As the landscape of state privacy regulations continues to develop in the U.S., businesses must be ready for substantial changes set to take effect in January 2025. New laws from Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota and Maryland, will introduce important consumer rights, heightened data protection requirements, and increased transparency obligations. With approximately 150 million Americans — about 43% of the U.S. population — covered by these laws, understanding their implications is vital for organisations to ensure compliance and mitigate risks.
Assessing Applicability
When gearing up to comply with the new legislation, the first thing businesses need to do is to ascertain whether these regulations apply to them. Each state's privacy legislation has distinct criteria that depend on the company's revenue and the amount of personal data it processes. Generally, most states require compliance from any entity "doing business within the state," irrespective of its annual revenue. Notably, the Tennessee Information Protection Act establishes a specific revenue threshold, requiring companies to have at least $25 million in annual revenue to fall under its jurisdiction.
With the exception of Nebraska, most states utilise thresholds based on the number of residents whose personal data is processed, imposing lower thresholds for companies that derive significant income from the sale of personal data. In Nebraska, however, the law applies to any company that operates in the state and processes or sells personal data, provided it does not qualify as a small business under the federal Small Business Act.
The table below summarises the applicability thresholds in each of the states where changes are to be implemented.
| Iowa | Delaware | Nebraska | New Hampshire | New Jersey | Tennessee | Minnesota | Maryland | |
| Jurisdiction Threshold | Doing business in the state | Doing business in the state | Doing business in the state | Doing business in the state | Doing business in the state | Doing business in the state | Doing business in the state | Doing business in the state |
| PLUS ONE OF: | ||||||||
| Processing Threshold | 100k+ clients | 35k+ clients excl payment transactions | Processes or sells personal data and not a small business | 35k+ clients | 100k+ clients excl payment transactions | 175k+ clients | 100k+ clients | 35k+ clients excl payment transactions |
| Sales Threshold | 25k+ clients & 50% of revenue from selling data | 10k+ clients & 25% of revenue from data selling | None | 10k clients & 25% of revenue from selling data | 25k+ clients & any revenue or discounts from selling data | 25k+ clients & 50% of revenue from selling data | 25k+ clients & 25% of revenue from selling data | 10k+ clients & 25% of revenue from selling data |
Overview of the New State Privacy Laws
Delaware Personal Data Privacy Act (DPDPA)
The Delaware Personal Data Privacy Act (DPDPA) will come into force on 1 January 2025. This legislation is distinct in that it encompasses a wide range of entities, including non-profits and educational institutions, without significant exemptions. In response to consumer inquiries, one of the act's key features is its stipulation that businesses must provide consumers with information on the categories of third parties with whom their personal data has been shared. Additionally, starting in 2026, companies will be required to implement a universal opt-out mechanism, allowing consumers to manage their data preferences across various platforms.
Iowa Consumer Data Protection Act (ICDPA)
The Iowa Consumer Data Protection Act (ICDPA), effective 1 January 2025, presents a more limited framework compared to other states. It does not include consumer rights, such as the ability to correct personal data or opt out of targeted advertising. However, it does require that businesses provide an option for consumers to opt out of data sales. The law's applicability is determined by specific thresholds related to the volume of data processed and the revenue generated from data sales.
Nebraska Data Privacy Act (NDPA)
The Nebraska Data Privacy Act (NDPA), also effective 1 January 2025, introduces a universal opt-out mechanism for consumers, allowing them to decline data sales and targeted advertising. A notable aspect of this law is its prohibition of "dark patterns," which are deceptive practices that coerce users into providing their personal information. The NDPA emphasises the need for enhanced transparency and empowers consumers to exert greater control over their personal data by requiring businesses to evaluate high-risk activities like profiling and targeted advertising.
New Hampshire Data Privacy Act (NH SB 255)
The New Hampshire Data Privacy Act (NH SB 255), again set to take effect on 1 January 2025, has undergone amendments that shift the responsibility for compliance directly onto businesses, eliminating prior requirements for state guidance. This law is characterised by its lack of revenue thresholds, which means it applies to a broader spectrum of businesses, including smaller enterprises. This inclusivity may lead to significant implications for compliance, despite New Hampshire's smaller population size.
New Jersey Data Privacy Act (NJ SB 322)
Effective from 15 January 2025, the New Jersey Data Privacy Act introduces comprehensive requirements, including the necessity for businesses to conduct data protection assessments prior to processing sensitive information. The definition of sensitive data in this context is notably expansive. Furthermore, the law mandates that businesses halt the processing of personal data within 15 days of a consumer revoking consent, a notable acceleration compared to the longer timelines seen in other states. This provision underscores New Jersey's commitment to prioritising consumer control over personal data.
Tennessee Information Protection Act
The Tennessee Information Protection Act, effective July 1, 2025, introduces critical privacy requirements for businesses operating within the state. This legislation mandates that organisations conduct data protection assessments to evaluate the risks associated with their data handling practices. Additionally, companies must inform consumers about their personal data sharing practices and provide clear options for opting out of data sales and targeted advertising. These measures are designed to enhance consumer transparency and control over personal data.
Minnesota Consumer Data Privacy Act
Effective from 15 July 2025, the Minnesota Consumer Data Privacy Act establishes comprehensive protections for consumers regarding their personal data. Under this law, individuals are granted rights to access, delete, and correct their personal information held by businesses. Organisations are required to disclose the categories of personal data they collect and share, along with the purposes for which this data is used. This emphasis on transparency aims to empower consumers and foster trust in how their data is managed.
Maryland Online Data Privacy Act
The Maryland Online Data Privacy Act, set to take effect on 1 October 2025, imposes stringent regulations on the collection and use of personal data. This law stipulates that businesses may only gather data that is "reasonably necessary" for the specific services provided to consumers. Furthermore, it prohibits the sale of sensitive personal data, thereby reinforcing the protection of individuals' private information. Organisations will also be required to implement clear mechanisms for consumers to exercise their privacy rights, further enhancing consumer control over their personal data.
Steps for Ensuring Compliance
With these new laws set to be implemented, businesses must take decisive actions to achieve compliance. Here’s a structured approach to prepare for the upcoming requirements:
- Revise Privacy Notices: Each law demands updated privacy notices detailing data collection practices, consumer rights, and third-party sharing. Ensuring that privacy policies are current and compliant with state-specific requirements is essential for transparency.
- Establish Consumer Rights Framework: Organisations should develop systems to efficiently manage consumer requests for data access, deletion, and rectification. Particular attention should be paid to the stricter requirements outlined in Delaware and New Jersey's laws.
- Conduct Data Protection Impact Assessments: Companies will need to perform data protection impact assessments to identify and mitigate risks associated with high-risk processing activities, as mandated by Delaware and New Jersey.
- Implement Universal Opt-Out Mechanisms: Businesses must prepare to make technical adjustments necessary to comply with universal opt-out requirements. This may involve enhancing existing consent management systems to accommodate these new obligations.
The Importance of Proactive Monitoring
Navigating the complexities inherent in these new state privacy laws is crucial for businesses operating in the U.S. Non-compliance can result in regulatory fines, legal issues, and a loss of consumer trust. Therefore, it is essential for organisations to remain vigilant regarding ongoing legal developments and adjust their compliance strategies as needed.
Conclusion
As the new state privacy laws come into effect in 2025, businesses must prioritise compliance to mitigate risks effectively. A thorough understanding of each law's nuances and implementing necessary changes will not only help meet regulatory obligations but also strengthen consumer trust. By taking proactive measures now, organisations can adeptly navigate the evolving landscape of data privacy and maintain compliance in the face of growing scrutiny.
Add comment
Comments