Alerts and Updates

Eight New State Privacy Laws Take Effect in 2025 – Are You Ready?

December 2, 2024

As we come to the end of the year, companies operating in the United States should be planning their compliance strategies for the new upcoming privacy laws that go into effect in 2025 for New Hampshire, Delaware, Iowa, Nebraska, New Jersey, Tennessee, Minnesota and Maryland. While many of the rights and obligations of these new laws overlap, each has its own nuances. Now is the time to take stock of current privacy strategies and reassess them as needed to remain compliant with this incoming batch of state privacy laws.

In the absence of a federal comprehensive privacy law, states have been enacting their own patchwork of laws. There are currently 19 states that have passed comprehensive privacy laws. The following will become effective in 2025:

  1. New Hampshire SB 255 Privacy Act (January 1, 2025)
  2. Delaware Personal Data Privacy Act (January 1, 2025)
  3. Iowa Consumer Data Protection Act (January 1, 2025)
  4. Nebraska Data Privacy Act (January 1, 2025)
  5. New Jersey SB 332 Data Protection Act (January 15, 2025)
  6. Tennessee Information Protection Act (July 1, 2025)
  7. Minnesota Consumer Data Privacy Act (July 31, 2025)
  8. Maryland Online Data Privacy Act (October 1, 2025)

Scope and Applicability

Generally, the applicability thresholds for these new laws follow the pattern implemented by most of the other state data privacy laws currently in effect. Entities that do business in the respective state may become subject to the law if they either: (i) control or process the personal data of a certain number of state consumers per year (with certain exclusions, such as payment transactions); or (ii) control or process the personal data of a lower number of state consumers per year while deriving a certain percentage of gross revenue from the sale of personal data. In Tennessee, there is an additional threshold of having an annual revenue of at least $25 million, and Nebraska has adopted the broad threshold otherwise only seen in Texas where the law applies to companies processing personal information in Nebraska that are not a “small business” as defined by the U.S. Small Business Administration.

New Hampshire (effective January 1, 2025)

  1. Controls or processes the personal data of no less than 35,000 unique consumers in New Hampshire, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. Controls or processes the personal data of no less than 10,000 unique consumers in New Hampshire and derives more than 25 percent of their gross revenue from the sale of personal data.

Delaware (effective January 1, 2025)

  1. Controls or processes the personal data of 35,000 Delaware consumers per year (excluding payment transactions); or
  2. Processes and controls the personal data of 10,000 Delaware consumers per year and derives 20 percent revenue from the sale of personal data.

Iowa (effective January 1, 2025)

  1. Controls or processes the personal data of 100,000 Iowa consumers per year; or
  2. Processes or controls the personal data of 25,000 Iowa consumers per year and derives 50 percent revenue from the sale of personal data.

Nebraska (effective January 1, 2025)

  1. Conducts business in Nebraska or produces a product or service consumed by residents of Nebraska; and
  2. Processes or engages in the sale of personal data; and
  3. Is not a small business as determined under the federal Small Business Act, except that such person shall not engage in the sale of sensitive data without the consumer’s prior consent.

New Jersey (effective January 15, 2025)

  1. Controls or processes the personal data of at least 100,000 New Jersey consumers, excluding personal data processed solely for the purpose of completing a payment transaction; or
  2. Controls or processes the personal data of at least 25,000 New Jersey consumers and the controller derives revenue or receives a discount on the price of any goods or services from the sale of personal data.

Tennessee (effective July 1, 2025)

Annual revenue of at least $25 million and either:

  1. Controls or processes the personal data of 175,000 Tennessee consumers per year; or
  2. Processes or controls the personal data of 25,000 Tennessee consumers per year and derives 50 percent revenue from the sale of personal data.

Minnesota (effective July 31, 2025)

  1. Controls or processes the personal data of at least 100,000 Minnesota consumers per year, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. Derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of at least 25,000 consumers.

Maryland (effective October 1, 2025)

  1. Controls or processes the personal data of at least 35,000 Maryland consumers per year, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. Controls or processes the personal data of at least 10,000 Maryland consumers and derived over 20 percent of gross revenue from the sale of personal data per year.

Exemptions

All of the forthcoming laws provide certain entity- and data-level exemptions. While exemptions tend to vary by law, some of the exemptions under these laws include businesses and/or data regulated by the federal Gramm-Leach-Bliley Act, Fair Credit Reporting Act, Family Educational Rights and Privacy Act, Health Insurance Portability and Accountability Act and Driver's Privacy Protection Act, as well as nonprofit organizations engaged in specific missions.

Controller’s Obligations

Common obligations and requirements imposed on data controllers by these new laws include:

  • Purpose limitation
  • Data minimization
  • Nondiscrimination
  • Privacy notices/transparency obligations
  • Opt-out mechanisms for the sale of personal data and targeted advertising
  • Data security safeguards
  • Data processing agreements
  • Data protection impact assessments for certain high-risk processing activities

Consumer Rights

Common consumer rights recognized by these new laws include:

  • Right to access
  • Right to correct
  • Right to delete
  • Right to opt out of certain processing activities
  • Right to portability

Next Steps

As we move into 2025, businesses should carefully evaluate whether they are subject to any of the laws coming into effect and take steps to ensure compliance, including:

  • Reviewing and updating consumer-facing privacy policies and notices to include consumer rights under the applicable laws and to ensure that these privacy notices are accurate regarding their current privacy practices
  • Re-assessing privacy strategies and updating risk and contractual processes, including implementing data privacy impact assessments and data protection agreements for service providers/processors and third parties
  • Updating data privacy rights request forms and processes
  • Reviewing and enhancing data security safeguards

For More Information

If you have any questions about this Alert, please contact Michelle Hon Donovan, Sandra A. Jeskie, Milagros Astesiano, any of the attorneys in our Privacy and Data Protection Group or the attorney in the firm with whom you are regularly in contact.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.