Privacy Laws Taking Effect in 2025

Five new state privacy laws taking effect in January 2025 (Delaware, Iowa, Nebraska, New Hampshire, and New Jersey) will expand consumer privacy protections and impose new compliance requirements on businesses processing personal data, with varying thresholds, penalties, and specific protections for sensitive information.

BUSINESS LAW

1/22/20251 min read

New State Privacy Laws
New State Privacy Laws

January 2025 marks a significant expansion in state-level privacy protection as five new comprehensive privacy laws take effect. Delaware, Iowa, Nebraska, and New Hampshire will implement their laws on January 1, with New Jersey following on January 15. These laws introduce new compliance requirements for businesses while strengthening consumer privacy rights.

Key Features of the New Laws

Each state law has unique thresholds and requirements:

Delaware applies to businesses processing data of 35,000+ consumers or 10,000+ consumers with 20% revenue from data sales. Penalties reach $10,000 per violation, with a cure period ending January 2026.

Iowa covers entities processing data of 100,000+ consumers or 25,000+ consumers with 50% revenue from data sales. Violations can cost up to $7,500, with a permanent 90-day cure period.

Nebraska takes a unique approach by exempting small businesses as defined by federal law, with penalties up to $7,500 per violation and a permanent 30-day cure period.

New Hampshire's thresholds mirror Delaware's, but require 25% revenue from data sales for the lower threshold.

New Jersey applies to businesses processing data of 100,000+ consumers or 25,000+ consumers with revenue from data sales, with penalties up to $20,000 for subsequent violations.

Notable Distinctions and Common Ground

Delaware stands out by including nonprofits and educational institutions, while explicitly protecting pregnancy status and nonbinary identity as sensitive data. New Jersey expands sensitive data to include financial credentials, while Nebraska adopts a broad definition of data "sales" similar to California's approach.

Despite their differences, these laws share common consumer rights and business obligations:

  • Consumer opt-out rights for targeted advertising and data sales

  • Access, deletion, and data portability rights

  • Requirements for privacy notices and processor contracts

  • Data minimization and security measures

  • Protections against consumer discrimination

Looking Ahead

The privacy landscape will continue evolving throughout 2025. Maryland and Minnesota will introduce stronger protections, while Colorado will add new obligations for biometric and children's data. California is expected to finalize new AI and privacy regulations, further shaping the national privacy framework.