New State Privacy Laws Set to Take Effect in 2025

Insights

Our insights are intended to discuss in a general nature the legal developments relating to our core areas of practice. Insights should not be construed as legal advice or legal opinion. Furthermore, these matters are continually subject to change, and therefore the information below may not reflect the most current legal developments. Readers should not act or rely upon the information without seeking specific advice relating to their facts and circumstances from legal counsel.

Privacy Law richtfirm December 13, 2024

Contents show

On January 1, 2025, four new comprehensive state privacy laws will come into effect, with a fifth following shortly after on January 15. These laws are part of a growing trend of state-level privacy legislation in the United States, aiming to protect consumer data and give individuals more control over their personal information.

The new laws taking effect are:

Delaware Personal Data Privacy Act (DPDPA)
Iowa Consumer Data Protection Act (ICDPA)
Nebraska Data Privacy Act (NDPA)
New Hampshire Data Privacy Law (NHPA)
New Jersey Data Privacy Act (NJDPA) – effective January 15, 2025

These laws will significantly impact businesses operating in these states or targeting their residents, introducing new compliance requirements and consumer rights.

Who Must Comply?

Each law applies to businesses that conduct operations in the respective state or produce products or services targeted to its residents. However, the specific thresholds for compliance vary.

Delaware Personal Data Privacy Act (DPDPA)

Businesses must meet one of the following criteria in the preceding calendar year:

Controlled or processed personal data of at least 35,000 consumers, excluding data processed solely for payment transactions.
Controlled or processed personal data of at least 10,000 consumers and derived over 20% of gross annual revenue from personal data sales.

Iowa Consumer Data Protection Act (ICDPA)

During a calendar year, businesses must meet one of these thresholds:

Control or process personal data of at least 100,000 consumers.
Control or process personal data of at least 25,000 consumers and derive over 50% of gross annual revenue from personal data sales.

Nebraska Data Privacy Act (NDPA)

Businesses must meet both of the following criteria:

Process or engage in the sale of personal data.
Not qualify as a small business under the federal Small Business Act.

New Hampshire Data Privacy Law (NHPA)

During a calendar year, businesses must meet one of these thresholds:

Controlled or processed personal data of at least 35,000 consumers, excluding data processed solely for payment transactions.
Controlled or processed personal data of at least 10,000 consumers and derived over 25% of gross annual revenue from personal data sales.

New Jersey Data Privacy Act (NJDPA)

During a calendar year, businesses must meet one of these criteria:

Control or process personal data of at least 100,000 consumers, excluding data processed solely for payment transactions.
Control or process personal data of at least 25,000 consumers and derive revenue or receive discounts from personal data sales.

Key Provisions and Consumer Rights

While specific details vary, these laws generally grant consumers similar rights, including:

Right to access and confirm personal data.
Right to correct inaccuracies.
Right to delete personal data.
Right to data portability.
Right to opt-out of personal data sales and targeted advertising as well as certain processing sensitive data.

Business Obligations

Businesses subject to these laws must implement various measures, including:

Providing clear privacy notices.
Implementing reasonable data security practices.
Conducting data protection assessments for certain activities.
Obtaining consent for processing sensitive data.
Honoring consumer rights requests.
Establishing contracts with data processors.

Enforcement and Penalties

These laws are typically enforced by the respective state Attorney General. Penalties for violations can be significant, with fines ranging up to $7,500 per violation in some cases. Most of these laws provide a cure period for businesses to address alleged violations before penalties are imposed. In addition to the five laws coming into effect in January 2025, three additional laws will go live later in 2025, as per the following:

Tennesse Information Protection Act (TIPA) goes into effect July 1, 2025
Minnesota Consumer Data Privacy Act (MCDPA) goes into effect July 31, 2025
Maryland Online Data Protection Act (MODPA) goes into effect October 1, 2025

As the privacy landscape continues to evolve, businesses operating across multiple states face increasing complexity in compliance requirements. It’s crucial for companies to carefully evaluate their data practices and take proactive steps to ensure compliance with these new laws before they come into effect in 2025.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Insights