With the absence of federal privacy laws, individual states continue to establish their own comprehensive data privacy regulations. In 2025, eight additional U.S. state privacy laws will come into effect. Here is an overview of US state data privacy laws coming into effect in 2025.
Key Trends
Several key trends are emerging across these new privacy laws:
- Enhanced Consumer Rights: Many of the new laws emphasize empowering consumers with more control over their personal data, including rights to access, correct, delete, and restrict the sale of their information.
- Obligations for Businesses: Businesses are facing increasing obligations to implement data privacy safeguards, conduct assessments of their data practices, and ensure compliance with a growing number of state-level privacy laws.
- Focus on Sensitive Data: There is a heightened focus on protecting sensitive information, such as genetic or biometric data, as well as data related to children, with specific provisions to safeguard these categories.
Delaware Personal Data Privacy Act (DPDPA) – Effective January 1, 2025
- Scope: Applies to entities conducting business in Delaware or targeting Delaware residents, provided they control or process the personal data of at least 35,000 consumers or derive over 20% of their gross revenue from the sale of personal data and process data of at least 10,000 consumers.
- Consumer Rights: Grants rights to access, correct, delete, and obtain a copy of personal data.
- Opt-Out Provisions: Allows consumers to opt out of the sale of personal data and targeted advertising.
- Data Protection Assessments: Requires assessments for processing activities involving personal data.
- Sensitive Data: Mandates opt-in consent for processing sensitive data.
Iowa Consumer Data Protection Act (ICDPA) – Effective January 1, 2025
- Scope: Applies to entities conducting business in Iowa or targeting Iowa residents, controlling or processing personal data of at least 100,000 consumers, or deriving over 50% of gross revenue from the sale of personal data and processing data of at least 25,000 consumers.
- Consumer Rights: Provides rights to access, delete, and obtain a copy of personal data.
- Opt-Out Provisions: Enables consumers to opt out of the sale of personal data.
- Data Protection Assessments: No explicit requirement.
- Sensitive Data: Requires opt-in consent for processing sensitive data.
Nebraska Consumer Data Privacy Act (NCDPA) – Effective January 1, 2025
- Scope: Targets entities conducting business in Nebraska or targeting Nebraska residents, controlling or processing personal data of at least 50,000 consumers, or deriving over 50% of gross revenue from the sale of personal data and processing data of at least 25,000 consumers.
- Consumer Rights: Includes rights to access, correct, delete, and obtain a copy of personal data.
- Opt-Out Provisions: Allows consumers to opt out of the sale of personal data and targeted advertising.
- Data Protection Assessments: No explicit requirement.
- Sensitive Data: Requires opt-in consent for processing sensitive data.
New Hampshire Data Privacy and Protection Act (NHDPA) – Effective January 1, 2025
- Scope: Applies to entities conducting business in New Hampshire or targeting New Hampshire residents, controlling or processing personal data of at least 25,000 consumers, or deriving over 50% of gross revenue from the sale of personal data.
- Consumer Rights: Grants rights to access, correct, delete, and obtain a copy of personal data.
- Opt-Out Provisions: Enables consumers to opt out of the sale of personal data and targeted advertising.
- Data Protection Assessments: Requires assessments for processing activities involving personal data.
- Sensitive Data: Mandates opt-in consent for processing sensitive data.
New Jersey Consumer Privacy Act (NJCPA) – Effective January 15, 2025
- Scope: Targets entities conducting business in New Jersey or targeting New Jersey residents, controlling or processing personal data of at least 25,000 consumers, or deriving over 50% of gross revenue from the sale of personal data.
- Consumer Rights: Provides rights to access, correct, delete, and obtain a copy of personal data.
- Opt-Out Provisions: Allows consumers to opt out of the sale of personal data and targeted advertising.
- Data Protection Assessments: Requires assessments for processing activities involving personal data.
- Sensitive Data: Requires opt-in consent for processing sensitive data.
Oregon Consumer Privacy Act (OCPA) – Effective July 1, 2025
- Scope: Applies to businesses that process the data of at least 100,000 Oregon residents annually or derive 25% or more of their revenue from the sale of personal data while processing the data of at least 25,000 Oregon residents.
- Consumer Rights: Right to access, correct, delete, and obtain a copy of personal data, and Right to opt-out of targeted advertising, the sale of personal data, and profiling in furtherance of significant decisions.
- Sensitive Data: Requires explicit opt-in consent to process sensitive data, such as racial or ethnic origin, biometric data, and sexual orientation.
- Data Protection Assessments: Mandatory for high-risk data processing activities, including profiling and handling sensitive data.
Texas Data Privacy and Security Act (TDPSA) – Effective March 1, 2025
- Scope: Targets businesses that process or control the data of more than 50,000 Texas residents or derive 25% or more of their revenue from the sale of personal data.
- Consumer Rights: Right to access, delete, correct, and obtain a copy of personal data, and Right to opt-out of the sale of personal data and targeted advertising.
- Sensitive Data: Requires opt-in consent to process sensitive personal data.
- Data Protection Assessments: No explicit requirement.
- Penalties: Introduces significant fines for non-compliance, including penalties for data breaches.
Montana Consumer Data Privacy Act (MCDPA) – Effective October 1, 2025
- Scope: Applies to businesses controlling or processing the personal data of at least 50,000 Montana residents annually or earning 25% or more of their gross revenue from selling personal data.
- Consumer Rights: Right to access, correct, delete, and obtain a copy of personal data, and Right to opt-out of data sales and targeted advertising.
- Sensitive Data: Explicit opt-in consent is required to process sensitive personal data.
- Data Protection Assessments: Businesses engaging in high-risk processing must conduct assessments.
The laws share common themes such as enhancing consumer rights, requiring opt-in consent for sensitive data processing, and, in some cases, mandating data protection assessments. Businesses must stay informed about the latest developments in data privacy legislation and take proactive steps to ensure compliance, not only to avoid legal repercussions but also to build trust with their customers in an increasingly digital world.
Let Us Help
As data privacy laws continues to evolve, understanding and compliance continue to be important. This is a high level overview of US data privacy laws coming into effect in 2025, and is not meant to be comprehensive. If you need further assistance, feel free to reach out. We’ll discuss your specific needs and help you through the process.
This post is not legal advice, and does not establish any attorney client privilege between Law Office of K.S. Kader, PLLC and you, the reader. The content of this post was assisted by generative artificial intelligence solutions.