- Myriad laws have businesses ‘screaming for uniformity’
- Maryland data requirements differ from other states
Companies that handle consumer data must comply with eight new state privacy laws in 2025, further complicating the array of differing requirements they must follow nationwide.
Five of those laws take effect in January in Delaware, Iowa, Nebraska, New Hampshire and New Jersey. Tennessee, Minnesota, and Maryland come online later in the year. Twenty states overall have enacted broad data privacy protections that give residents more control over how businesses collect and use their data.
Businesses will face new challenges in adhering to numerous laws that are broadly similar but each have their own nuances. More states are likely to consider additional requirements next year, especially as a proposed federal standard has stalled in Congress.
“Businesses are screaming for some uniformity here,” Gary Kibel, partner at Davis+Gilbert LLP, said.
The new laws largely follow those already in effect in states such as Colorado, Connecticut, and Virginia. They give consumers rights over their data, such as the ability to know what information a company collects and request its deletion.
Under the laws, consumers must be given choices over whether their data can be sold or used for purposes such as targeted advertising. The laws include higher privacy standards for sensitive data, though states differ in how they define that category. Some also exempt different entities from the requirements, such as financial institutions regulated under federal law.
Maryland’s law will be closely watched. The measure will be an anomaly among states for its “very restrictive approach” to data processing and sales, said Nancy Libin, partner at Davis Wright Tremaine LLP.
“The difference in approach that the Maryland law takes is really fundamental,” she said.
The comprehensive privacy laws taking effect in 2025 will be enforced by attorneys general and don’t allow individuals to sue.
Delaware: Jan. 1
Delaware’s privacy law will apply to entities that handle the personal data of at least 35,000 consumers in the state per year or 10,000 if more than 20% of gross revenue comes from selling personal data.
The law doesn’t exempt most nonprofits. That’s a departure from privacy requirements in many other states, where “for the most part, nonprofits have been spared,” Libin said.
The measure also includes a broader definition of sensitive data than elsewhere to include transgender or non-binary status. Companies must obtain consent to process such data. Businesses will have 60 days to fix violations without penalty until the end of 2025.
Iowa: Jan. 1
Privacy advocates said Iowa’s law has weaker consumer protections than other states. The law applies to businesses that handle the personal data of at least 100,000 residents or 25,000 if more than half of gross revenue comes from selling personal data.
Consumers have more limited rights than they do elsewhere as the law doesn’t allow them to correct inaccuracies in their data. Businesses can fix violations within 90 days without penalty.
Nebraska: Jan. 1
Nebraska’s law applies to businesses that process or sell the personal data of state residents. It exempts small businesses as defined by the federal Small Business Act, except for a provision requiring consumer consent to sell sensitive data.
Businesses have 30 days to fix violations without penalty.
New Hampshire: Jan. 1
The law applies to companies that handle the data of at least 35,000 residents a year or 10,000 if more than 25% of gross revenue comes from selling personal data.
Companies will have 60 days to correct violations without penalty through the end of 2025. The state attorney general’s office created a new data privacy unit to spearhead enforcement.
New Jersey: Jan. 15
Companies fall under the law if they handle the personal data of at least 100,000 residents per year or 25,000 if they sell personal data. Nonprofits are included.
The law includes transgender or non-binary status as well as financial information in its definition of sensitive data, which companies need consent to process.
Businesses have 30 days to fix violations without penalty for the first 18 months.
Tennessee: July 1
Tennessee’s law will apply to companies that exceed $25 million in annual revenue. They must also handle the personal data of 175,000 residents or 25,000 if more than half of gross revenue comes from selling personal information.
Companies have 60 days to fix violations without penalty. Businesses have an affirmative defense against violation action if their privacy program conforms to the National Institute of Standards and Technology privacy framework.
Minnesota: July 31
Minnesota’s privacy law stands out for giving consumers the right to question automated decisions made via profiling, when personal data is used to evaluate or predict a person’s characteristics. The law applies to entities—including most nonprofits—that handle the personal data of at least 100,000 residents per year or 25,000 if more than a quarter of gross revenue comes from selling personal data.
Consumers also have the right to see the specific third parties to which their data was disclosed, which “can be an enormous undertaking” for businesses, Libin said.
The right for businesses to fix violations without penalty for 30 days expires on Jan. 31, 2026.
Maryland: Oct. 1
Maryland’s law is “definitely the most impactful” among those taking effect in 2025, Kibel said. The law’s data minimization requirements mean businesses can’t collect more data than what’s reasonably necessary to provide a requested service. Companies also can’t sell sensitive data.
The law applies to companies and most nonprofits that handle the personal data of at least 35,000 consumers per year or 10,000 if more than 20% of gross revenue comes from selling it. Businesses already need to think about the law’s requirements as they develop products and services, Libin said.
“It may be very hard to retrofit your systems to accommodate this,” she said.