Privacy professionals, it’s time to gear up for a monumental shift in the U.S. data privacy landscape. In 2025, eight new state privacy laws will go into effect, joining an existing patchwork of regulations. These laws will raise the stakes for businesses handling consumer data, demanding greater transparency, accountability, and adaptability.
This article unpacks the essentials of these new laws, highlights their unique features, and provides actionable steps to ensure your organization is ready to thrive in the evolving privacy-first era.
The U.S. 2025 data privacy law wave: What’s new?
Here’s a snapshot of the eight new privacy laws coming into effect in 2025:
Iowa Consumer Privacy Act (ICPA)
Delaware Personal Data Privacy Act (DPDPA)
New Hampshire Consumer Expectation of Privacy (NHCEP)
New Jersey Consumer Privacy Act (NJCPA)
Nebraska Data Privacy Act (NDPA)
Tennessee Information Protection Act (TIPA)
Minnesota Consumer Data Privacy Act (CDPA)
Maryland Online Data Privacy Act (MODPA)
Iowa Consumer Privacy Act (ICPA)
Effective date: January 1, 2025
Highlights:
- Extended timelines: 90 days to respond to consumer requests, the longest among U.S. state laws.
- Limited rights: Opt-out rights are restricted to data sales, excluding profiling and targeted advertising, and businesses are not required to recognize opt-out signals. The right to correct is not available in this State.
- Enforcement: Handled solely by the Attorney General, with fines up to $7,500 per violation.
Delaware Personal Data Privacy Act (DPDPA)
Effective date: January 1, 2025
Highlights:
- Low thresholds: Applies to businesses processing data of just 10,000 consumers if over 20% of revenue comes from data sales.
- Third-party lists: Requires businesses to provide consumers with the list of third parties with whom the controller disclosed personal data.
- Rapid response: 45-day compliance deadline for consumer rights requests.
New Hampshire Consumer Expectation of Privacy (NHCEP)
Effective date: January 1, 2025
Highlights:
- Transparency first: Strong focus on notice requirements and consumer rights like access, correction, and deletion.
- Enforcement: Attorney General-led with clear guidelines for business compliance.
New Jersey Consumer Privacy Act (NJCPA)
Effective date: January 1, 2025
Highlights:
- Enhanced disclosures: Requires businesses to notify consumers about data sales and targeted advertising practices in detail.
- Opt-out obligations: Businesses must provide accessible, user-friendly mechanisms for opt-outs.
Nebraska Data Privacy Act (NDPA)
Effective date: January 1, 2025
Highlights:
- Data minimization: Emphasizes limiting data collection to what is necessary for specific purposes.
- Secure processing: Focus on bolstering data security practices.
Tennessee Information Protection Act (TIPA)
Effective date: July 1, 2025
Highlights:
- High applicability thresholds: Covers businesses processing data of 100,000+ consumers or deriving significant revenue from data sales.
- Consumer request security: Mandates robust systems for handling consumer requests.
Minnesota Consumer Data Privacy Act (CDPA)
Effective date: July 31, 2025
Highlights:
- Profiling protections: First state to grant rights to contest profiling decisions and review data used in profiling.
- Unique requirements: Mandates a data inventory and requires consent for pseudonymous data reidentification.
- Data Protection Officer: Implicitly requires appointing a chief privacy officer to oversee data compliance.
Maryland Online Data Privacy Act (MODPA)
Effective date: October 1, 2025
Highlights:
- Expanded definitions: Broadens “data sale” to include transfers by processors or affiliates.
- Sensitive data restrictions: Prohibits the sale of sensitive data.
- Geofencing limits: Prohibits geofencing near sensitive health facilities without consent.
- Data minimization: Raises the bar, requiring a stricter data minimization principle.
Common ground: What these laws share
While each law has unique elements, they share foundational principles that reflect a broader trend in consumer privacy protection:
Consumer Rights
Access, correction, deletion, data portability, and opt-out rights are common across most laws. Some, like Minnesota, expand these individual rights to include contesting profiling results.
Transparency
Privacy notices must be clear, accessible, and detailed, covering data collection, usage, and sharing practices.
Applicability Thresholds
These laws generally apply to businesses meeting certain thresholds, such as processing data for a specific number of consumers or deriving revenue from data sales, with the exception of Nebraska’s Data Privacy Act, which applies to any business conducting certain activities.
Data Protection Assessments (DPAs)
Many laws require assessments for high-risk processing activities to evaluate risks and mitigation strategies.
Non-Discrimination
Consumers exercising their rights cannot be discriminated against, such as being denied services or charged higher prices.
What makes each law stand out?
Some of the new 2025 data privacy laws have unique elements that differentiate them from the others, reflecting the diverse approaches states are taking to protect consumer privacy:
Iowa Consumer Privacy Act (ICPA): Iowa stands out with its extended 90-day response timeline for consumer requests—double the standard 45 days found in most other state laws. It also limits opt-out rights to data sales, excluding profiling and targeted advertising.
Delaware Personal Data Privacy Act (DPDPA): Delaware’s low thresholds for applicability (10,000 consumers if over 20% of revenue comes from data sales) make it more likely to apply to small and medium-sized businesses than other laws. It also has a broad definition of sensitive data, being the only one that explicitly includes pregnancy as a health condition, and one of the few that includes status as transgender or nonbinary. Finally, Delaware is one of the few states with the right to obtain third-party lists.
New Jersey Consumer Privacy Act (NJCPA): New Jersey’s focus is on enhanced disclosure requirements, obligating businesses to provide comprehensive notifications about data sales and targeted advertising practices. It requires businesses to disclose if personal data is processed for profiling, which may generate legal effects on the consumer.
Tennessee Information Protection Act (TIPA): Tennessee sets high applicability thresholds, covering businesses processing data for 100,000+ consumers or deriving significant revenue from data sales. Like Delaware, it includes the right to obtain third-party lists, and it is one of the states that do not require organizations to recognize universal opt-out signals. Finally, Tennessee requires organizations to maintain a privacy program that aligns with the NIST privacy framework.
Minnesota Consumer Data Privacy Act (CDPA): Minnesota breaks new ground by granting consumers rights to challenge profiling decisions and understand the data used. It also introduces requirements like prohibiting unlawful discrimination against consumers during data processing and requiring express consent before reidentifying pseudonymous data. Organizations must also maintain a data inventory for transparency and demonstrate compliance with the regulations. Additionally, appointing a Chief Privacy Officer (CPO) is necessary to oversee data compliance and protect consumer information.
Maryland Online Data Privacy Act (MODPA): Maryland imposes strict data minimization requirements, including prohibiting certain geofencing practices near health facilities. The collection, processing, and sharing of sensitive data are limited to situations where it is strictly necessary to provide or maintain a specific product or service requested by the consumer. Additionally, the sale of sensitive data is generally prohibited. Organizations are not allowed to sell or process a consumer’s personal information for targeted advertising if they know or should have known that the consumer is under 18 years old.
These distinctive features reflect the varying priorities of states as they balance consumer rights, business obligations, and enforcement mechanisms.
How to prepare your business for new U.S. privacy laws in 2025
1. Assess applicability
Map out which laws apply to your organization based on factors like consumer thresholds and revenue sources. This is critical for prioritizing compliance efforts.
2. Conduct data protection assessments (DPAs)
Evaluate high-risk activities such as profiling, data sales, or processing sensitive data. Ensure these assessments align with the specific requirements of each applicable law.
3. Update privacy notices
Your privacy notice is your compliance cornerstone. Include clear information on:
- Data categories collected
- Processing purposes
- Consumer rights
- Opt-out mechanisms
For example, Minnesota requires businesses to disclose their data retention policies and the last update date of their privacy notices.
4. Strengthen consumer rights management
Develop streamlined processes to handle consumer rights requests efficiently. Ensure compliance with specific deadlines (e.g., Iowa’s 90 days vs. Delaware’s 45 days). Use secure, user-friendly systems for submitting and tracking requests.
5. Bolster data security practices
Regularly review and update your data security protocols. Focus on protecting sensitive information and preventing unauthorized access or breaches.
6. Train your team
Educate employees across all departments about privacy requirements and their roles in compliance. From IT to marketing, everyone plays a part in safeguarding consumer data.
7. Stay agile
Regulatory landscapes are evolving. Keep an eye on amendments, emerging laws, and enforcement actions to adapt your compliance strategies proactively.
Key takeaways: Building trust through compliance in 2025
The new 2025 privacy laws signal a shift toward enhanced consumer protections and greater accountability for businesses. While navigating this evolving landscape can seem daunting, preparation is your best defense.
Here’s what to remember:
Start now: Early compliance efforts reduce risks and ease transitions.
Leverage tools: Privacy management software and automated workflows can streamline compliance.
Stay educated: Knowledge is power—keep up with new regulations and trends in data privacy laws.
Like assembling a LEGO masterpiece, compliance requires patience, precision, and planning. By laying each piece carefully, you’ll build a privacy program that’s as resilient as it is effective.
While the new privacy laws present challenges, they also allow businesses to earn customer trust. By prioritizing data protection, organizations can strengthen relationships, enhance reputations, and thrive in the privacy-first era.