2025 promises to be yet another big year for privacy law in the United States. Five states enacted new privacy laws in January, and three additional states will implement privacy laws by the end of the year. Now is an ideal time for businesses to review and update their privacy policies, and those that meet the applicability thresholds below should carefully consider whether their privacy practices are up to date.
Key States and Dates
| State | Effective | Applies if... |
| Delaware | Jan. 1, 2025 |
|
| Iowa | Jan. 1, 2025 |
|
| Nebraska | Jan. 1, 2025 |
|
| New Hampshire | Jan. 1, 2025 |
|
| New Jersey | Jan. 15, 2025 |
|
| Tennessee | July 1, 2025 |
|
| Minnesota | July 31, 2025 |
|
| Maryland | Oct. 1, 2025 |
|
Like other state privacy laws, these new laws apply to businesses that process a significant amount of consumer data. However, there are some notable distinctions:
- Nebraska applies its law to all businesses operating in the state, unless they qualify as a “small business” as defined by the SBA.
- Delaware, Maryland, Minnesota and New Jersey do not exempt nonprofits.
Consumer Rights
The new laws grant consumers similar rights to currently enacted state privacy laws such as:
- Right to access, correct, and delete personal information;
- Right to opt out of or limit certain data processing; and
- Right to opt out of sales of the consumer’s personal information.
Notably, Iowa does not provide consumers with the right to correct their personal information or opt-out of certain data processing.
Notable Compliance Requirements
- Data Protection Assessments – Before processing sensitive data, businesses in New Jersey must conduct formal, written risk assessments and obtain the consumer’s consent.
- Universal Opt-Out Mechanisms – Several states, including Delaware, Maryland, Minnesota, Nebraska, New Hampshire, and New Jersey require businesses that “sell” personal information (as further discussed below) to implement standardized opt-out systems such as the Global Privacy Control on their websites. This requirement applies even if a business has placed a cookie consent banner on its website.
- Children’s Privacy Protections – Although the federal Children’s Online Privacy Protection Act already protects the personal information of children under 13, several states, including Delaware, Maryland, Minnesota, New Hampshire, and New Jersey, have added new protections for older teenagers. These laws require affirmative consent before a business can collect personal information from 13 to 15-year-olds (New Hampshire), 13 to 16-year-olds (Minnesota and New Jersey), and 13 to 17-year-olds (Delaware) for targeted advertising, sale, or profiling. Maryland’s privacy law goes even further, prohibiting the sale or use of personal information for targeted advertising under all circumstances when the consumer is under 18 years of age.
“Sale of Personal Information”
Many state privacy laws define a “sale” of personal information broadly to include more than just the exchange of personal information for monetary payment. Under these laws, a “sale” occurs when a business discloses a consumer’s personal information to a third party in exchange for any valuable consideration. In most cases, allowing third parties to place cookies on your website is considered a sale of personal information. Additionally, common practices, such as sharing user personal information with ad networks or analytics providers in exchange for insights or targeted ad placement may be a sale. Delaware, Maryland, Minnesota, Nebraska, New Hampshire, and New Jersey all define “sale” in this manner.
Businesses should consider reviewing their cookie policies to ensure compliance with both current and upcoming state laws.
We’re Here to Help!
With over a dozen different state privacy laws currently in effect, ensuring compliance with each can be complicated and requires careful assessment of data collection practices. Our Privacy & Data Security team is here to help you understand these laws, mitigate risks, and implement solutions that align with your business goals. Please contact any of the following members of our Privacy & Data Security team with any questions to ensure your business is prepared to comply with these privacy requirements: Kevin DeBré, ; Brian Hall, ; and Taylor Osher, .
