14 January 2025

A New Year And New Compliance Requirements: Additional State Privacy Laws Take Effect In 2025

Seyfarth Shaw LLP


As 2025 begins, businesses across the U.S. will be required to navigate an even more expanded landscape of state-level privacy regulations. In all, eight states are introducing comprehensive privacy laws, further adding to the growing patchwork of privacy requirements in the U.S.

January is kicking off with a flurry as five states (Iowa, Delaware, Nebraska, New Hampshire, and New Jersey) implement their laws in the first two weeks. Later this year, Tennessee, Minnesota, and Maryland will join the mix. For companies operating in the U.S., staying ahead in this shifting regulatory environment is essential. Failure to comply could result in hefty penalties, legal exposure, and a loss of consumer trust.

The good news? Businesses already aligned with current privacy laws may only need minor updates to meet the new requirements. However, it is important to be aware of all consumer-facing interactions, data collections, and sharing of personal information in each state to keep a firm handle on your compliance obligations.

Determining Applicability

Each state law sets its own thresholds, often based on factors like annual revenue or the volume of personal information processed. While most states apply their laws broadly to any company "doing business in the state," some include additional criteria, such as Tennessee's $25 million annual revenue threshold. Nebraska mirrors Texas' approach by applying its law to any company that processes or sells personal data, provided it is not classified as a small business under the federal Small Business Act.

Key Dates and Applicability Thresholds by State

| State | Effective Date | Applicability Thresholds |
|---|---|---|
| Iowa | January 1, 2025 | Control or process data for 100,000+ consumers OR 25,000+ consumers and 50%+ revenue from data sales. |
| Delaware | January 1, 2025 | Control or process data for 35,000+ consumers [1] OR 10,000+ consumers and 20%+ revenue from personal data sales. |
| Nebraska | January 1, 2025 | Applies to businesses that do business in Nebraska or target its residents, that process or sell personal data, and that are not considered a small business under the federal Small Business Act. |
| New Hampshire | January 1, 2025 | Control or process data for 100,000+ consumers OR 25,000+ consumers and 25%+ revenue from personal data sales. |
| New Jersey | January 15, 2025 | Control or process data for 100,000+ consumers OR 25,000 consumers and any revenue or discounts on goods or services from personal data sales. |
| Tennessee | July 1, 2025 | $25M+ annual gross revenue AND control or process 175,000+ consumers OR 25,000+ consumers and 50%+ revenue from data sales. |
| Minnesota | July 31, 2025 | Control or process data for 100,000+ consumers OR 25,000 consumers and 25%+ revenue from personal data sales. |
| Maryland | October 1, 2025 | Control or process data for 35,000+ consumers OR 10,000 consumers and 20%+ revenue from personal data sales. |

Maryland: A Standout Among 2025 Privacy Laws

Among the eight new privacy laws taking effect in 2025, Maryland's Online Data Privacy Act distinguishes itself with its robust and specific requirements. Effective October 1, 2025, the law restricts data collection to what is "reasonably necessary and proportionate" for providing or maintaining a consumer-requested product or service. This goes slightly farther than what we call "purpose limitations" for the collection of data we have seen in other states, and further tightens controls on new and creative potential uses of personal information beyond "providing or maintaining a consumer-requested product or service."

This is significant in that the usual formulation in other state laws is "necessary and proportionate" for the disclosed purpose for which it was obtained without additional notice and consent requirements. Maryland limits collection without consent only to what is reasonably necessary or compatible with "providing or maintaining a consumer-requested product or service."

Additionally, the Maryland law prohibits targeted advertising to individuals under 18, limits the sale of sensitive data, and requires regular risk assessments for any processing "algorithms" that may present a risk to a consumer's privacy. To comply with Maryland's stringent standards, businesses should:

  • Evaluate data collection practices to ensure they meet the law's proportionality requirements.
  • Implement enhanced controls to comply with age-based advertising restrictions.
  • Review sensitive data processing activities and identify any applicable exceptions.

These distinctive provisions emphasize the importance of adopting tailored compliance measures to meet Maryland's heightened standards.

Simplifying Compliance: Will One Privacy Policy Work Everywhere?

Many businesses opt for a unified approach to compliance across states to streamline their operations. This approach reduces the need for ongoing assessments of individual state thresholds and ensures consistency in responding to consumer requests. However, companies should remain vigilant about unique state-level obligations, such as universal opt-out mechanisms required in New Jersey, New Hampshire, Nebraska, Delaware, and Minnesota.

How to Prepare for 2025 Privacy Laws

To stay compliant and build consumer trust in 2025's evolving privacy landscape, businesses should focus on these key actions:

  1. Update Privacy Disclosures: Reflect new rights and obligations under applicable laws. Include categories of data collected, purposes for processing, opt-out mechanisms (e.g., data sale, targeted advertising, profiling), and third-party data-sharing disclosures. Remember, California's CCPA requires updates every 12 months.
  2. Review Data Practices: Audit data collection and processing activities to identify gaps and ensure alignment with proportionality standards, especially under laws like Maryland's.
  3. Strengthen Consumer Rights Processes: Implement systems to handle access, correction, deletion, and opt-out requests efficiently, including compatibility with universal opt-out signals like the Global Privacy Control (GPC).
  4. Train Your Team: Ensure staff understands state-specific requirements and how to execute compliance processes effectively.
  5. Monitor Regulatory Updates: Stay informed about changes, enforcement trends, and upcoming requirements to remain ahead of the curve.

With enforcement on the rise and privacy expectations evolving, now is the time to ensure your policies, processes, and practices are up to date. A strong compliance framework not only mitigates penalties and legal exposure but also positions your business as a leader in consumer trust and data protection. Companies should start the new year right by prioritizing privacy readiness and recognizing that a privacy initiative provides more than just compliance. It offers a competitive advantage.

Footnote

1. For the larger processing threshold that only requires control or processing over consumer personal data, Delaware, New Hampshire, New Jersey, Minnesota, and Maryland exclude data processed or controlled solely for the purpose of completing payment transactions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.