On April 14, 2025, the National Institute of Standards and Technology (NIST) released a draft update to the NIST Privacy Framework. The NIST Privacy Framework was originally launched in January 2020 as “a voluntary tool that can help organizations manage privacy risk arising from their products and services, as well as demonstrate compliance with laws that may affect them[.]” Although the NIST Privacy Framework doesn’t carry the force of law, it serves as a significant benchmark for privacy compliance.
In the five years since the NIST Privacy Framework’s introduction, the data privacy and security landscape has changed in myriad ways. At the time of the initial version of the NIST Privacy Framework, the country’s first comprehensive privacy legislation, the California Consumer Privacy Act, had only just come into effect. Now, almost half of US states have similar legislation, with some of these laws expressly linking compliance to participation in the NIST Privacy Framework. The rapid adoption of sophisticated artificial intelligence applications and the evolution of advanced cybersecurity threats have further complicated the data privacy compliance landscape. NIST has responded to these changes by publishing the NIST AI Risk Management Framework and updating the NIST Cybersecurity Framework, both of which complement the NIST Privacy Framework.
The proposed updates to the NIST Privacy Framework are intended to account for these changes. For example, the amendments seek to maintain alignment between the NIST Privacy Framework and last year’s updates to the NIST Cybersecurity Framework. Specifically, targeted changes to the NIST Privacy Framework core structure and content have been made to maintain alignment with the updated NIST Cybersecurity Framework, with a focus on the Govern and Protect functions. The updates also add a discussion in the NIST Privacy Framework outlining how AI and privacy risks relate to one another.
Organizations have until June 13, 2025, to submit comments on the draft updates.