Get ready to ring in the new year with five new state privacy laws. 2025 will see five new comprehensive consumer privacy laws quickly coming into effect. Four laws, the Delaware Personal Data Privacy Act (DPDPA), the Iowa Consumer Data Protection Act (ICDPA), the Nebraska Data Privacy Act (NDPA), and New Hampshire’s SB 255 (NH SB 255), will become effective on January 1, while the fifth, New Jersey’s SB 322 (NJ SB 322), goes into force on January 15.
With the exception of Nebraska’s NDPA, the applicability thresholds for the laws all follow the pattern used by most other state data privacy laws currently in effect. Persons or entities who do business in the respective state may become subject to the law if they either:
- process the personal information of a certain number of state residents (that number is 100,000 for most states) or
- process the personal information of a lower number of state residents while deriving a certain percentage of gross revenue from the sale of personal data.
NJ SB 322 deviates slightly from the norm regarding the latter threshold by not setting any minimum revenue percentage: entities that process the data of 25,000 NJ residents and derive any revenue or discount from selling personal data are subject to the law.
Nebraska’s NDPA, on the other hand, follows the significantly broader approach to applicability pioneered by the Texas Data Privacy and Security Act (the TDPSA). Rather than setting thresholds, the NDPA, like the TDPSA, applies to any entity that does business in the state, is not a small business as defined by the U.S. Small Business Administration, and processes or sells the personal data of even one state resident.
Each of the laws going into effect in January 2025 also provides certain categories of exemptions. All five, for example, provide an exemption for entities regulated by the federal Gramm-Leach-Bliley Act, which covers financial institutions and other financial service providers that collect non-public consumer financial information. Other exemptions, however, vary from law to law. For example, Iowa’s ICDPA has a wholesale entity-level exemption for businesses regulated by the Health Insurance Portability and Accountability Act (HIPAA), while the Delaware and New Jersey laws contain only data-level exemptions for data that is regulated by HIPAA.
All five of the forthcoming new laws will grant similar rights to consumers, which generally align with those afforded by other existing state data privacy laws. Additionally, all five grant sole enforcement authority to their respective Attorneys General, and none create a private right of action. Notably, NJ SB 322 joins the laws of Colorado and California in granting rulemaking authority to a state administrative agency, and privacy commentators are currently awaiting proposed rulemaking by the New Jersey Division of Consumer Affairs.
With active enforcement by several states’ Attorneys General and a trend toward broader applicability (see our client alert on the topic for more information), data privacy compliance is becoming increasingly important and increasingly complex. Companies should carefully evaluate whether they are subject to any laws coming into effect and take steps now to ensure compliance.