With the advent of a new year comes a new set of consumer data privacy laws in the United States. Five new state data privacy laws go into effect in January 2025, with additional laws coming throughout 2025 and into 2026. Here we provide a summary of the data privacy laws that take effect in 2025. Businesses in all 50 states should assess the impact of upcoming and existing state data privacy laws on their business and be prepared to implement compliant data policies and practices.
Delaware Personal Data Privacy Act (January 1, 2025)
The Delaware Personal Data Privacy Act (“DPDPA”) creates data privacy requirements for anyone who (i) conducts business in Delaware or produces products or services targeted to Delaware residents and (ii) during the preceding calendar year, either:
- controlled or processed the personal data of at least 35,000 Delaware residents (other than solely for the purpose of completing a payment transaction); or
- controlled or processed the personal data of at least 10,000 Delaware residents and derived more than twenty percent (20%) of their gross revenue from the sale of personal data.
The DPDPA’s threshold for volume of personal data processed is noticeably lower than most states, potentially expanding the scope of the law. Like many other state data privacy laws, the DPDPA requires controllers to post clear and accessible privacy notices, implement appropriate data security measures, obtain consent from consumers before collecting or processing sensitive personal data, conduct data protection assessments for activities that may present a heightened risk of harm to consumers’ privacy, and enter into compliant contracts with data processors.
Iowa Act Relating to Consumer Data Protection (January 1, 2025)
The Iowa Act Relating to Consumer Data Protection (“ICDPA”) applies to businesses within the state or producing products or services targeted at Iowans that also meet one of the following criteria:
- control or process personal data of at least 100,000 Iowans; or
- control or process personal data of at least 25,000 Iowans and derive over fifty percent (50%) of gross revenue from the sale of personal data.
The ICDPA is considered somewhat “business-friendly” as it offers consumers fewer rights than other state data privacy laws. For example, the ICDPA does not allow consumers the right to correct their personal data or the right to opt out of targeted advertising and profiling. The ICDPA also provides businesses with a 90-day period to cure violations. Although the ICDPA’s requirements are less stringent than those of other states, the penalties for violations can still sting at up to $7,500 per uncured violation.
Nebraska Data Privacy Act (January 1, 2025)
The Nebraska Data Privacy Act (“NDPA”) applies to businesses that (i) conduct business in Nebraska or produce a product or service consumed by Nebraska residents, (ii) process or engage in the sale of personal data, and (iii) are not a small business as defined by the federal Small Business Act (unless the business engages in the sale of sensitive data without the consumer’s prior consent).
Like Texas, Nebraska has a “small business” exemption to its law. While facially more lenient to smaller companies, many companies unknowingly fall outside the definition of a “small business” under the Small Business Administration guidelines. Companies that are unsure whether they qualify for this exemption should contact an attorney to ensure they are compliant with the law’s requirements.
New Hampshire (January 1, 2025)
The New Hampshire Privacy Act (“NH Act”) applies to “controllers” of personal data who either conduct business in New Hampshire or produce a product or service consumed by New Hampshire residents and who, within one year, either:
- control or process the personal data of at least 35,000 New Hampshire consumers; or
- control or process the personal data of at least 10,000 New Hampshire consumers and derive at least 25% of gross revenue from the sale of personal data.
Like the DPDPA, the NH Act has a broad scope in terms of volume of personal data processed. However, the NH Act also contains an expansive definition of “sensitive” personal data, which includes genetic or biometric data, personal data of a known child, and precise geolocation data. The NH Act also requires controllers to practice data minimization and to conduct a data protection impact assessment for any activities that present a heightened risk of harm, such as using personal data for targeted advertising, selling personal data, and the processing of sensitive personal data.
New Jersey (effective January 15, 2025)
The New Jersey Privacy Act (“NJPA”) applies to controllers that conduct business in New Jersey or produce products or services targeted to New Jersey residents and meet one of the following criteria:
- control or process the personal data of at least 100,000 New Jersey residents (other than solely for the purpose of completing a payment transaction); or
- control or process the personal data of at least 25,000 New Jersey residents and derive revenue or receive a discount, in any amount, on the price of goods or services from the sale of personal data.
Like Delaware’s legislation, the NJPA does not provide for entity-level exemptions for certain nonprofit organizations, certain institutions of higher education, or companies subject to HIPAA, but does contain certain exemptions for financial institutions governed by the GLBA. New Jersey also requires proactive data protection assessments for the processing of sensitive personal data and joins other states such as Colorado and California in requiring the use of a universal “opt-out” mechanism for data sales.
Tennessee Information Protection Act (effective July 1, 2025)
The Tennessee Information Protection Act (“TIPA”) applies to businesses that (i) conduct business in Tennessee or produce products or services that target Tennesseans, (ii) exceed $25 million in annual revenue, and (iii) meet one of the following criteria:
- control or process personal information of at least 25,000 consumers and derive more than fifty percent (50%) of gross revenue from the sale of personal information; or
- control or process the personal information of at least 175,000 consumers.
The TIPA is considered relatively “business-friendly” due partly to its narrow scope and its “safe harbor” affirmative defense for controllers and processors that implement a written privacy program that “reasonably conforms” to the current standards set by the National Institute of Standards and Practices (NIST), among other requirements. Tennessee is also the first state to exempt state-licensed insurance companies from compliance with a data privacy law. Finally, TIPA provides for a 60-day cure period for any violations, the second-longest cure period of all state privacy laws.
Minnesota (effective July 31, 2025)
The Minnesota Consumer Data Privacy Act (“MCDPA”) applies to “controllers” of personal data who either conduct business in Minnesota or produce a product or service consumed by Minnesota residents and who, within one year, either:
- control or process the personal data of at least 100,000 New Hampshire consumers, or
- control or process the personal data of at least 25,000 New Hampshire consumers and derive at least 25% of gross revenue from the sale of personal data.
Minnesota’s law provides consumers with rights regarding profiling in furtherance of decisions that produce legal or similarly significant effects (the type of data use that may become significantly more prevalent with the rise of generative artificial intelligence). Consumers have the right to question the result of the profiling, be informed of the reason the profiling resulted in the decision, review and if necessary, correct the personal data used in profiling, and where possible, be informed of what actions the consumer could have taken to secure a different decision. The MCDPA also exempts insurance companies from compliance with the law, following Tennessee’s lead. Minnesota also requires controllers to allow consumers to opt out of processing their data via a universal opt-out mechanism.
Maryland Online Data Privacy Act (effective October 1, 2025)
The Maryland Online Data Privacy Act (“MDODPA”) applies to anyone who either conducts business in Maryland or produces a product or service consumed by Maryland residents and who, within the previous calendar year, either:
- controlled or processed personal data of at least 35,000 Maryland consumers, or
- controlled or processed the personal data of at least 10,000 Maryland consumers and derived at least 20% of gross revenue from the sale of personal data.
The MDODPA is unique among state privacy laws passed thus far in prohibiting both sales of sensitive personal data and some types of processing sensitive personal data, regardless of consumer consent. Similarly, controllers are required to limit the collection of personal data, again regardless of consumer consent, to what is “reasonably necessary and proportionate” to “provide or maintain a specific product or service requested by the consumer to whom the data pertains.” Controllers are also required to conduct and document data protection assessments.
Other Data Privacy Laws That Recently Took Effect
Additionally, several states enacted data protection laws that took effect in 2024, including Texas, Florida, Oregon, and Montana. As states continue to enact cybersecurity and data privacy laws, it’s more important than ever for businesses of all sizes to keep data privacy and security best practices at the forefront of their operational and administration priorities.