
8 State Privacy Laws Going Into Effect in 2025

New year, new privacy landscape. Last season left us with a whopping seven new comprehensive state privacy laws, with the likes of Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Rhode Island all opting to bring their constituents greater protection in the ever-changing digital world.

Now, many of those seeds of privacy legislation are set to bloom in 2025. Let’s have a quick round up of every comprehensive state privacy law going into effect this year.

1. Delaware

Delaware’s Personal Data Privacy Act (DPDPA), which went into effect on January 1, 2025, establishes comprehensive privacy protections for residents of the state, making Delaware the latest to join the growing list of U.S. jurisdictions with robust privacy legislation. The Act mandates businesses to enhance transparency in their data practices and requires explicit consent when collecting or using sensitive personal data, such as information related to race, religion, health conditions, biometric data, and location.

Under the new law, Delaware consumers gain powerful rights over their personal information. They can opt out of the sale of their data, targeted advertising, and certain types of automated decision-making. The DPDPA also includes phased implementation milestones: from July 1, 2025, businesses must conduct data protection assessments for certain processing activities, and starting January 1, 2026, they must honor universal opt-out signals for consumer preferences. Additionally, the mandatory “right to cure” for violations will end on December 31, 2025, after which enforcement by the Delaware Attorney General’s office will no longer require a grace period.

2. Iowa

The Iowa Consumer Data Protection Act (ICDPA) became effective on January 1, 2025 and targets businesses that either control or process the personal data of at least 100,000 Iowa consumers or derive over 50% of their revenue from selling personal data of at least 25,000 Iowa residents. The law imposes penalties of up to $7,500 per violation, but with a generous 90-day cure period, which does not sunset, allowing businesses ample time to address non-compliance.

Notably, the ICDPA is more business-friendly compared to other state laws, as it lacks certain requirements like recognizing universal opt-out mechanisms, conducting privacy impact assessments, or securing opt-in consent for processing sensitive data.

3. Maryland

The Maryland Online Data Protection Act (MODPA) will go into effect on October 1, 2025. MODPA applies to businesses operating in Maryland or targeting Maryland residents. Organizations are subject to the law if, in the prior calendar year, they controlled or processed the personal data of at least 35,000 consumers (excluding payment transaction data) or processed the personal data of at least 10,000 consumers while deriving over 20% of gross revenue from selling personal data.

Non-compliance can result in penalties of up to $10,000 per violation and $25,000 for repeated violations. A 60-day cure period, available until April 1, 2027, is at the discretion of the Maryland Attorney General.

4. Minnesota

The Minnesota Consumer Data Privacy Act (MCDPA) is set to take effect on July 31, 2025. It establishes privacy obligations for businesses targeting Minnesota residents. It applies to organizations that annually process the personal data of at least 100,000 consumers or derive over 25% of their gross revenue from selling personal data while processing the personal data of at least 25,000 consumers.

Violators face fines up to $7,500, with a 30-day cure period available until January 31, 2026. Notably, the MCDPA exempts small businesses, though they must secure opt-in consent before selling sensitive personal data. The law also uniquely mandates data inventories, a step that supports broader compliance but is rarely required by statute.

5. Nebraska

The Nebraska Data Privacy Act (NDPA) became effective as of January 1, 2025 and establishes privacy obligations for entities conducting business in Nebraska or offering products and services to its residents. Unlike many state privacy laws, the NDPA applies to organizations processing or selling personal data, regardless of data volume, provided they are not classified as small businesses under federal Small Business Administration guidelines.

Violators face penalties of up to $7,500 per infraction, with a 30-day cure period that does not sunset. While small businesses are exempt from most requirements, they must obtain opt-in consent before selling sensitive personal data.

6. New Hampshire

The New Hampshire Data Privacy Act (NHDPA) became effective January 1, 2025 and introduces significant privacy obligations for entities conducting business in the state or offering products and services to its residents. The law applies to organizations that, within a one-year period, control or process personal data for at least 35,000 consumers (excluding data solely processed for payment transactions) or derive over 25% of gross revenue from selling the personal data of at least 10,000 consumers.

Noncompliance may result in fines up to $10,000 per violation, with a 60-day cure period available until January 1, 2026.
Distinctive among state privacy laws, the NHDPA features relatively low applicability thresholds, increasing its reach to small businesses. Unlike Iowa, it mandates privacy impact assessments for certain activities, and unlike Delaware, it provides entity-level exemptions for nonprofits and federally regulated organizations under HIPAA or GLBA. With its comprehensive scope, the NHDPA is set to enhance data protection practices across New Hampshire.

7. New Jersey

The New Jersey Data Privacy Act (NJDPA) became effective as of January 15, 2025 and sets clear thresholds for compliance. It applies to entities that annually control or process the personal data of at least 100,000 consumers, excluding data processed solely for payment transactions, or those handling the data of at least 25,000 consumers and generating revenue or receiving discounts from selling personal data. Penalties for non-compliance reach up to $10,000 for a first violation and $20,000 for subsequent violations, with a 30-day cure period available until July 15, 2026.

Unlike other state laws, the NJDPA does not impose a revenue minimum for applicability, making it relevant beyond traditional data brokers and ad tech networks. Additionally, nonprofits are not exempt from the law, though financial data used exclusively for payment transactions is excluded. Notably, the NJDPA treats certain financial data as sensitive and requires opt-in consent for its processing outside of transactional purposes.

8. Tennessee

The Tennessee Information Protection Act (TIPA) will become effective July 1, 2025 and establishes privacy requirements for businesses operating in the state. The law applies to organizations with annual revenue exceeding $25 million that conduct business in Tennessee or target its residents and meet one of the following criteria: processing the personal information of at least 175,000 consumers annually or processing the personal data of 25,000 consumers while deriving over 50% of gross revenue from its sale. Violations can result in fines up to $7,500 per occurrence, with triple damages for intentional breaches and a 60-day non-sunsetting cure period.

The TIPA sets a notably high consumer threshold—175,000 compared to the standard 100,000—and applies exclusively to businesses with at least $25 million in revenue, narrowing its scope. Unique among state privacy laws, TIPA allows businesses to establish an affirmative defense by implementing a documented privacy program aligned with the NIST privacy framework or similar standards. While not a fail-safe, this proactive measure can mitigate liability for compliant organizations.

Achieve Privacy Compliance with BigID

No matter what industry your organization represents, 2025 will require your team to take a closer look at the various privacy legislation that may now impact your daily operations. BigID is the industry-leading DSPM platform for data privacy, security, compliance, and AI data management. Get greater visibility from your enterprise data and achieve simple compliance with comprehensive data privacy laws like the MODPA, TIPA, NJDPA, and more.

With BigID, organizations can:

  • Discover Your Data: Discover and catalog your sensitive data, including structured, semi-structured, and unstructured, in on-prem environments and in the cloud.
  • Know Your Data: Automatically classify, categorize, tag, and label sensitive, personal data with accuracy, granularity, and scale.
  • Map Your Data: Automatically map PII and PI to identities, entities, and residencies to visualize data across systems.
  • Enforce Privacy Policies: Ensure the alignment and enforcement of data policies in accordance with privacy mandates to meet regulatory compliance requirements.
  • Universal Consent and Preference Management: Manage and adjust consumer consent and preferences universally and centrally across channels with ease.
  • Comprehensively Assess Privacy Risks: Initiate, manage, document, and complete a variety of assessments, including PIA, DPIA, vendor, AI, TIA, LIA, and more for compliance and risk reduction.
  • Streamline Data Lifecycle Management: Apply a policy-based approach to automate data lifecycle management across collection, retention, and deletion.

Don’t wait for compliance deadlines to catch up to you — get ahead with a 1:1 demo from BigID’s privacy experts today.
