2025 privacy laws will be here before we know it, further complicating the growing patchwork of state laws with which organizations need to comply in order to avoid enforcement. Starting in January, several new state privacy laws will take effect, each designed to grant consumers more control over their data and set specific compliance requirements for businesses in scope of these laws. This blog explores each of the upcoming 2025 privacy laws and what they mean for organizations nationwide. 

January 1, 2025: A Quartet of Privacy Laws 

The long list of 2025 privacy laws starts off with a significant shift on January 1st as four states—Delaware, Iowa, Nebraska, and New Hampshire—introduce new data privacy laws, placing fresh compliance requirements on businesses that collect and process consumer data in these regions. 

Delaware Personal Data Privacy Act  

• Consumer Rights: Provides Delaware residents with rights to access, correct, delete, and obtain a copy of their personal data, and to opt out of data sales, targeted advertising, and profiling. 

• Sensitive Data Protections: Requires businesses to obtain explicit consent before processing sensitive personal information, like health or biometric data. 

• Applicability Thresholds: Applies to businesses that process data of at least 35,000 Delaware residents or derive over 20% of their revenue from data sales, impacting medium to large entities. 

• Data Protection Assessments: Requires businesses to conduct data protection assessments for high-risk processing activities, such as profiling and data sales. 

• Enforcement and Penalties: Enforced by the Delaware Department of Justice, with penalties for non-compliance that could include fines or other legal actions. 

Iowa Consumer Data Protection Act 

• Consumer Rights: Grants Iowa residents the right to access, delete, and obtain a copy of their personal data held by businesses. 

• Opt-Out for Data Sales: Provides consumers with the ability to opt out of the sale of their personal data. 

• Sensitive Data Consent: Requires businesses to obtain consent before processing sensitive data, such as health or biometric information. 

• Applicability Thresholds: Applies to businesses that control or process the personal data of at least 100,000 Iowa residents or derive over 50% of revenue from selling personal data. 

• Enforcement: Enforced by the Iowa Attorney General, but there is no private right of action, meaning individuals cannot sue businesses directly for violations. 

Nebraska Data Privacy Act 

• Consumer Rights: Grants Nebraska residents the right to access, delete, correct, and obtain a copy of their personal data, and to opt out of data sales and targeted advertising. 

• Sensitive Data Consent: Requires businesses to obtain explicit consent before processing sensitive data, including health and biometric information. 

• Applicability Thresholds: Applies to businesses that process data of at least 50,000 Nebraska residents or derive over 50% of revenue from data sales. 

• Data Protection Assessments: Mandates that businesses conduct data protection assessments for high-risk processing activities, such as profiling and targeted advertising. 

• Enforcement: Enforced by the Nebraska Attorney General, with no private right of action for individuals, meaning only the Attorney General can bring enforcement actions. 

New Hampshire Data Privacy Act 

• Consumer Rights: Provides New Hampshire residents the rights to access, delete, correct, and obtain a copy of their personal data, and to opt out of data sales, targeted advertising, and profiling. 

• Sensitive Data Consent: Requires businesses to obtain explicit consent from consumers before processing sensitive data, such as health, genetic, or biometric information. 

• Applicability Thresholds: Applies to businesses that process data of at least 50,000 New Hampshire residents or derive more than 20% of gross revenue from selling personal data. 

• Data Protection Assessments: Mandates data protection assessments for high-risk processing activities, focusing on profiling and targeted advertising. 

• Enforcement: Enforced by the New Hampshire Attorney General, with no private right of action, meaning individuals cannot sue directly for violations. 

January 15, 2025: New Jersey Data Privacy Act  

Following shortly after, New Jersey’s Data Privacy Act is next on the list of 2025 privacy laws, bringing in robust data protection regulations aimed at enhancing transparency and security. 

• Consumer Rights: Grants New Jersey residents the right to access, delete, correct, and obtain a copy of their personal data, along with the ability to opt out of data sales, targeted advertising, and profiling. 

• Sensitive Data Consent: Requires businesses to obtain explicit consent before processing sensitive personal information, such as health, biometric, and genetic data. 

• Applicability Thresholds: Applies to businesses that process data of at least 25,000 New Jersey residents or derive more than 50% of revenue from data sales. 

• Data Protection Officer Requirement: Requires certain businesses to appoint a Data Protection Officer to oversee compliance and ensure responsible data handling practices. 

• Enforcement: Enforced by the New Jersey Attorney General, without a private right of action, meaning only the Attorney General can bring legal actions for violations. 

July 1, 2025: Tennessee Information Protection Act  

As we enter mid-2025, Tennessee’s Information Protection Act goes live, marking a milestone for data privacy in the state. 

• Consumer Rights: Provides Tennessee residents with rights to access, delete, and obtain a copy of their personal data, and to opt out of data sales, targeted advertising, and profiling. 

• Sensitive Data Protections: Requires businesses to obtain consent before processing sensitive data, including health, biometric, and genetic information. 

• Applicability Thresholds: Applies to businesses that process data of at least 175,000 Tennessee residents or derive over 50% of revenue from data sales and process data of at least 25,000 residents. 

• Data Protection Assessments: Mandates businesses conduct data protection assessments for high-risk processing activities, like targeted advertising and profiling. 

• Enforcement: Enforced by the Tennessee Attorney General, with no private right of action, so individuals cannot file lawsuits directly for violations. 

July 31, 2025: Minnesota Consumer Data Privacy Act  

Minnesota follows with its Consumer Data Privacy Act at the end of July, adding another layer of protection for residents. 

• Consumer Rights: Grants Minnesota residents rights to access, delete, correct, and obtain a copy of their personal data, and to opt out of data sales, targeted advertising, and profiling. 

• Sensitive Data Consent: Requires businesses to obtain explicit consent before processing sensitive data, including health, biometric, and genetic information. 

• Applicability Thresholds: Applies to businesses that control or process data of at least 100,000 Minnesota residents or derive more than 25% of gross revenue from selling personal data. 

• Data Protection Assessments: Mandates data protection assessments for high-risk processing activities, such as profiling and targeted advertising. 

• Enforcement: Enforced by the Minnesota Attorney General, with no private right of action, meaning only the Attorney General can initiate enforcement actions. 

October 1, 2025: Maryland Online Data Privacy Act 

Rounding out the year, Maryland’s Online Data Privacy Act targets digital privacy with a focus on online data collection practices.  

• Consumer Rights: Provides Maryland residents the right to access, delete, correct, and obtain a copy of their personal data, and to opt out of data sales, targeted advertising, and profiling. 

• Sensitive Data Consent: Requires businesses to obtain explicit consent before processing sensitive personal data, such as health and biometric information. 

• Applicability Thresholds: Applies to businesses that process data of at least 100,000 Maryland residents or derive at least 50% of gross revenue from selling personal data. 

• Protection for Minors: Includes additional protections for minors under 18, with restrictions on data collection and targeted advertising. 

• Enforcement: Enforced by the Maryland Attorney General, without a private right of action, so only the Attorney General can take legal action for violations. 

Preparing for Compliance in 2025 

The upcoming wave of privacy laws reflects a growing trend across the U.S. toward stronger consumer data protections. Here are some key steps businesses should take to prepare: 

• Update Privacy Policies: Ensure privacy policies are up-to-date and clearly outline consumer rights, data use, and opt-out mechanisms. 

• Implement Data Security Measures: Strengthen data protection measures, especially for sensitive and high-risk data processing. 

• Conduct Regular Audits: Assess current data practices to identify potential compliance gaps and ensure adherence to state-specific laws. 

• Appoint a Data Protection Officer: For organizations in states requiring a DPO, consider hiring or appointing a qualified individual to oversee compliance. 

As privacy regulations expand across the U.S., 2025 will be a pivotal year for businesses that handle consumer data. From Delaware to Maryland, the 2025 privacy laws underscore the importance of transparency, consumer rights, and data security. For organizations, staying ahead of these changes is not just about compliance—it’s about fostering trust and maintaining a competitive edge in a privacy-conscious market. The journey to compliance may be complex, but by prioritizing data protection and respecting consumer rights, businesses can turn regulatory challenges into opportunities for growth and reputation-building. 

We will keep you apprised of any other 2025 privacy laws that may arise as other states seek to fill the void of a federal privacy law.