New Year, New State Privacy Laws Take Effect

With the?calendar recently turning?to?2025, businesses across the United States have more new data privacy compliance laws to be aware of. Eight states have added new?privacy laws that have already started to go into effect, adding new layers of complexity to an already intricate regulatory landscape.

With no comprehensive federal privacy law in place, states continue to forge their own paths in protecting consumer data. These eight new laws—covering New Hampshire, Delaware, Iowa, Nebraska, New Jersey, Tennessee, Minnesota, and Maryland—should be reviewed by all companies, as some of them are already in place as of the 1st of January.

Effective Dates

• January 1, 2025: New Hampshire, Delaware, Iowa, Nebraska
• January 15, 2025: New Jersey
• July 1, 2025: Tennessee
• July 31, 2025: Minnesota
• October 1, 2025: Maryland

Key Compliance Thresholds

Most of these laws apply to businesses that meet specific criteria:

• Processing a certain number of state residents' personal data annually
• Deriving significant revenue from selling personal data

Each state has unique parameters. For instance:

• Tennessee requires an annual revenue of at least $25 million
• Nebraska takes a broad approach, applying to companies not classified as "small businesses"
• Thresholds range from 10,000 to 175,000 consumer records depending on the state

Common Consumer Rights

These laws introduce or reinforce critical consumer protections:

• Right to access personal data
• Right to correct inaccurate information
• Right to delete stored data
• Right to opt out of certain data processing activities
• Right to data portability

What Do Businesses Need to Do?

Preparing for compliance isn't just a checklist—it's a comprehensive strategy. Companies should:

1. Audit Current Practices: Determine if you meet the applicability thresholds for any of these states.
2. Update Privacy Policies: Revise consumer-facing documents to reflect new rights and obligations.
3. Enhance Data Governance: Implement robust data protection agreements and impact assessments.
4. Develop Opt-Out Mechanisms: Create clear processes for consumers to control their data.

The Bottom Line

The proliferation of state-level privacy laws underscores the growing importance of data protection. While navigating these regulations may seem daunting, proactive companies will turn compliance into a competitive advantage.

Now is the time to reassess your data privacy strategies. Don't wait until these laws take effect—start preparing today.

Other Privacy News of Note

Protecting Consumers’ Location Data: Key Takeaways From Four Recent Cases

Since the start of this year, the FTC has announced four groundbreaking cases addressing issues with how businesses collect and, in some cases misuse, people’s location data. If your business collects, buys, sells, or uses location data, take a minute to read about the FTC’s most recent enforcement actions against data brokers and aggregato —?Mobilewalla,?Gravy/Venntel,?InMarket, and?X-Mode/Outlogic?— and consider the takeaways. Read more.

US Federal Agencies FTC & CFPB Stamp Down on Data Sharing, Ringing Warning Bell in Adland

The US’s Consumer Financial Protection Bureau (CFPB) is seeking to tighten the reins on data brokers, proposing a rule that would subject them to stricter oversight, including restrictions on the sale of consumers’ sensitive personal information such as phone numbers and Social Security numbers. It would also ensure that consumers’ financial information – such as their income – is only shared for “legitimate purposes, such as facilitating a mortgage approval, and not sold to scammers targeting those in financial distress,” according to the filing. Read more.