With 2025 right around the corner, eight additional U.S. state privacy laws will go into effect, joining California, Colorado, Connecticut, Montana, Oregon, Texas, Utah, and Virginia:
- Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
- Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
- Nebraska Data Privacy Act (effective Jan. 1, 2025)
- New Hampshire Privacy Act (effective Jan. 1, 2025)
- New Jersey Data Privacy Act (effective Jan. 15, 2025)
- Tennessee Information Protection Act (effective July 1, 2025)
- Minnesota Consumer Data Privacy Act (effective July 31, 2025)
- Maryland Online Data Privacy Act (effective Oct. 1, 2025)
While many of these eight state privacy laws are similar to current privacy laws in effect, there are some noteworthy differences that you will need to be mindful of heading into the New Year. Additionally, if you did not take Texas, Oregon and Montana into consideration in 2024, now is the time to do so!
Here is a roadmap of key considerations as you address these additional state privacy laws.
1. Understand What Laws Apply to Your Organization
To help determine what laws apply to your organization, you need to know the type and quantity of personal data you collect and how it is used. Each of the eight new state laws differ with their scope of application, as their thresholds vary based on the 1) number of state residents whose personal data controlled or processed and 2) the percentage of revenue a controller derives from the sale of personal data.
Delaware, New Hampshire, and Maryland have the lowest processing threshold – 35,000 consumers.
Nebraska’s threshold requirements are similar to Texas’ threshold requirements: the law applies to any organization that operates in the state, processes or sells personal data, and is not classified as a small business as defined by the U.S. Small Business Administration.
Notably, Maryland and Minnesota will apply to non-profits, except for those that fall into a narrow exception.
See our chart at the end of this article for ease of reference.
2. Identify Nuances
Organizations will need to pay particular attention to Maryland’s data minimization requirements as it is the strictest of the eight. Under Maryland, controllers will have unique obligations to meet, including the following:
- Limit the collection or processing of sensitive data to what is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.”
- Cannot process minors’ (under 18 years old) personal data for targeted advertising.
- A broad prohibition on the sale of sensitive data.
If a controller engages in the sale of sensitive data, under Texas’ privacy law, which went into effect in July 2024, requires controllers to include the following notice in the same place your privacy policy is linked: “NOTICE: We may sell your sensitive personal data.” Similarly, if a controller engages in the sale of biometric personal data, the following notice must be included in the privacy policy: “NOTICE: We may sell your biometric personal data.” Nebraska requires companies to obtain opt-in consent before selling sensitive data. Maryland prohibits the sale of sensitive data altogether.
Minnesota takes data inventory a step further, requiring companies to maintain an inventory of personal data processed and document and maintain a description of the policies and procedures that they adopt to comply with the act.
3. Refine Privacy Rights Management
All states provide consumers with the right to access, delete, correct (except Iowa), and obtain a copy of their personal data.
Minnesota’s law provides consumers with two additional rights:
- The right to request the specific third parties to whom a business has disclosed personal data. Controllers may choose to respond to such a request either by providing the names of the specific third parties to which it has disclosed the consumer’s personal data or the name of third parties to which it has disclosed any personal data.
- The right to question the results of a controller’s profiling, to the extent it produced legal effects. Consumers will have the right to be informed of the reason that the profiling resulted in a specific decision and be informed of the actions the consumers may take to secure a different decision in the future.
Aligning with California and Utah, Iowa requires controllers to provide notice and an opportunity to opt out of the processing of sensitive data.
Interestingly, Iowa does not affirmatively establish a right to opt-out of online targeted advertising.
4. Conduct Data Privacy Impact Assessments
Most state privacy laws require controllers to conduct data privacy impact assessments for high-risk processing activities such as the sale of personal data, targeted advertising, profiling, and sensitive data processing. Nebraska, Tennessee, Minnesota, and Maryland follow Oregon by including any processing activities that present a heightened risk of harm to a consumer. Maryland takes this a step further in requiring the assessment include an assessment of each algorithm that is used.
5. Update Privacy Notices
All state privacy laws require privacy notices at the time of collecting personal data. It is essential you keep your privacy notice up-to-date and ensure (at a bare minimum) it covers data categories, third-party sharing, consumer privacy rights options, and opt-out procedures. Minnesota also requires controllers to provide a "reasonably accessible, clear, and meaningful" online privacy notice, posted on its homepage using a hyperlink that contains the word "privacy."
As state privacy laws stack up, having a structured, adaptable, and principles-based approach paves the path to sustainable compliance.
Make 2025 the year your privacy program doesn’t just meet the minimum—it excels.
Click here to view the 2025 US State Privacy Laws Applicability Chart
[View source.]