
Privacy Laws 2025: Prepare for the 8 Laws Going into Effect

Written by Matt Davis, CIPM (IAPP) | December 4, 2024

Businesses in the US will be subject to a lot more scrutiny from consumers and regulators in 2025. With eight new data privacy laws going into effect over the course of the year, attorneys general will be eager to show they’re not all talk, privacy advocacy groups will be encouraging residents to exercise their rights, and consumers will (slowly but surely) begin supporting the businesses that respect their privacy—and avoiding the ones that don’t. 

Here are the eight new laws coming into effect in 2025 and their effective dates: 

  • The Delaware Personal Data Privacy Act (DPDPA; January 1)   
  • The Iowa Consumer Data Protection Act (ICDPA; January 1)   
  • The Nebraska Data Privacy Act (NDPA; January 1)   
  • The New Hampshire Data Privacy Act (NHDPA; January 1)   
  • The New Jersey Data Privacy Act (NJDPA; January 15)   
  • The Tennessee Information Protection Act (TIPA; July 1)   
  • The Minnesota Consumer Data Privacy Act (MCDPA; July 31)   
  • The Maryland Online Data Protection Act (MODPA; October 1)  

Compliance with eight laws at once may seem daunting, but the good news is that there’s a lot of overlap between these new laws and existing state laws. Despite that broad overlap, however, each new law has its own quirks and unique requirements that you will need to consider. Below you’ll find a summary of each law that includes:  

  • The major features of each law  
  • Any notable or unique aspects  
  • Links to resources that dive deeper into requirements 

We’ll also talk about the steps you should prioritize when preparing for compliance.  

If there are any terms you don’t recognize, you can find them on our Data Privacy Terminology Cheat Sheet. 

2025 Consumer Data Privacy Law Overview 

The Delaware Personal Data Privacy Act (DPDPA) 

At a Glance 

When does it go into effect? 

January 1, 2025

What are its threshold criteria? 

The DPDPA applies to any entity that does business in the state or produces products or services that are targeted to residents of the state and that, during the previous calendar year, met one of the following:   

  • Controlled or processed the personal data of not less than 35,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.   
  • Controlled or processed the personal data of not less than 10,000 consumers and derived more than 20 percent of their gross revenue from the sale of personal data. 

What are the penalties for violating the law? 

Up to $10,000 per violation, with a 60-day cure period sunsetting January 1, 2026.

Notable Features 

US state privacy laws lie on a spectrum—on one end, there are the more consumer-friendly data privacy laws; on the other, there are the more business-friendly laws. The DPDPA falls decidedly on the consumer side. 

For one, the DPDPA has a low applicability threshold, kicking in at a mere 35,000 consumers’ data processed for most businesses.  

The DPDPA also has fewer and tighter exemptions relative to most data privacy laws. Notably, nonprofits are not exempt from this law. Most data privacy laws exempt organizations subject to other federal regulations like HIPAA. Under the DPDPA, however, only HIPAA-covered data is exempt, not the organization itself. So, a medical service provider covered under HIPAA must still comply with the DPDPA if it processes consumer data that isn’t already protected by HIPAA. An example might be a patient’s phone number and address: this data is needed for communicating about appointments, but it isn’t protected health information covered by HIPAA. 

Other unique features include a broader scope for what is considered sensitive personal information as well as additional subject rights related to third-party data transfers. 

Learn more about the Delaware Personal Data Privacy Act here. 

The Iowa Consumer Data Protection Act (ICDPA) 

At a Glance

When does it go into effect? 

January 1, 2025

What are its threshold criteria? 

The ICDPA applies to entities conducting business in Iowa or producing products or services targeted to Iowa consumers that either:  

  • Control or process the personal data of at least 100,000 Iowan consumers.  
  • Derive over 50% of revenue from selling the personal data of at least 25,000 Iowan consumers.

What are the penalties for violating the law? 

Up to $7,500 per violation, with a non-sunsetting 90-day cure period. 

Notable Features 

Unlike the DPDPA, the ICDPA falls more on the business-friendly side of the spectrum. 

It provides one of the longest cure periods available in the US, giving businesses a perpetual right to address violations within a 90-day period. 

And there are fewer ways to violate the ICDPA to boot. Iowa’s law lacks requirements around recognizing universal opt-out mechanisms (e.g., the Global Privacy Control), conducting privacy impact assessments, asking for opt-in consent to process sensitive data, and more. 

Learn more about the Iowa Consumer Data Protection Act here. 

The Nebraska Data Privacy Act (NDPA) 

At a Glance

When does it go into effect? 

January 1, 2025

What are its threshold criteria? 

Nebraska’s privacy law applies to any entity (regardless of the volume of processed data) that:   

  • Conducts business in the state or produces a product or service consumed by residents of Nebraska;   

  • Processes or engages in the sale of personal data; and   

  • Is not a small business as determined under the federal Small Business Administration. 

What are the penalties for violating the law? 

Up to $7,500 per violation, with a non-sunsetting 30-day cure period. 

Notable Features 

The most notable feature of the NDPA is its broad applicability criteria. So long as your organization isn’t a small business (as defined by the Small Business Administration), it’s probably subject to the law if it processes the data of Nebraskans. That’s regardless of revenue or the total number of consumers whose data you process. 

Note that although small businesses are exempt from the bulk of Nebraska’s data privacy law, they are still required to secure opt-in consent before selling consumers’ sensitive information. 

Learn more about the Nebraska Data Privacy Act here. 

The New Hampshire Data Privacy Act (NHDPA) 

At a Glance

When does it go into effect? 

January 1, 2025

What are its threshold criteria? 

New Hampshire’s data privacy law applies to entities that conduct business in the state or produce products or services targeted to residents of New Hampshire and that, during a one-year period:

  • Controlled or processed the personal data of not less than 35,000 unique consumers, excluding personal data processed solely to complete a payment transaction, or  
  • Controlled or processed the personal data of not less than 10,000 unique consumers and derived more than 25 percent of their gross revenue from the sale of personal data.   

What are the penalties for violating the law? 

Up to $10,000 per violation, with a 60-day cure period sunsetting January 1, 2026.

Notable Features 

Unlike either Iowa or Delaware, New Hampshire’s data privacy law is typical of what one might expect from a data privacy law in the US. As opposed to Delaware, it provides entity-level (not data-level) exemptions for nonprofits and organizations subject to federal regulations like HIPAA or the GLBA. And as opposed to Iowa, the NHDPA does require privacy impact assessments for certain activities and features a sunsetting cure period. 

One of the NHDPA’s notable features is its relatively low applicability threshold. Thus, it’s more likely that small businesses will be subject to its requirements. 

Learn more about the New Hampshire Data Privacy Act here. 

The New Jersey Data Privacy Act (NJDPA) 

At a Glance

When does it go into effect? 

January 15, 2025

What are its threshold criteria? 

New Jersey’s privacy law applies to entities that, during a calendar year, meet one of the following criteria: 

  • Control or process the personal data of at least 100,000 consumers, excluding personal data processed solely for the purpose of completing a payment transaction, or 
  • Control or process the personal data of at least 25,000 consumers and derive revenue, or receive a discount on the price of any goods or services, from the sale of personal data. 

What are the penalties for violating the law? 

Up to $10,000 for the first violation and up to $20,000 for subsequent violations, with a 30-day cure period sunsetting July 15, 2026. 

Notable Features 

Generally, applicability thresholds for data privacy laws in the US feature parallel criteria: either a business processes a certain number of individuals’ data, or it processes a lower number but derives revenue by selling that data. 

That second set of criteria typically applies to data brokers and ad tech networks that earn revenue by selling consumer data. The NJDPA is unique in that it sets no revenue threshold for this criterion: if you earn any revenue from selling the personal data of at least 25,000 consumers, you’re subject to the law. This means organizations other than data brokers or ad tech networks may need to comply. 

In addition to this unique feature, nonprofits are not exempt from the NJDPA. Data used solely for completing a payment transaction, however, is exempt. This is important because the NJDPA includes certain kinds of financial data in its definition of sensitive data and requires affirmative opt-in consent before it can be processed for purposes other than completing a transaction. 

Learn more about the New Jersey Data Privacy Act here. 

The Tennessee Information Protection Act (TIPA) 

At a Glance

When does it go into effect? 

July 1, 2025

What are its threshold criteria? 

Tennessee’s privacy law applies if your organization exceeds $25 million in annual revenue, conducts business in the state or provides products or services that are targeted to residents of the state, and meets one or more of the following:    

  • During a calendar year, controls or processes the personal information of at least 175,000 consumers.  

  • Controls or processes personal information of at least 25,000 consumers and derives more than 50 percent of gross revenue from the sale of personal information. 

What are the penalties for violating the law? 

Up to $7,500 per violation and the possible addition of triple the actual damages if the violation was intentional, with a non-sunsetting cure period of 60 days. 

Notable Features 

While most state privacy laws have settled on an applicability threshold of 100,000 consumers, the TIPA increased that threshold to 175,000. And it only applies to businesses with at least $25 million in revenue, giving it a far narrower scope than most data privacy laws. 

Like Iowa’s law, the TIPA has a non-sunsetting cure period, though its duration is only 60 days compared to Iowa’s 90. 

But the most unique feature of the TIPA is its affirmative defense option. The TIPA permits businesses to proactively defend against potential future violations through the creation of a documented privacy program that follows the NIST privacy framework or similar frameworks. This defense isn’t bulletproof—businesses that simply disregard their privacy program, for example, would likely still be found liable for violations. 

Learn more about the Tennessee Information Protection Act (TIPA) here. 

The Minnesota Consumer Data Privacy Act (MCDPA) 

At a Glance

When does it go into effect? 

July 31, 2025 

What are its threshold criteria? 

The MCDPA applies to entities that provide products or services targeted at Minnesotans and meet one of the following criteria:  

  • During a calendar year, they control or process the personal data of 100,000 consumers or more.  
  • They derive more than 25 percent of gross revenue from the sale of personal data and process or control the personal data of 25,000 consumers or more. 

What are the penalties for violating the law? 

Up to $7,500, with a 30-day cure period sunsetting January 31, 2026. 

Notable Features 

The MCDPA features many of the usual exemptions found in other data privacy laws, but it notably exempts small businesses (as defined by the Small Business Administration). While exempt from most requirements, small businesses must still obtain opt-in consent before selling sensitive personal information. 

The MCDPA has two more unique features that stand out from other data privacy laws. 

The first is its requirement for a data inventory. Data maps or data inventories are a best practice for privacy programs and facilitate downstream compliance, but they typically aren’t required by statute.  

Specifically, the law calls for businesses to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise the responsibilities under this item.” 

In essence, a data inventory lists the systems that contain personal information as well as the metadata needed to maintain their security and privacy. 

The second unique requirement relates to profiling. Like most data privacy laws, the MCDPA gives consumers the right to opt out of profiling used to make decisions with a legal or similarly significant impact on the consumer. But the MCDPA goes further by granting consumers the right to contest the results of profiling; to be informed of what actions they could have taken to achieve a different outcome; and to review the data used in profiling, correct it if it’s inaccurate, and have the decision re-evaluated. As an example, consumers might be subject to profiling for employment or credit purposes. 

Learn more about the Minnesota Consumer Data Privacy Act here. 

The Maryland Online Data Protection Act (MODPA) 

At a Glance

When does it go into effect? 

October 1, 2025

What are its threshold criteria? 

Maryland’s privacy law applies to entities that conduct business in the state or provide services or products targeted to residents of Maryland and during the prior calendar year either:   

  • Controlled or processed the personal data of at least 35,000 consumers, except for personal data collected or processed solely for completing a payment transaction.  
  • Controlled or processed the personal data of at least 10,000 consumers and derived more than 20 percent of its gross revenue from the sale of personal data.   

What are the penalties for violating the law? 

Up to $10,000 per violation and up to $25,000 per repeated violation, with a 60-day cure period sunsetting April 1, 2027. However, the state’s Attorney General gets to decide whether to offer the cure period or not. 

Notable Features 

Maryland’s law is easily the most distinctive on this list, if not in the nation. Its applicability thresholds are low, and it imposes steeper financial penalties than other laws. 

But most significantly, it outright prohibits the sale of personal data, regardless of whether the consumer opts in or not. Businesses may only collect, process, or share sensitive data if it's strictly necessary to provide or maintain a specific product or service requested by the consumer.   

The MODPA also requires businesses to conduct privacy impact assessments on a regular basis for each data activity that presents a heightened risk of harm to a consumer. This in and of itself isn’t unusual, but the law also stipulates there must be “an assessment for each algorithm that is used.” The statute does not provide a definition for the word “algorithm,” and given the complexity of data processing operations, this could entail a great number of assessments.  

There’s much more to cover about Maryland’s law and how it differs from other state privacy laws. Learn more about the Maryland Online Data Protection Act here. 

Steps to Prioritize for Compliance 

Data privacy compliance is an ongoing process—not a one-and-done activity—but there are a few steps you can take to hit the ground running in 2025. Here’s what we’d recommend.

1. Review Applicability Criteria

Conduct an assessment of the various data processing activities taking place at your organization. Do you sell any consumer data to third parties? If so, you may be subject to lower threshold applicability criteria, especially for New Jersey’s law. Do you have mobile app and/or website users from one of the states listed in this article? If so, there’s a good chance you’re subject to the given law.  

Even if you don’t meet the law’s applicability criteria, conducting and documenting such an assessment will be a useful exercise. Not only will it show that you did your due diligence and create a record of your legal basis for not needing to comply, but it will also alert you to laws whose thresholds your organization is approaching. You might make a note to perform another assessment in six months or a year. Or, you might get a head start on compliance, knowing that it’s likely in your future.

2. Review Privacy Policies and Notice Requirements

Each of these laws has different requirements for privacy notices. Some of them are very prescriptive (Nebraska’s law in particular), while others are more general. Familiarize yourself with the requirements of the laws that you will be subject to in 2025, review your current privacy policy to see if it meets the laws’ standards, and—crucially—assess your processing activities to determine if your policy is still accurate. 

If you haven’t performed an exercise like this in a while (or at all), there can be a lot of work involved. You may need to define a process for how you handle subject rights requests, for example, or take inventory of all the organizations you share data with. Our Ultimate Privacy Policy Checklist can help you prioritize what information you need to track down first.

3. Review Subject Rights and Your Subject Rights Request Workflow

While most of the privacy laws on this list have familiar subject rights, some feature unique rights or have unique requirements around rights. 

Each of these laws features the following subject rights: 

  • The right to confirm whether information is held about them and obtain a summary of it 
  • The right to access this information 
  • The right to request the deletion of this information 
  • The right to transfer their personal information in a common format (i.e., the right to portability) 
  • The right to opt out of the sale of their information 
  • The right to opt out of targeted advertising/the sharing of their personal information 
  • The right to appeal the refusal to carry out a subject rights request 

Other rights are specific to certain laws: 

  • Only Delaware, Minnesota, and Maryland permit individuals to request a list of third parties that receive their personal information. 
  • Every law aside from Iowa gives consumers the right to request the correction of inaccurate information. 

Even if you’re currently handling subject rights requests well enough, it’s worth investigating whether your process could be improved. As these and future laws go into effect and consumer awareness spreads, so will request volumes. In particular, you’ll want to ensure you can quickly track down which third parties have received a data subject’s information if you’re subject to Delaware’s, Minnesota’s, or Maryland’s data privacy laws. 

Summing It All Up 

In short, you’ll likely be managing a lot of assessments, subject rights requests, and privacy notices over the course of 2025. Without an automated solution, keeping track of all the associated documents and duties can quickly become overwhelming. With a complete privacy solution, however, you’ll be able to: 

  • Access standards-based assessment templates or build your own, automate the workflow to ensure you receive responses from stakeholders on time and perform new assessments on a regular schedule, and centralize past assessments for easy access. 
  • Automate common subject rights requests like summaries and deletions, discover individual data subjects’ information across your systems, and offer the appropriate rights requests based on data subjects’ jurisdictions. 

Osano provides these capabilities and more. Find out how we can support your efforts in achieving 2025 compliance by booking a demo.