2025 State Privacy Laws: What Businesses Need to Know for Compliance

Alert

The momentum for change in US state privacy laws accelerated in 2024, driven by several significant developments, including efforts for a federal privacy law, state-level enforcement actions and the activation of four new state privacy laws alongside the enactment of seven more. This trend is expected to continue in 2025, as five new privacy laws have already taken effect, and three more will take effect later in the year, adding to the growing complexity of compliance for businesses navigating an increasingly fragmented landscape of state regulations.

This article, part of our ongoing series on the US state data privacy laws, provides an overview of the key aspects of the eight state privacy laws taking effect in 2025, as well as important compliance requirements that businesses, already compliant with existing state privacy laws, need to understand and incorporate into their privacy programs moving forward.

Key Dates by State

State           Effective date      Cure period
Delaware        January 1, 2025     60 days, until December 31, 2025; then at the AG's discretion
Iowa            January 1, 2025     90 days, no sunset
Nebraska        January 1, 2025     30 days, no sunset
New Hampshire   January 1, 2025     60 days, until December 31, 2025; then at the AG's discretion
New Jersey      January 15, 2025    30 days, until July 15, 2026
Tennessee       July 1, 2025        60 days, no sunset
Minnesota       July 15, 2025       30 days, until January 31, 2026
Maryland        October 1, 2025     60 days, until April 1, 2027

Applicability

The applicability of the new state data privacy laws is largely consistent with that of existing state data privacy laws, with some variations based on factors such as the volume of data processed, the company's revenue from selling data, or whether the business or the data it holds is exempt from the legislation.

  • Application threshold – Unlike most state privacy laws, Nebraska's privacy law applies to all companies operating in the state, regardless of the amount of personal data they process or their revenue from selling data. In contrast, Tennessee's privacy law has a narrower scope and applies only to businesses with revenue exceeding US$25 million.
  • Exemptions – Unlike most state privacy laws, the privacy laws in Delaware, Minnesota and New Jersey (like Colorado's) do not generally exempt nonprofit organizations. Delaware, Maryland and New Jersey also follow the approach of California and Oregon by including institutions of higher education within the scope of their privacy laws. A unique aspect of New Jersey's privacy law is that it does not include the Family Educational Rights and Privacy Act (FERPA) exemption. New state privacy laws continue to differ in how they handle exemptions under the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), depending on whether the exemptions apply to entities or to specific types of data. As a reminder, an entity-level exemption removes an entire organization from the law's scope, while a data-level exemption excludes only specific types of data held by the entity, which itself may still be subject to the law. The Delaware, Maryland, Nebraska and New Jersey privacy laws include an entity-level exemption under the GLBA, while Minnesota provides only a data-level GLBA exemption. In contrast, Iowa, New Hampshire and Tennessee offer both entity-level and data-level GLBA exemptions. Regarding HIPAA, most new state privacy laws provide only data-level exemptions; however, the Iowa, Nebraska and Tennessee privacy laws provide both entity-level and data-level HIPAA exemptions. Finally, the privacy laws in both Nebraska and Minnesota (similar to Texas's) exempt small businesses as defined by the US Small Business Administration.

Consumers' Rights

While the new state privacy laws vary in some details, they generally align with established privacy frameworks with respect to consumers' rights. Most states, including those with new privacy laws, grant consumers several rights, including the ability to access, delete and correct inaccuracies in their personal data, request copies of their data (i.e., data portability), and opt out of targeted advertising, the sale of personal data and profiling that produces a legal or similarly significant effect on consumers. Nevertheless, Iowa's law contains notable exceptions, while Minnesota's privacy law recognizes additional rights for consumers.

  • No right to correct or to opt out of profiling in Iowa – Iowa's privacy law does not grant consumers the right to correct inaccuracies in their personal data or to opt out of profiling based on their personal data.
  • Right to question the results of profiling – Minnesota's privacy law grants consumers the right to be informed of the reasons behind a profiling decision, access the data used to make that decision, and learn about the actions they can take to secure a different decision in the future.
  • Right to transparency – Minnesota's privacy law, similar to Oregon's, allows consumers to request a list of third parties to whom the controller has disclosed their personal data. Delaware and Maryland privacy laws also grant consumers a limited transparency right, allowing them to request a list of the categories of third parties to whom the controller has disclosed their data.

Key Compliance Obligations for Businesses

New state privacy laws introduce some important deviations from existing privacy laws regarding the obligations imposed on businesses. While the core responsibilities of entities that qualify as a "business" or "controller" remain the same, such as providing privacy notices, conducting data protection assessments (except in Iowa), and implementing data security measures, businesses must be aware of new, state-specific obligations to maintain their privacy compliance in 2025. These key new compliance obligations include:

  • Mandatory data protection assessment before high-risk processing – Unlike other state privacy laws, which require data protection assessments if processing poses a heightened risk to consumers, New Jersey's privacy law (like Colorado's) prohibits businesses from engaging in such processing without first conducting and documenting a data protection assessment.
  • Emerging trend toward stricter data minimization requirements – Maryland's approach to data minimization aligns more closely with unenacted federal proposals, i.e., the American Data Privacy and Protection Act (ADPPA) and the American Privacy Rights Act (APRA). While most state privacy laws limit data collection to what is adequate, relevant and necessary for the disclosed purposes, Maryland's privacy law requires data controllers to collect only what is "reasonably necessary and proportionate to provide or maintain a product or service requested by the consumer." This approach is much stricter than other state laws in limiting the personal data controllers can collect. For example, a controller cannot collect data for purposes unrelated to the offered product or service (such as consumer research not directly tied to product improvements), even with the consumer's consent or where the purpose is disclosed in the privacy notice. With respect to sensitive personal data, Maryland's privacy law includes a more stringent requirement, stipulating that its collection, processing and sharing must be limited to what is "strictly necessary" for the requested product or service. Finally, the law imposes a complete ban on the sale of sensitive data, with no exceptions, including informed consent. Notably, Maryland's privacy law broadens the categories of sensitive personal data to include national origin, consumer health data, transgender or non-binary status, sex life, and genetic or biometric data.
  • Standardizing opt-out mechanisms – As the universal opt-out mechanism becomes widely adopted in new state privacy laws, including those in Delaware, Nebraska, Minnesota, New Hampshire, New Jersey and Maryland, businesses should consider standardizing their methods for honoring opt-out preference signals. Regulatory guidance can be observed in New Jersey, where the Division of Consumer Affairs in the Department of Law and Public Safety is responsible for clarifying the technical specifications for the universal opt-out mechanism.
  • Children's privacy – All new state privacy laws classify children's data (individuals under 13 years of age, as defined by COPPA) as sensitive personal data. However, with new laws taking effect in 2025, businesses should carefully review the additional restrictions on minors' (individuals between 13 and 17 years of age) data. In New Jersey, controllers must obtain affirmative consent to process personal data for targeted advertising, sale or profiling if they have actual knowledge, or willfully disregard, that the consumer is between 13 and 17 years of age. In Maryland, controllers are prohibited from processing or selling the personal data of consumers under the age of 18 for targeted advertising if they know, or should know, the consumer's age.
  • Implicit requirement to appoint a Chief Privacy Officer (CPO) – Minnesota's privacy law requires businesses to document and include in their privacy policies the name and contact information of their CPO or another individual responsible for compliance with the law. This can be interpreted as an implicit requirement to appoint a CPO, similar to the requirements in the European Union's GDPR and the unenacted ADPPA and APRA federal privacy regulations in the United States.

Enforcement Takeaways

  • Immediate new compliance measures – New state privacy laws impose specific obligations on businesses, with key requirements for those operating in New Jersey, Minnesota and Maryland. Under New Jersey's law, businesses must conduct a data protection assessment before processing high-risk data that may pose heightened risks to consumers, and they must obtain affirmative consent from minors aged 13 to 17 before processing their data for targeted advertising, sale or profiling. Minnesota's law may be read to require businesses to designate a privacy officer responsible for implementing privacy notices, ensuring compliance with state laws, and managing consumer requests. Under Maryland's law, businesses should revisit their data collection practices to ensure they collect only what is necessary and proportionate to provide the product or service, and avoid collecting data for unrelated purposes. Moreover, businesses must ensure that the processing of sensitive data is strictly necessary for the products or services provided, and refrain from selling such data. Although these requirements can already be found under certain existing US data privacy laws, they are not pervasive and warrant specific consideration by businesses operating in these states.
  • Affirmative defense – Notably, unlike any other state privacy law, Tennessee's privacy law recognizes an affirmative defense to a violation if a business creates, maintains and complies with a written privacy policy that reasonably aligns with the National Institute of Standards and Technology (NIST) Privacy Framework, or if it has documented policies designed to safeguard consumer privacy, such as obtaining certification under the APEC Cross-Border Privacy Rules system (for controllers) or the Privacy Recognition for Processors system (for processors). Businesses should consider adopting and maintaining a privacy framework that aligns with these standards in order to benefit from this affirmative defense.
  • Private right of action – New state privacy laws do not grant a private right of action, instead giving exclusive enforcement authority to the respective Attorney General's offices.
  • Rulemaking authority – Unlike most state privacy laws, but similar to California and Colorado, New Jersey's privacy law requires the Director of the Division of Consumer Affairs to promulgate implementing rules and regulations, meaning additional regulations are expected in the future.

Burak Haylamaz (White & Case, Staff Attorney, Los Angeles) contributed to the development of this publication.

White & Case's Data Privacy and Cybersecurity team will continue to provide updates on these laws and any related rules and regulations. Please reference our US Data Privacy Guide and other client alerts for general steps to take to comply with US state data privacy laws.


White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2025 White & Case LLP
