8 State Privacy Laws Going into Effect in 2025
New year, new privacy landscape. Last season left us with a whopping seven new comprehensive state privacy laws, with the likes of Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Rhode Island all opting to bring their constituents greater protection in the ever-changing digital world.
Now, many of those seeds of privacy legislation are set to bloom in 2025. Let’s have a quick roundup of every comprehensive state privacy law going into effect this year.
1. Delaware
Delaware’s Personal Data Privacy Act (DPDPA), which went into effect on January 1, 2025, establishes comprehensive privacy protections for residents of the state, making Delaware the latest to join the growing list of U.S. jurisdictions with robust privacy legislation. The Act requires businesses to enhance transparency in their data practices and to obtain explicit consent when collecting or using sensitive personal data, such as information related to race, religion, health conditions, biometric data, and location.
Under the new law, Delaware consumers gain powerful rights over their personal information. They can opt out of the sale of their data, targeted advertising, and certain types of automated decision-making. The DPDPA also includes phased implementation milestones: from July 1, 2025, businesses must conduct data protection assessments for certain processing activities, and starting January 1, 2026, they must honor universal opt-out signals for consumer preferences. Additionally, the mandatory “right to cure” for violations will end on December 31, 2025, after which enforcement by the Delaware Attorney General’s office will no longer require a grace period.
2. Iowa
The Iowa Consumer Data Protection Act (ICDPA) became effective on January 1, 2025 and targets businesses that either control or process the personal data of at least 100,000 Iowa consumers or derive over 50% of their revenue from selling personal data of at least 25,000 Iowa residents. The law imposes penalties of up to $7,500 per violation, but with a generous 90-day cure period, which does not sunset, allowing businesses ample time to address non-compliance.
Notably, the ICDPA is more business-friendly compared to other state laws, as it lacks certain requirements like recognizing universal opt-out mechanisms, conducting privacy impact assessments, or securing opt-in consent for processing sensitive data.
3. Maryland
The Maryland Online Data Protection Act (MODPA) will go into effect on October 1, 2025. MODPA applies to businesses operating in Maryland or targeting Maryland residents. Organizations are subject to the law if, in the prior calendar year, they controlled or processed the personal data of at least 35,000 consumers (excluding payment transaction data) or processed the personal data of at least 10,000 consumers while deriving over 20% of gross revenue from selling personal data.
Non-compliance can result in penalties of up to $10,000 per violation and $25,000 for repeated violations. A 60-day cure period, available until April 1, 2027, is at the discretion of the Maryland Attorney General.
4. Minnesota
The Minnesota Consumer Data Privacy Act (MCDPA) is set to take effect on July 31, 2025. It establishes privacy obligations for businesses targeting Minnesota residents. It applies to organizations that annually process the personal data of at least 100,000 consumers or derive over 25% of their gross revenue from selling personal data while processing the personal data of at least 25,000 consumers.
Violators face fines up to $7,500, with a 30-day cure period available until January 31, 2026. Notably, the MCDPA exempts small businesses, though they must secure opt-in consent before selling sensitive personal data. The law also uniquely mandates data inventories, a step that supports broader compliance but is rarely required by statute.
5. Nebraska
The Nebraska Data Privacy Act (NDPA) became effective as of January 1, 2025 and establishes privacy obligations for entities conducting business in Nebraska or offering products and services to its residents. Unlike many state privacy laws, the NDPA applies to organizations processing or selling personal data, regardless of data volume, provided they are not classified as small businesses under federal Small Business Administration guidelines.
Violators face penalties of up to $7,500 per infraction, with a 30-day cure period that does not sunset. While small businesses are exempt from most requirements, they must obtain opt-in consent before selling sensitive personal data.
6. New Hampshire
The New Hampshire Data Privacy Act (NHDPA) became effective January 1, 2025 and introduces significant privacy obligations for entities conducting business in the state or offering products and services to its residents. The law applies to organizations that, within a one-year period, control or process personal data for at least 35,000 consumers (excluding data solely processed for payment transactions) or derive over 25% of gross revenue from selling the personal data of at least 10,000 consumers.
Noncompliance may result in fines up to $10,000 per violation, with a 60-day cure period available until January 1, 2026.
Distinctive among state privacy laws, the NHDPA features relatively low applicability thresholds, increasing its reach to small businesses. Unlike Iowa, it mandates privacy impact assessments for certain activities, and unlike Delaware, it provides entity-level exemptions for nonprofits and federally regulated organizations under HIPAA or GLBA. With its comprehensive scope, the NHDPA is set to enhance data protection practices across New Hampshire.
7. New Jersey
The New Jersey Data Privacy Act (NJDPA) became effective as of January 15, 2025 and sets clear thresholds for compliance. It applies to entities that annually control or process the personal data of at least 100,000 consumers—excluding data processed solely for payment transactions—or those handling the data of at least 25,000 consumers and generating revenue or receiving discounts from selling personal data. Penalties for non-compliance reach up to $10,000 for a first violation and $20,000 for subsequent violations, with a 30-day cure period available until July 15, 2026.
Unlike other state laws, the NJDPA does not impose a revenue minimum for applicability, making it relevant beyond traditional data brokers and ad tech networks. Additionally, nonprofits are not exempt from the law, though financial data used exclusively for payment transactions is excluded. Notably, the NJDPA treats certain financial data as sensitive and requires opt-in consent for its processing outside of transactional purposes.
8. Tennessee
The Tennessee Information Protection Act (TIPA) will become effective July 1, 2025 and establishes privacy requirements for businesses operating in the state. The law applies to organizations with annual revenue exceeding $25 million that conduct business in Tennessee or target its residents and meet one of the following criteria: processing the personal information of at least 175,000 consumers annually or processing the personal data of 25,000 consumers while deriving over 50% of gross revenue from its sale. Violations can result in fines up to $7,500 per occurrence, with triple damages for intentional breaches and a 60-day non-sunsetting cure period.
The TIPA sets a notably high consumer threshold—175,000 compared to the standard 100,000—and applies exclusively to businesses with at least $25 million in revenue, narrowing its scope. Unique among state privacy laws, TIPA allows businesses to establish an affirmative defense by implementing a documented privacy program aligned with the NIST privacy framework or similar standards. While not a fail-safe, this proactive measure can mitigate liability for compliant organizations.
Achieve Privacy Compliance with BigID
No matter what industry your organization represents, 2025 will require your team to take a closer look at the various privacy legislation that may now impact your daily operations. BigID is the industry-leading DSPM platform for data privacy, security, compliance, and AI data management. Get greater visibility from your enterprise data and achieve simple compliance with comprehensive data privacy laws like the MODPA, TIPA, NJDPA, and more.
With BigID, organizations can:
- Discover Your Data: Discover and catalog your sensitive data, including structured, semi-structured, and unstructured – in on-prem environments and across the cloud.
- Know Your Data: Automatically classify, categorize, tag, and label sensitive, personal data with accuracy, granularity, and scale.
- Map Your Data: Automatically map PII and PI to identities, entities, and residencies to visualize data across systems.
- Enforce Privacy Policies: Ensure alignment and enforcement of data policies in accordance with privacy mandates to fulfill regulatory compliance requirements.
- Universal Consent & Preferences Management: Manage and adjust consumer consent and preferences universally and centrally across various channels with ease.
- Comprehensively Assess Privacy Risks: Initiate, manage, document, and complete various assessments, including PIA, DPIA, vendor, AI, TIA, LIA, and more for compliance and risk reduction.
- Streamline Data Lifecycle Management: Apply a policy-based approach to automate data lifecycle management across collection, retention, and deletion.
Don’t wait for compliance deadlines to catch up to you — get ahead with a 1:1 demo from BigID’s privacy experts today.