The U.S. privacy landscape is undergoing a seismic shift in 2025. Eight new state privacy laws are taking effect, expanding consumer rights, raising the bar for data governance, and increasing compliance complexity for businesses nationwide. Here’s what you need to know about each law, its unique features, and what the laws mean for organizations and consumers.
The 2025 State Privacy Law Wave: Who, When, and Why It Matters
Effective in 2025:
- Delaware Personal Data Privacy Act (DPDPA) – Jan 1
- Iowa Consumer Data Protection Act (ICDPA) – Jan 1
- Nebraska Data Privacy Act (NDPA) – Jan 1
- New Hampshire Data Privacy Act (NHDPA) – Jan 1
- New Jersey Data Privacy Act (NJDPA) – Jan 15
- Tennessee Information Protection Act (TIPA) – July 1
- Minnesota Consumer Data Privacy Act (MCDPA) – July 31
- Maryland Online Data Protection Act (MODPA) – Oct 1
What’s New? Key Trends and Standout Provisions in the New Privacy Laws
1. Universal Opt-Out Mechanisms
Most new laws require businesses to honor universal opt-out signals (like the Global Privacy Control) for sales of personal data and targeted advertising. Delaware, Minnesota, and Nebraska mandate these mechanisms, with phased deadlines for implementation.
2. Enhanced Sensitive Data Protection
Several states now require opt-in consent before collecting or processing sensitive data, such as race, health, biometrics, or geolocation. Nebraska and Delaware are especially strict, and Maryland goes further by limiting collection to what’s strictly necessary.
3. Data Protection Assessments
Businesses must conduct risk assessments for high-risk data processing activities—such as large-scale profiling or handling sensitive data. Delaware, Minnesota, and New Jersey have explicit requirements for these assessments.
4. Ban on Dark Patterns
Deceptive or manipulative user interface designs (“dark patterns”) that trick consumers into sharing data are prohibited in several new laws, notably in Nebraska.
5. Broader Applicability
Some laws, like Delaware’s, apply to nonprofits and educational institutions, not just for-profit businesses. Applicability thresholds vary, but the trend is toward broader coverage.
6. Affirmative Defense (Tennessee)
Tennessee’s law is unique: it offers businesses an “affirmative defense” against enforcement if they maintain a privacy program aligned with recognized frameworks like NIST or APEC.
7. No Private Right of Action
All eight new laws reserve enforcement for state attorneys general—consumers cannot sue directly for violations.
8. Rulemaking and Future Regulations
New Jersey’s law grants rulemaking authority to its Division of Consumer Affairs, so expect further regulations and clarifications in the coming years.
What Each New Privacy Law Covers — Quick Descriptions
Delaware (DPDPA)
Covers both for-profits and nonprofits, mandates opt-in for sensitive data, and sets a strong foundation for data subject rights. Universal opt-out is required by 2026.
Iowa (ICDPA)
Grants broad consumer rights like data access and deletion. Its generous 90-day cure period provides flexibility for businesses new to privacy compliance.
Nebraska (NDPA)
Takes a firm stance on sensitive data with opt-in requirements, bans dark patterns, and applies a relatively strict 30-day cure period.
New Hampshire (NHDPA)
Modeled after other state laws with core consumer rights, it includes a 60-day cure period until the end of 2025.
New Jersey (NJDPA)
Adds special protections for teenagers and grants regulatory powers to the Division of Consumer Affairs—hinting at evolving compliance expectations.
Tennessee (TIPA)
Provides businesses with legal protection if they adhere to approved frameworks like NIST. The affirmative defense is a notable incentive for best-practice privacy programs.
Minnesota (MCDPA)
Requires companies to maintain data inventories and comply with universal opt-out requests. The law encourages proactive privacy governance.
Maryland (MODPA)
Takes a strict data minimization stance. It limits sensitive data collection and imposes requirements aligned with necessity and proportionality.
State-by-State Privacy Law Highlights
| State | Effective Date | Unique Features and Requirements |
| --- | --- | --- |
| Delaware | 01/01/2025 | Applies to nonprofits; universal opt-out by 2026; strict sensitive data rules; 60-day cure period until 2026. |
| Iowa | 01/01/2025 | Broad consumer rights; 90-day cure period with no sunset. |
| Nebraska | 01/01/2025 | Applies broadly; opt-in for sensitive data; dark pattern ban; 30-day cure period, no sunset. |
| New Hampshire | 01/01/2025 | Similar core rights; 60-day cure period until end of 2025. |
| New Jersey | 01/15/2025 | Data protection assessments; consent for minors (13–17) for targeted ads/sale; rulemaking authority. |
| Tennessee | 07/01/2025 | Affirmative defense for NIST/APEC-aligned programs; 60-day cure period, no sunset. |
| Minnesota | 07/31/2025 | Data inventories required; universal opt-out; 30-day cure period until Jan 2026. |
| Maryland | 10/01/2025 | Strict data minimization; sensitive data limits; 60-day cure period until April 2027. |
What Should Businesses Do Now About the New Privacy Laws?
- Assess Applicability: Determine which state laws apply based on your business footprint and data processing activities.
- Update Privacy Programs: Implement universal opt-out, review consent mechanisms, and enhance transparency in privacy notices.
- Conduct Data Inventories and Assessments: Especially if operating in Minnesota or Delaware.
- Train Teams: Ensure staff understands new rights, obligations, and how to respond to consumer requests.
- Monitor Rulemaking: Stay alert for new regulations, especially in New Jersey.
Conclusion
The eight new privacy laws debuting in 2025 mark a new era of consumer empowerment and regulatory scrutiny. For businesses, the message is clear: proactive compliance and a robust privacy culture are no longer optional—they’re essential for trust and legal certainty in the digital age.
Stay tuned for deeper dives into each law and practical compliance tips in future posts. Contact us to learn how we can help your business!