that "the states are going to take up that banner," which could lead to the establishment of a patchwork of 50 individual state privacy laws. Already this year, several states, including New York, Massachusetts, and Illinois, have introduced legislation on comprehensive privacy laws.

With expectations of "eight new privacy enforcers" by the end of this year, companies will have to manage multiple state regulators regarding data breaches and consumer complaints. Mulrow-Peattie also flagged that the definition of "sensitive data" varies among the new privacy laws taking effect in January across Delaware, Iowa, Nebraska, New Hampshire, and New Jersey. She predicts these differences will become a "hot ticket" enforcement priority for state Attorney Generals.

Mulrow-Peattie emphasized that although these state laws may vary, identifying trends and commonalities can help businesses navigate compliance. "You have to look at it from a risk and a business perspective: What … to your business are the biggest risks for these new laws?"

With an expected increase in privacy enforcement, Mulrow-Peattie said businesses should assume states have enforcement resources, yet some companies still lack privacy notices that reflect their data practices. "You have to know where your data is, how you're using it, and how you're sharing it—and give people the [right to opt-out]."

Additionally, reacting to news that the New York Assembly and Senate have passed health data privacy bills, Mulrow-Peattie indicated that while she supports the legislation's goal, she is "concerned about the broad definitions in the bill of regulated health information, in particular around inferences and regulated entity." She added that this could be overly burdensome for New York businesses to comply with, particularly advertising and small health-related organizations.

Hinshaw & Culbertson LLP is a U.S.-based law firm with offices nationwide. The firm's national reputation spans the insurance industry, the financial services sector, professional services, and other highly regulated industries. Hinshaw provides holistic legal solutions—from litigation and dispute resolution, and business advisory and transactional services, to regulatory compliance—for clients of all sizes. Visit www.hinshawlaw.com for more information and follow @Hinshaw on LinkedIn and X.