A new wave of U.S. state consumer privacy laws will become effective in 2025. Four state laws went into effect on January 1, and another will be effective on January 15. Three others will be effective by October 2025. Several additional states – including Michigan and Oklahoma – have active bills being considered, and we expect other states may consider similar laws this year. Below we highlight the unique aspects of these new statutes.
Background
The U.S. has recently witnessed an unprecedented flurry of state legislative activity in the privacy space, with nineteen (19) states passing comprehensive privacy legislation. Of these, eight are already in effect, a further eight will go into effect in 2025, and three will be effective in 2026.
Laws Effective in 2025
- Delaware Personal Data Privacy Act (enacted 2023; effective January 1, 2025)
- Iowa Consumer Data Protection Act (enacted 2023; effective January 1, 2025)
- Nebraska Data Privacy Act (enacted 2024; effective January 1, 2025)
- New Hampshire Data Privacy Act (enacted 2024; effective January 1, 2025)
- New Jersey Data Privacy Act (enacted 2024; effective January 15, 2025)
- Tennessee Information Protection Act (enacted 2023; effective July 1, 2025)
- Minnesota Consumer Data Privacy Act (enacted 2024; effective July 31, 2025)
- Maryland Online Data Privacy Act (enacted 2024; effective October 1, 2025)
Given the sheer number of new laws, the looming compliance deadlines, and increased privacy enforcement and attention from regulators, businesses should take proactive steps to learn about the requirements and establish compliance measures.
Key Takeaways
Enhanced Protections for Sensitive Data: While many state consumer privacy laws already afford heightened protections to “sensitive data,” some of the new laws further expand the scope of and requirements around sensitive data. Sensitive data is a subcategory of personal information that typically includes information that reveals a consumer’s racial or ethnic origin, biometric data, or geolocation data. The use of sensitive data is also a focus for federal regulators and policymakers, with the Federal Trade Commission (FTC) making the illicit use of sensitive data an enforcement priority and federal lawmakers restricting the sharing of sensitive data with certain countries.
Delaware, Maryland, and New Jersey have followed the trend of widening the definition of sensitive data to include information such as transgender or non-binary status. Maryland’s new law also goes beyond existing state laws in the level of protection afforded to sensitive data, where businesses will be prohibited from selling sensitive data (which includes sharing data for non-monetary consideration), even when consent is obtained, except as necessary to provide or maintain a specific requested product.
Small Business Exemptions: In another notable trend with these new laws, Nebraska and Minnesota followed Texas’s unconventional approach to applicability thresholds. Whereas most state privacy laws only apply to businesses that meet defined processing or revenue thresholds, Nebraska follows Texas in dispensing with these thresholds entirely and instead applying to entities that (1) conduct business in Nebraska or produce products or services consumed by Nebraska residents, (2) process or sell personal data, and (3) do not qualify as a small business as defined by the U.S. Small Business Administration (SBA). Minnesota adopts a hybrid approach, excluding small businesses as well as entities that process the personal data of fewer than 100,000 consumers. The effect of these exemptions may be that the new laws apply to some entities not currently required to comply with existing privacy laws (e.g., a business may not meet the thresholds but also may not qualify as a small business, which could bring it into the scope of one of these new laws). These laws provide a timely reminder for businesses to carefully assess the applicability of new laws as they come into effect, even if they are exempt from existing state privacy legislation.
The Role of Privacy Frameworks: Although all existing consumer privacy laws require businesses to adopt security measures to protect consumer information, Tennessee made waves when it became the first state to tie compliance to a specific privacy framework, the National Institute of Standards and Technology (NIST) Privacy Framework or another comparable framework. The Tennessee law provides a safe harbor for businesses that comply with these frameworks.
Given the evolving landscape of data privacy regulations, it is imperative for businesses to proactively review and update their privacy programs. Given the short compliance timelines, businesses should take immediate steps to understand how the imminent laws apply to them and implement necessary changes.
If you have questions about these new laws or their applicability to your business, please reach out to one of the authors of this article or your local Baker McKenzie contact.