Navigating the Expanding Patchwork of U.S. State Privacy Laws: What’s Coming in 2025

As we head into 2025, the landscape of data privacy laws in the United States is poised for a major shift. A whopping eight new privacy laws will come online throughout 2025, increasing compliance requirements for businesses while offering consumers more control over their personal data.

These state laws will impact a significant portion of the U.S. population, bringing new challenges and opportunities for companies operating across state lines. Keep reading for a look at the key state privacy laws going into effect in 2025, including a summary of each and their potential impact on businesses.

January 1, 2025: A New Year, New Laws

On January 1, 2025, comprehensive privacy laws will go into effect in four states: Delaware, Nebraska, New Hampshire, and Iowa.

Delaware Personal Data Privacy Act (DPDPA)

Delaware’s privacy law applies to businesses that:

1. Conduct business in Delaware or produce products or services targeted to Delaware residents, AND in a calendar year:
2. Control or process the personal data of:
   • At least 35,000 Delaware consumers (excluding data processed solely for payment transactions) OR
   • At least 10,000 Delaware consumers, while deriving more than 20% of annual gross revenue from the sale of personal data

The DPDPA gives consumers the right to access, confirm, correct, delete, and transfer the personal data a business holds on them. It also provisions the right to opt-out of the sale of data and targeted advertising.

Under Delaware's privacy law, businesses must also:

• Honor universal opt-out signals starting January 1, 2026
• Conduct data protection assessment if they process data of more than 100,000 consumers for the purposes of targeted advertising, data sales, and profiling
• Obtain parental consent for processing the data of children under 13

A 60-day cure period is automatically granted until January 1, 2026, after which it’s at the discretion of the Delaware Department of Justice (DDOJ). Willful violations of the DPDPA can result in fines of up to $10,000 per violation.

Learn more: Diving into Delaware's Privacy Law: Key Requirements for Compliance

Nebraska Data Privacy Act (NDPA)

The Nebraska Data Privacy Act applies to entities that:

• Conduct business in Nebraska or produce products or services consumed by Nebraska residents AND
• Processes or engages in the sale of personal data AND
• Is not a small business as determined under the federal Small Business Act

Under Nebraska’s privacy law, consumers have the right to access, confirm processing, correct, delete, transfer, and opt-out of data sales and targeted advertising. The sale of sensitive personal data is prohibited without consumer consent and the act mandates that universal opt-out signals be recognized from day one.

The law also includes a 30-day cure period, after which businesses may face civil penalties of up to $7,500 per violation. The Attorney General will handle enforcement, and no private right of action is provided.

Learn more: The Nebraska Data Privacy Act: Key Requirements for Compliance

New Hampshire Privacy Act (NH SB 255)

New Hampshire's privacy law applies to businesses that:

• Conduct business in New Hampshire or target products or services to New Hampshire residents AND
• Process the personal data of at least 35,000 consumers (excluding data solely used for payment transactions) OR
• Process the data of at least 10,000 consumers and derive over 25% of revenue from the sale of personal data

SB 255 provides the typical consumer rights—access, confirmation of processing, correction, deletion, portability, and the right to opt-out of data sales and targeted advertising. Businesses are required to recognize universal opt-out signals, like the Global Privacy Control, by law’s effective date: January 1, 2025.

The law includes specific protections for sensitive data. It restricts the processing of data for children under 13, and imposes additional safeguards for data used in targeted advertising or profiling of consumers aged 13 to 15.

Enforcement falls to the Attorney General, who is authorized to impose civil fines of up to $10,000 for each violation. Additionally, if there's evidence that a business is willfully disregarding the law, the Attorney General can seek criminal penalties of up to $100,000 per violation.

Learn more: Navigating New Hampshire's Data Privacy Law: Compliance Requirements for Businesses

Iowa Consumer Data Protection Act (ICDPA)

The Iowa Consumer Data Protection Act (ICDPA) applies to businesses that:

• Conduct business in Iowa or produce products or services targeted at Iowa consumers, and either:
• Control or process personal data of at least 100,000 Iowa consumers OR
• Derive over 50% of revenue from selling the personal data of at least 25,000 Iowa consumers

Iowa's privacy law includes rights for consumers such as access, confirmation of processing, deletion, portability, and the ability to opt-out of targeted advertising and data sales. Notably, the ICDPA does not grant a right to correct inaccurate information and consumers do not have the right to opt-out of profiling.

Learn more: Unveiling Iowa's Privacy Law—What Businesses Need to Know

January 15, 2025: New Jersey's law goes into effect

New Jersey’s Data Privacy Act (NJ SB 322) applies to entities or individuals that:

• Determine the purpose and means of processing personal information, while conducting business in New Jersey or targeting New Jersey residents AND
• Control or process the data of at least 100,000 New Jersey consumers OR
• Control or process the data of 25,000 New Jersey consumers and derive revenue or discounts from the sale of personal data

Under New Jersey’s privacy law, consumers have the right to access, delete, correct, and transfer their personal data. They’re also granted the right to opt-out of data sales, targeted advertising, automated decision making, and profiling.

If a business denies a consumer's request for access, deletion, etc., they have the right to appeal that decision.

Like many other state privacy laws, New Jersey requires that businesses honor universal opt-out signals, but gives businesses a six month grace period before enforcement begins on July 15, 2025.

Additionally, NJ SB 322 grants rulemaking authority to the New Jersey Division of Consumer Affairs, giving the state more flexibility to adapt the law’s implementation over time.

Learn more: New Jersey's Privacy Law Explained: What Businesses Need to Know

Mid-2025: Three more states join the privacy party

After the initial flurry of activity in January, we’ll see a nearly six month break before three more state laws come into effect in the second half of the year.

July 1, 2025: Tennessee Information Protection Act (TIPA)

The Tennessee Information Protection Act applies to businesses that:

• Conduct business in Tennessee or produce products/services targeted at Tennessee residents AND
• Exceed $25 million in revenue AND
• Control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information OR
• Control or process personal data of at least 175,000 consumers

The law provides consumers with the right to access, confirm processing, correct, delete, transfer, and opt-out of targeted advertising and data sales. Sensitive data processing (including data of consumers under 13) must comply with COPPA requirements.

There is a 60-day cure period, and violations can lead to fines of up to $7,500 per violation.

Learn more: The Tennessee Information Protection Act: Compliance Requirements and Checklist

July 31, 2025: Minnesota Consumer Data Privacy Act (MCDPA)

The Minnesota Consumer Data Privacy Act applies to entities that:

• Conduct business in Minnesota or target Minnesota residents AND
• Control or process personal data of at least 100,000 consumers in a calendar year (excluding data processed solely for payment transactions) OR
• Derive more than 25% of gross revenue from the sale of personal data and process/control the data of at least 25,000 consumers

Under Minnesota’s privacy law, consumers have the right to access, confirm processing, correct, delete, transfer, and opt-out of data sales and targeted advertising.

In cases of profiling with significant effects (such as decisions that impact the consumer’s life or livelihood—think applying for a mortgage), consumers have the right to question the result, be informed of the reason for profiling, and request information on what actions could have resulted in a different outcome.

The MCDPA is one of the stricter privacy laws in the U.S. today, sporting a few unique provisions:

• Consumers have the right to request a list of the “specific third parties to which the controller has disclosed the consumer’s personal data.”
• Businesses must establish and maintain data inventories. This law is the only U.S. state privacy law to explicitly require data inventories, though they are always a best practice.
• Unless required by law or permitted by an exception, controllers are prohibited from retaining "personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed.” In other words, data minimization is an explicit requirement of the MCDPA.

Businesses must recognize universal opt-out signals as of the law’s effective date.

Violations are subject to fines of up to $7,500 per violation. There is an initial 30-day cure period, but that expires January 31, 2026. Enforcement will be handled by the Attorney General.

Learn more: The Minnesota Consumer Data Privacy Act: Everything Businesses Need to Know

October 1, 2025: Maryland Online Data Privacy Act (MODPA)

The Maryland Online Data Privacy Act applies to businesses that:

• Conduct business in Maryland or target Maryland residents AND
• Process personal data of at least 35,000 consumers (excluding data processed solely for payment transactions) OR
• Process personal data of at least 10,000 consumers and derive more than 20% of gross revenue from the sale of personal data

Consumers protected by Maryland's privacy law have the right to access, confirm processing, correct, delete, transfer, and opt-out of targeted advertising and data sales.

There is some question as to whether businesses are required to recognize universal opt-out signals. The text of the law suggests that it's optional, but experts believe it was written in a way that implies the intention was for it to be mandatory. This will definitely be one piece of the law to watch as enforcement draws closer.

The Attorney General’s Division of Consumer Protection will enforce the law. There is a discretionary 60-day cure period, but it only applies to violations occurring before April 1, 2027.

Violators of the MODPA may be fined up to $7,500 per violation, with $25,000 for repeated violations. Criminal penalties are also possible for severe violations.

Learn more: Maryland's Data Privacy Law: What Businesses Need to Know

Five notable outliers in 2025’s privacy laws

1. Maryland sports stricter provisions for sensitive data

Maryland’s privacy law introduces stricter controls on sensitive data, allowing its collection, processing, and sharing only when deemed strictly necessary for a specific service or product. The sale of sensitive data is outright banned.

Controllers must ensure the personal data they collect is limited to what’s necessary and proportionate to the service requested by the consumer. Additionally, targeted advertising based on the personal data of consumers under 18 is prohibited, and the sale of data for minors is only allowed with explicit consent.

2. High revenue threshold in Tennessee, plus an affirmative defense provision

Tennessee's privacy law stands out by combining both a high revenue threshold and a large volume of consumer data processed. This means that far fewer businesses will fall under the law's purview.

The Tennessee Information Protection Act (TIPA) also introduces a unique affirmative defense provision, allowing businesses to defend against violations by implementing a written privacy program that aligns with recognized standards like the NIST Privacy Framework.

3. Minnesota’s profiling rights

Minnesota's Consumer Data Privacy Act (MCDPA) provides consumers with several rights related to profiling. Consumers have the right to question the results of profiling decisions and ask for information about how the decision was made.

Additionally, consumers are entitled to review the personal data used in the profiling process. If the decision was based on inaccurate data, consumers can ask for corrections to be made and for the decision to be reassessed. Finally, consumers have the right to opt out of profiling when it leads to automated decisions with significant consequences.

4. New Hampshire’s data broker registration requirement, plus biometric data protections

Data broker registration

Under the New Hampshire Privacy Act, businesses that collect and sell consumer data are required to register as data brokers. This applies to entities that control or process personal data of New Hampshire residents and engage in the sale of this data, including exchange for valuable consideration. Data brokers must comply with additional reporting and transparency obligations.

Biometric data protection

The law explicitly defines biometric data as sensitive data, requiring that businesses obtain consumer consent before processing data such as fingerprints, facial recognition, and more.

5. Iowa’s business friendly approach

Iowa’s Consumer Data Protection Act (ICDPA) is notably more relaxed compared to other state privacy laws. It offers a 90-day cure period for alleged violations, the longest of any U.S. privacy law, and does not provide consumers the right to opt out of profiling.

Additionally, businesses have 90 days to respond to privacy rights requests, a much longer time frame than most other states, which typically require responses within 30 to 45 days.

The road ahead for businesses

With eight privacy laws coming into force in 2025, businesses will see a dramatic increase in the complexity of their compliance programs—especially if they operate across multiple states. As the U.S. privacy landscape becomes more fragmented, companies will need to carefully evaluate their obligations under each law and take steps to ensure compliance.

About Transcend

Transcend is the next-generation privacy platform. Encoding privacy at the code layer, we offer solutions for any privacy challenge your teams may be facing—including getting you ready for any (or all) of the state privacy laws coming into force in 2025.

From Consent Management to DSR Automation to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, Unstructured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.