8 US state privacy laws take effect in 2025: What do they have in common?
Posted: February 18, 2025
So far this year, the following US state privacy laws have taken effect:
- 1 January 2025: Delaware Personal Data Privacy Act (DPDPA)
- 1 January 2025: Iowa Consumer Data Protection Act (ICDPA)
- 1 January 2025: Nebraska Data Privacy Act (NDPA)
- 1 January 2025: New Hampshire Privacy Act (NHPA)
- 15 January 2025: New Jersey Data Privacy Act (NJDPA)
Coming up later in the year, the following state privacy laws will take effect:
- 1 July 2025: Tennessee Information Protection Act (TIPA)
- 31 July 2025: Minnesota Consumer Data Privacy Act (MCDPA)
- 1 October 2025: Maryland Online Data Privacy Act (MODPA)
Here’s a run-down of what these laws provide in terms of rights and obligations.
Application
Each of the eight privacy laws taking effect in 2025 applies slightly differently, providing various exemptions and thresholds.
Each law applies to an entity that conducts business in the relevant state and fulfills one of two thresholds:
- It controls or processes the personal data of at least 100,000 consumers per year (30,000 consumers per year in Delaware and Maryland), or
- It controls or processes the personal data of at least 25,000 consumers (10,000 consumers in Delaware and Maryland) and derives a specified percentage of revenue from selling personal data:
  - Delaware: 20%
  - Iowa: 50%
  - Maryland: 20%
  - New Hampshire: 25%
  - New Jersey: Any amount
  - Tennessee: 50%
The exceptions are Minnesota’s and Nebraska’s laws, which apply generally to all businesses processing personal data in each state, except small businesses as defined by the US Small Business Administration (SBA).
Businesses covered by each law are called “controllers”. “Processors” are service providers that process personal data on the controller’s behalf.
Consumer privacy rights
Each of these laws provides consumers with the following rights over their personal data, sometimes scoped or named slightly differently.
- The right to access personal data
- The right to correct inaccurate data (except Iowa)
- The right to delete personal data
- The right to obtain a portable copy of personal data
- The right to opt out of targeted advertising
- The right to opt out of the sale of personal data
- The right to opt out of profiling with significant effects (except Iowa and Tennessee)
Every state offers consumers the right to appeal decisions regarding their consumer rights requests.
Every state allows controllers 45 days to comply with a consumer privacy rights request, with an additional 45-day extension available where reasonably necessary.
Consent to process sensitive data
Every state requires controllers to obtain consent before processing sensitive data—except Iowa, which requires controllers to offer consumers an opt-out. Maryland’s law looks quite different from the others but functions in a similar way in this regard.
The following types of data are considered sensitive data under the definitions provided by all of the states:
- Racial or ethnic origin
- Religious beliefs
- Sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data
- Personal data of a known child
- Precise geolocation data
All states recognize “mental or physical health condition or diagnosis”, except that Maryland uses the term “consumer health data”, while New Jersey refers to “mental or physical health condition, treatment, or diagnosis”.
The recognition of the following data points as “sensitive data” also varies across the states:
- Sex life (recognized in all states except Iowa, Nebraska, and Tennessee)
- Status as transgender or nonbinary (recognized in all states except Iowa, Nebraska, New Hampshire, and Tennessee)
- National origin (recognized in all states except Iowa, Nebraska, New Jersey, and Tennessee)
New Jersey adds “financial information”—which includes a consumer’s account number, account login, financial account, or credit or debit card number, in combination with any required security code, access code, or password—as sensitive data.
Data protection assessments
All states except Iowa require controllers to conduct data protection assessments for activities that present a heightened risk of harm to consumers, including under the following circumstances:
- Processing personal data for targeted advertising
- Selling personal data
- Conducting profiling that carries a risk of unfair or deceptive treatment, unlawful discrimination or disparate impact, or potential injury to consumers
- Processing sensitive data
These assessments generally aim to balance the benefits of data processing against the potential risks to consumer privacy. The assessments must be documented and should be made available for review by the state’s Attorney General or similar authority when requested.
Data protection assessments generally must:
- Identify and weigh the benefits of the processing to the controller, consumer, other stakeholders, and the public against potential risks to consumer rights.
- Factor in the use of de-identified data, the reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the consumer.
- Include safeguards that can be employed to reduce risks.
A fragmented landscape
As noted, there are many commonalities among the eight state privacy laws that will take effect—or have taken effect—throughout 2025. But “the devil is in the detail”: there are divergences in many areas, with some states, such as Maryland, taking a largely different approach from the other seven.
To ensure compliance across the board, controllers covered by all of these laws may wish to offer consumers in some of the less strict states, such as Iowa, rights that they legally do not have.
With many states having implemented comprehensive privacy laws, and with more laws taking effect next year, a federal law that would unify privacy standards across the states remains elusive and is not an option.