2025’s Privacy Revolution: States Unveil New Laws You MUST Know


The U.S. is seeing a surge in state privacy laws, with comprehensive bills gaining traction everywhere, making it crucial for businesses to stay updated on these ever-changing data governance rules.

Various resources, including trackers and reports, are maintained to assist businesses in understanding these developments. These tools focus on comprehensive approaches to governing personal information, excluding bills that are narrow in scope, coverage, or the specific rights they grant. This ensures a clear focus on broad-impact legislation.

As 2025 approaches, businesses face the imperative to adapt to new legal frameworks and refine existing privacy programs. While eight new state privacy laws are specifically slated to go into effect in 2025, other existing laws will also see critical provisions or compliance deadlines become active. Understanding these changes is essential for maintaining compliance and mitigating risk.


1. **Delaware Personal Data Privacy Act**

The Delaware Personal Data Privacy Act was signed into law on September 11, 2023, and is set to go into effect on January 1, 2025. This legislation marks a significant addition to the comprehensive privacy laws across the United States. It introduces new obligations for data controllers operating within the state, impacting how personal data is collected, processed, and managed.

The Act sets low applicability thresholds: it applies to businesses that process personal data for 35,000+ consumers or generate over 20% of gross revenue from selling personal data for 20,000+ consumers, so it may cover more organizations than anticipated.

Under a key provision, data protection assessment requirements apply to processing activities created or generated after July 1, 2025. Additionally, the mandatory right to cure period for violations expires on December 31, 2025, after which the Attorney General will have discretion to grant cure periods. The law also mandates that businesses honor universal opt-out signals, with this requirement going into effect on January 1, 2026.

Delaware’s law also expands the definition of sensitive information to include national origin and transgender or non-binary status, alongside other categories. This broader scope necessitates that businesses conduct Data Protection Impact Assessments (DPIAs) when processing sensitive data or engaging in other high-risk activities, aligning with a growing trend among state privacy laws to impose heightened restrictions on such information.

2. **Iowa Consumer Data Protection Act**

The Iowa Consumer Data Protection Act was signed into law on March 29, 2023, and will become effective on January 1, 2025. This comprehensive privacy law adds to the varied legal landscape businesses must navigate, presenting distinct requirements and consumer rights that differ from other state statutes.

Iowa’s law generally relies on volume-based criteria for its applicability thresholds, typically applying to businesses that process the personal data of 100,000 or more residents or derive a certain portion of revenue from selling data. Organizations operating within Iowa are encouraged to assess their data processing activities against these criteria to determine their compliance obligations.

Notably, the Iowa Consumer Data Protection Act presents specific limitations regarding consumer rights. Unlike most state privacy laws, it does not affirmatively establish a right for consumers to correct inaccurate data. Furthermore, it does not explicitly provide for a right to opt-out of online targeted advertising, which is a common feature in many other comprehensive privacy statutes.

Despite these differences, the law does require controllers to provide notice and an opportunity to opt out of the processing of sensitive data. This provision underscores a baseline protection for sensitive personal information, requiring businesses to be transparent about such practices and offer consumers a choice regarding its use. Businesses must therefore ensure their privacy notices are updated to reflect these specific requirements.

3. **Nebraska Data Privacy Act**

Signed into law on April 17, 2024, the Nebraska Data Privacy Act is slated to go into effect on January 1, 2025. This legislation broadens the scope of privacy regulation, presenting new compliance considerations for organizations operating in the state. Its applicability thresholds are notably broad, aligning with an expansive approach to data governance.

The Nebraska Data Privacy Act applies to any organization that operates in the state, processes or sells personal data, and is not classified as a small business as defined by the U.S. Small Business Administration. This broad definition means that many businesses, irrespective of numerical data thresholds, will fall under the purview of this law, requiring a thorough review of their data handling practices.

Nebraska’s law is quite strict: it requires opt-in consent for selling sensitive data, unlike some states with opt-out options, and it mandates data protection impact assessments for high-risk activities like selling data or targeted advertising.

Furthermore, the Nebraska Data Privacy Act requires businesses to honor universal opt-out preference signals. Such signals allow consumers to communicate their preferences regarding the sale of personal data and targeted advertising across all websites without needing to opt out individually. Businesses should prepare to integrate mechanisms that recognize and respond to these signals to ensure compliance by the effective date.

4. **New Hampshire Privacy Act (Senate Bill 255)**

The New Hampshire Privacy Act, codified as Senate Bill 255, was signed into law on March 6, 2024, and is scheduled to become effective on January 1, 2025. This new comprehensive privacy legislation introduces a set of obligations for businesses processing personal data of New Hampshire residents, adding another layer to the intricate national privacy framework.

Applicability for the New Hampshire Privacy Act begins at a threshold of processing the personal information of 35,000 residents or more. Additionally, data protection assessment requirements apply to processing activities created or generated after July 1, 2024. This means businesses should already be considering these assessments for newer activities.

A crucial aspect going into effect on January 1, 2025, is the requirement for businesses to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals. This aligns New Hampshire with several other states in empowering consumers with broad control over how their data is used for advertising and commercial purposes.

The law also specifies that the mandatory right to cure period for violations expires on December 31, 2025. After this date, attorneys general will have discretion to grant cure periods, signaling a transition to potentially stricter enforcement. This timeline highlights the importance of achieving compliance within the initial year of the law’s effectiveness.

Like many other comprehensive state privacy laws, New Hampshire’s Act also mandates that businesses conduct Data Protection Impact Assessments (DPIAs) when processing sensitive data or engaging in other high-risk processing activities. This requires a proactive approach to risk management for certain data processing operations.

5. **New Jersey Data Privacy Act (Senate Bill 332)**

The New Jersey Data Privacy Act, known as Senate Bill 332, was signed into law on January 16, 2024, with its effective date set for January 15, 2025. This legislation introduces comprehensive data privacy requirements for businesses operating within New Jersey, contributing to the growing body of state-level privacy regulations in the U.S.

Under the New Jersey Data Privacy Act, businesses are required to honor opt-out preference signals. These signals provide a standardized mechanism for consumers to express their desire to opt out of the sale of personal data and targeted advertising across different online services without needing to make individual requests on each site. Organizations should integrate the necessary technical infrastructure to recognize and respond to these signals.

The law expands the definition of sensitive information to include several new categories. These encompass national origin, transgender or non-binary status, and specific types of financial account information. This broadened scope for sensitive data means businesses handling such information will face heightened restrictions on its collection and processing, requiring careful review of current practices.

Furthermore, the Act mandates that businesses conduct Data Protection Impact Assessments (DPIAs) when processing sensitive data. This requirement extends to other high-risk processing activities as well, reinforcing the need for comprehensive risk assessments. Businesses must identify and document such activities to ensure compliance with this aspect of the law.


6. **Colorado Privacy Act**

The Colorado Privacy Act, signed into law on July 7, 2021, and initially effective on July 1, 2023, continues to evolve with significant compliance obligations going into effect throughout 2025. Businesses operating in Colorado must pay close attention to these upcoming dates, as they introduce new layers of responsibility regarding consumer data.

A critical date for compliance is January 1, 2025, when the mandatory notice of violation and right to cure period expires. After this date, the Colorado Attorney General will no longer be obligated to provide a cure period, gaining discretion to pursue enforcement actions immediately. This shift emphasizes the importance of sustained compliance and proactive remediation of any identified issues.

Further obligations take effect on July 1, 2025, focusing on the collection and processing of biometric data. Businesses engaging in such activities will face specific requirements to protect this sensitive information, including stricter consent provisions and data handling practices. This reflects a broader trend toward enhanced protection for biometric identifiers across state privacy laws.

Additionally, as of October 1, 2025, the Act imposes new obligations for data controllers that provide online services, products, or features to minors. These provisions are designed to enhance the protection of personal data belonging to individuals under a certain age, necessitating a careful review of services directed at or accessible by minors.

Since July 1, 2024, Colorado has required businesses to honor opt-out preference signals for targeted advertising or data sales, so compliance should already be in place. Staying vigilant remains key as the law evolves.

As the regulatory landscape continues to evolve, businesses must maintain vigilance throughout 2025, with several additional comprehensive state privacy laws and critical compliance dates becoming effective in the mid-to-late parts of the year. This ongoing progression underscores the imperative for organizations to adapt their data governance frameworks to a fragmented but increasingly robust U.S. privacy regime. Understanding these subsequent legal developments is crucial for ensuring sustained compliance and mitigating potential risks as the year unfolds.

This second section examines six further pivotal state privacy laws, highlighting their unique requirements, advanced compliance dates, and broader implications for businesses managing personal data. These laws include both new statutes coming into effect and existing legislation with significant new provisions activating in 2025, presenting a complex but navigable challenge for privacy professionals. The analysis aims to provide clear, factual insights into these developments, consistent with the objective reporting standards required for effective compliance strategies.
