Navigating the Evolving US Privacy Landscape: Key State Laws Taking Effect in 2025


The landscape of U.S. state privacy legislation is currently experiencing unprecedented growth. Comprehensive privacy bills are gaining significant momentum across states, reflecting an increasing focus on data governance. This evolving environment necessitates that organizations remain continuously informed about new and updated regulations.

Various resources, including trackers and reports, are maintained to assist businesses in understanding these developments. These tools focus on comprehensive approaches to governing personal information, excluding bills that are narrow in scope, coverage, or the specific rights they grant. This ensures a clear focus on broad-impact legislation.

As 2025 approaches, businesses face the imperative to adapt to new legal frameworks and refine existing privacy programs. While eight new state privacy laws are specifically slated to go into effect in 2025, other existing laws will also see critical provisions or compliance deadlines become active. Understanding these changes is essential for maintaining compliance and mitigating risk.


1. **Delaware Personal Data Privacy Act**

The Delaware Personal Data Privacy Act was signed into law on September 11, 2023, and is set to go into effect on January 1, 2025. This legislation marks a significant addition to the comprehensive privacy laws across the United States. It introduces new obligations for data controllers operating within the state, impacting how personal data is collected, processed, and managed.

The Act establishes specific applicability thresholds for businesses. It applies to controllers that process the personal data of 35,000 consumers or more, or those that derive more than 20% of their gross revenue from the sale of personal data while processing the personal data of 20,000 consumers or more. These thresholds are among the lowest, potentially encompassing a broader range of organizations.

Data protection assessment requirements apply to processing activities created or generated after July 1, 2025. Additionally, the mandatory right to cure period for violations expires on December 31, 2025, after which the Attorney General will have discretion to grant cure periods. The law also mandates that businesses honor universal opt-out signals, with this requirement going into effect on January 1, 2026.

Delaware’s law also expands the definition of sensitive information to include national origin and transgender or non-binary status, alongside other categories. This broader scope necessitates that businesses conduct Data Protection Impact Assessments (DPIAs) when processing sensitive data or engaging in other high-risk activities, aligning with a growing trend among state privacy laws to impose heightened restrictions on such information.



2. **Iowa Consumer Data Protection Act**

The Iowa Consumer Data Protection Act was signed into law on March 29, 2023, and will become effective on January 1, 2025. This comprehensive privacy law adds to the varied legal landscape businesses must navigate, presenting distinct requirements and consumer rights that differ from other state statutes.

Iowa’s law generally relies on volume-based criteria for its applicability thresholds, typically applying to businesses that process the personal data of 100,000 or more residents or derive a certain portion of revenue from selling data. Organizations operating within Iowa are encouraged to assess their data processing activities against these criteria to determine their compliance obligations.

Notably, the Iowa Consumer Data Protection Act presents specific limitations regarding consumer rights. Unlike most state privacy laws, it does not affirmatively establish a right for consumers to correct inaccurate data. Furthermore, it does not explicitly provide for a right to opt-out of online targeted advertising, which is a common feature in many other comprehensive privacy statutes.

Despite these differences, the law does require controllers to provide notice and an opportunity to opt out of the processing of sensitive data. This provision underscores a baseline protection for sensitive personal information, requiring businesses to be transparent about such practices and offer consumers a choice regarding its use. Businesses must therefore ensure their privacy notices are updated to reflect these specific requirements.



3. **Nebraska Data Privacy Act**

Signed into law on April 17, 2024, the Nebraska Data Privacy Act is slated to go into effect on January 1, 2025. This legislation broadens the scope of privacy regulation, presenting new compliance considerations for organizations operating in the state. Its applicability thresholds are notably broad, aligning with an expansive approach to data governance.

The Nebraska Data Privacy Act applies to any organization that operates in the state, processes or sells personal data, and is not classified as a small business as defined by the U.S. Small Business Administration. This broad definition means that many businesses, irrespective of numerical data thresholds, will fall under the purview of this law, requiring a thorough review of their data handling practices.

A significant provision of the Nebraska law is its requirement for companies to obtain opt-in consent before selling sensitive data. This is a stricter approach compared to some other states that allow an opt-out mechanism. The law also mandates that businesses conduct data protection impact assessments (DPIAs) for high-risk processing activities, such as the sale of personal data, targeted advertising, profiling, and sensitive data processing.

Furthermore, the Nebraska Data Privacy Act requires businesses to honor universal opt-out preference signals. Such signals allow consumers to communicate their preferences regarding the sale of personal data and targeted advertising across all websites without needing to opt out individually. Businesses should prepare to integrate mechanisms that recognize and respond to these signals to ensure compliance by the effective date.



4. **New Hampshire Privacy Act (Senate Bill 255)**

The New Hampshire Privacy Act, codified as Senate Bill 255, was signed into law on March 6, 2024, and is scheduled to become effective on January 1, 2025. This new comprehensive privacy legislation introduces a set of obligations for businesses processing personal data of New Hampshire residents, adding another layer to the intricate national privacy framework.

Applicability for the New Hampshire Privacy Act begins at a threshold of processing the personal information of 35,000 residents or more. Additionally, data protection assessment requirements apply to processing activities created or generated after July 1, 2024. This means businesses should already be considering these assessments for newer activities.

A crucial aspect going into effect on January 1, 2025, is the requirement for businesses to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals. This aligns New Hampshire with several other states in empowering consumers with broad control over how their data is used for advertising and commercial purposes.

The law also specifies that the mandatory right to cure period for violations expires on December 31, 2025. After this date, attorneys general will have discretion to grant cure periods, signaling a transition to potentially stricter enforcement. This timeline highlights the importance of achieving compliance within the initial year of the law’s effectiveness.

Like many other comprehensive state privacy laws, New Hampshire’s Act also mandates that businesses conduct Data Protection Impact Assessments (DPIAs) when processing sensitive data or engaging in other high-risk processing activities. This requires a proactive approach to risk management for certain data processing operations.

5. **New Jersey Data Privacy Act (Senate Bill 332)**

The New Jersey Data Privacy Act, known as Senate Bill 332, was signed into law on January 16, 2024, with its effective date set for January 15, 2025. This legislation introduces comprehensive data privacy requirements for businesses operating within New Jersey, contributing to the growing body of state-level privacy regulations in the U.S.

Under the New Jersey Data Privacy Act, businesses are required to honor opt-out preference signals. These signals provide a standardized mechanism for consumers to express their desire to opt out of the sale of personal data and targeted advertising across different online services without needing to make individual requests on each site. Organizations should integrate the necessary technical infrastructure to recognize and respond to these signals.

The law expands the definition of sensitive information to include several new categories. These encompass national origin, transgender or non-binary status, and specific types of financial account information. This broadened scope for sensitive data means businesses handling such information will face heightened restrictions on its collection and processing, requiring careful review of current practices.

Furthermore, the Act mandates that businesses conduct Data Protection Impact Assessments (DPIAs) when processing sensitive data. This requirement extends to other high-risk processing activities as well, reinforcing the need for comprehensive risk assessments. Businesses must identify and document such activities to ensure compliance with this aspect of the law.

6. **Colorado Privacy Act**

The Colorado Privacy Act, signed into law on July 7, 2021, and initially effective on July 1, 2023, continues to evolve with significant compliance obligations going into effect throughout 2025. Businesses operating in Colorado must pay close attention to these upcoming dates, as they introduce new layers of responsibility regarding consumer data.

A critical date for compliance is January 1, 2025, when the mandatory notice of violation and right to cure period expires. After this date, the Colorado Attorney General will no longer be obligated to provide a cure period, gaining discretion to pursue enforcement actions immediately. This shift emphasizes the importance of sustained compliance and proactive remediation of any identified issues.

Further obligations take effect on July 1, 2025, focusing on the collection and processing of biometric data. Businesses engaging in such activities will face specific requirements to protect this sensitive information, including stricter consent provisions and data handling practices. This reflects a broader trend toward enhanced protection for biometric identifiers across state privacy laws.

Additionally, as of October 1, 2025, the Act imposes new obligations for data controllers that provide online services, products, or features to minors. These provisions are designed to enhance the protection of personal data belonging to individuals under a certain age, necessitating a careful review of services directed at or accessible by minors.

Since July 1, 2024, the requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals has been in effect. Businesses should already be compliant with this provision, but the ongoing evolution of the law means continued vigilance is necessary for all aspects of data processing and consumer rights in Colorado.

As the regulatory landscape continues to evolve, businesses must maintain vigilance throughout 2025, with several additional comprehensive state privacy laws and critical compliance dates becoming effective in the mid-to-late parts of the year. This ongoing progression underscores the imperative for organizations to adapt their data governance frameworks to a fragmented but increasingly robust U.S. privacy regime. Understanding these subsequent legal developments is crucial for ensuring sustained compliance and mitigating potential risks as the year unfolds.

This second section examines six further pivotal state privacy laws, highlighting their unique requirements, advanced compliance dates, and broader implications for businesses managing personal data. These laws include both new statutes coming into effect and existing legislation with significant new provisions activating in 2025, presenting a complex but navigable challenge for privacy professionals. The analysis aims to provide clear, factual insights into these developments, consistent with the objective reporting standards required for effective compliance strategies.



7. **Tennessee Information Protection Act**

The Tennessee Information Protection Act was signed into law on May 11, 2023, and is scheduled to become fully effective on July 1, 2025. This legislation introduces a comprehensive framework for data privacy within Tennessee, adding to the growing number of states with their own distinct regulations. Its implementation necessitates that businesses review their data handling practices to align with the new statutory requirements by the effective date.

Applicability of the Tennessee Act primarily relies on revenue-based thresholds, a characteristic that differentiates it from several other state privacy laws that utilize volume-based criteria. Organizations are encouraged to assess their annual gross revenue and other specified factors to determine if they fall under the purview of this legislation. Such an assessment is fundamental for identifying compliance obligations.

A key provision involves data protection assessment requirements, which apply to processing activities created or generated after July 1, 2024. This early effective date for DPIA requirements means businesses should have already been considering these assessments for newer data processing operations well in advance of the law’s general effective date. The Act includes high-risk processing activities, such as those involving sensitive data or activities presenting a heightened risk of harm to a consumer, among those requiring DPIAs.

The law also expands the definition of sensitive information to include biometric data, aligning with a broader trend among state privacy laws to enhance protection for such identifiers. Businesses processing sensitive data, including biometric information, must conduct Data Protection Impact Assessments (DPIAs), as mandated by the Act. This highlights the heightened restrictions on the collection and processing of sensitive personal information under Tennessee law.



8. **Minnesota Consumer Data Privacy Act**

The Minnesota Consumer Data Privacy Act, signed into law on May 24, 2024, is set to go into effect on July 31, 2025. This comprehensive privacy legislation introduces a robust set of consumer rights and business obligations, significantly shaping the data privacy landscape in Minnesota. Its staggered effective date, with certain provisions for postsecondary institutions deferred to July 31, 2029, allows for a phased approach to compliance.

Notably, the Minnesota Act extends its applicability to non-profit organizations, with only narrow exceptions, a divergence from many other state privacy laws that typically exempt non-profits. This broader scope mandates that a wider array of organizations operating within Minnesota undertake thorough compliance assessments. Furthermore, the law requires businesses to maintain an inventory of personal data processed and to document the policies and procedures adopted for compliance.

The Act grants consumers a comprehensive set of rights, including the standard rights to access, delete, and correct personal data. Uniquely, Minnesota’s law also provides consumers with the right to request a list of specific third parties to whom a business has disclosed personal data, or categories thereof. It further introduces the right to question the results of a controller’s profiling activities if they produce legal effects, allowing consumers to understand the basis of decisions and pursue alternative outcomes.

Data protection assessment requirements under the Minnesota Act apply to processing activities created or generated after January 1, 2025. This reinforces the need for proactive risk management for certain data processing operations, especially those deemed high-risk or involving sensitive data. Additionally, businesses must provide a “reasonably accessible, clear, and meaningful” online privacy notice, conspicuously posted on their homepage, to ensure transparency for consumers. The mandatory right to cure period for violations expires on January 1, 2026.



9. **Maryland Online Data Privacy Act**

The Maryland Online Data Privacy Act, signed on May 9, 2024, will become effective on October 1, 2025. This legislation establishes stringent data privacy requirements, distinguishing itself through some of the most rigorous provisions among U.S. state privacy laws. Its late 2025 effective date provides organizations with lead time to prepare for its comprehensive obligations.

Maryland’s law features a relatively low applicability threshold, applying to organizations that process the personal data of 35,000 consumers or more. Like Minnesota, it also applies to non-profits, subject to narrow exceptions, thereby encompassing a broad range of entities within its regulatory scope. Businesses must meticulously evaluate their data processing volumes to ascertain their compliance responsibilities under this Act.

A central tenet of the Maryland Act is its strict data minimization requirements. It mandates that controllers limit the collection or processing of sensitive data to what is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer.” The law also broadly prohibits the sale of sensitive data altogether and restricts processing minors’ (under 18) personal data for targeted advertising, demonstrating a heightened focus on protecting vulnerable populations and sensitive information.

The definition of sensitive information is expanded to include national origin, transgender or non-binary status, biometric data, and a broad scope of “consumer health data,” encompassing information related to gender-affirming treatment and reproductive or sexual health care. When conducting Data Protection Impact Assessments (DPIAs), which are required for high-risk activities, the Act specifically mandates an assessment of each algorithm utilized. The requirement to honor opt-out preference signals for targeted advertising or data sale also goes into effect on October 1, 2025, with an optional 60-day right to cure period expiring on April 1, 2027.



10. **Oregon Consumer Privacy Act**

The Oregon Consumer Privacy Act, signed on July 18, 2023, initially became effective for most entities on July 1, 2024. However, a specific critical compliance date for tax-exempt organizations classified under 501(c)(3) goes into effect on July 1, 2025. This phased implementation approach is crucial for these particular non-profit organizations, which must prepare to meet the law’s obligations from this date.

The Act mandates that data protection assessment requirements apply to processing activities created or generated after July 1, 2024. This means businesses, including those newly subject to the law’s provisions in 2025, should already be incorporating DPIAs into their operational planning for new data processing activities. These assessments are essential for identifying and mitigating risks associated with high-risk data processing.

Oregon’s law provides consumers with a set of core rights, including the ability to access, delete, and correct their personal data. It is notable for establishing a transparency right, similar to Delaware and Minnesota, allowing consumers to request a list of third parties that have received their data. This provision enhances consumer control and visibility over how their personal information is shared and utilized by businesses.

Although the general requirement to let consumers opt out of targeted advertising or data sale through opt-out preference signals takes effect on January 1, 2026, the overall framework established by the Act is in place. The mandatory right to cure period for violations under the Oregon Consumer Privacy Act is scheduled to expire on January 1, 2026, signaling a transition to potentially stricter enforcement actions after that date.



11. **Montana Consumer Data Privacy Act**

The Montana Consumer Data Privacy Act, signed into law on May 19, 2023, commenced its general effectiveness on October 1, 2024. However, several critical compliance milestones are slated for January 1, 2025, necessitating ongoing attention from organizations. These forthcoming requirements signify a continued expansion of data privacy obligations within the state.

Effective January 1, 2025, the law requires businesses to allow consumers to opt out of processing for purposes of targeted advertising or any sale of personal data through opt-out preference signals. This aligns Montana with a growing number of states empowering consumers with broad control over how their data is used for commercial purposes. Organizations must ensure their systems are equipped to recognize and respond to these signals.

Furthermore, data protection assessment requirements under the Montana Act apply to processing activities created or generated after January 1, 2025. This establishes a forward-looking obligation for businesses to conduct DPIAs for new or modified high-risk processing operations. Such assessments are fundamental for managing privacy risks, especially concerning sensitive data processing and targeted advertising.

The applicability thresholds for the Montana Act include businesses collecting personal information of 50,000 consumers, or 25,000 consumers if 25% or more of their gross revenue is derived from data sales. These thresholds are comparatively lower than in some other states, potentially bringing a broader range of organizations under its purview. The mandatory right to cure period for violations is set to expire on April 1, 2026, indicating a period of grace for initial compliance before more stringent enforcement.



12. **Texas Data Privacy and Security Act**

The Texas Data Privacy and Security Act, signed on June 18, 2023, became generally effective on July 1, 2024. However, key provisions within this law are scheduled to go into effect on January 1, 2025, underscoring the ongoing need for businesses to adapt their privacy practices. These upcoming compliance dates represent significant milestones for data governance in Texas.

As of January 1, 2025, the Act mandates that businesses allow consumers to opt out of processing for purposes of targeted advertising or any sale of personal data through opt-out preference signals. This provision empowers Texas consumers with enhanced control over their personal information and requires businesses to implement the necessary technical mechanisms to honor these signals. Concurrently, authorized agent provisions also go into effect, enabling consumers to designate representatives to act on their behalf in exercising privacy rights.

The Texas Act is characterized by its broad applicability, similar to Nebraska’s privacy law. It applies to nearly any business that operates in the state, processes or sells personal data, and is not classified as a “small business” as defined by the U.S. Small Business Administration, without numerical data thresholds. This expansive scope means a vast array of organizations must ensure compliance, regardless of their specific data processing volumes.

The law includes specific notice requirements related to the sale of sensitive or biometric personal data. If a controller engages in the sale of sensitive data, it must include a prominent notice stating, “NOTICE: We may sell your sensitive personal data,” in the same location where its privacy policy is linked. A similar notice is required for the sale of biometric personal data. These provisions highlight the Act’s emphasis on transparency regarding the commercialization of specific categories of personal information.



The continued rollout of comprehensive state privacy laws across the United States in 2025 creates a dynamic and complex regulatory environment for businesses. From new statutes becoming fully effective to critical compliance milestones in existing legislation, the imperative for proactive and adaptable privacy programs has never been clearer. Organizations must diligently track these evolving requirements, conduct thorough assessments, and refine their data handling practices to ensure ongoing adherence across multiple jurisdictions. The patchwork nature of U.S. privacy law demands a strategic approach to compliance, prioritizing consumer rights while navigating the nuances of each state’s distinct legal framework. Remaining informed and agile will be key to successful data governance in this increasingly regulated landscape.
