New State Data Privacy Laws for 2025

As we roll into 2025, the parade of new state data privacy laws continues. The states with data privacy laws going into effect in 2025 are as follows:

• Delaware
• Iowa
• Maryland
• Minnesota
• Nebraska
• New Hampshire
• New Jersey
• Tennessee

All of the laws follow the same general pattern as state data privacy laws that have gone into effect in the last few years. Each state law has minimum requirements for applicability based upon the number of residents of the state whose personal data is processed and/or a combination of data processing and a percentage of a company’s gross revenue from the sale of personal data.

The laws have exceptions for certain types of data or industries. They exclude employee and job applicant personal data and, in most cases, personal data that is processed pursuant to a business-to-business relationship. The data privacy laws also exclude personal information that qualifies as protected health information under HIPAA and entities that are subject to HIPAA, the Gramm-Leach-Bliley Act, or certain other laws that already provide protection for personal data.

The laws prohibit the processing of sensitive data without the consent of the individual and prohibit using personal data for targeted advertising if the entity knows or has reason to know that the individual is below a certain age. The age differs from state to state, with some laws restricting targeted advertising if the entity knows the individual is under 16, some are under 17, and some are under 18 years of age. All the laws require entities to implement reasonable security practices, include certain information in their privacy policy, and provide data rights to individuals.

Most of the state laws require a data protection assessment if certain data is processed or if there is potential for a heightened risk of harm to the individual. Some of the state laws, although not all, specifically state that the Attorney General of the state has exclusive authority to enforce the data privacy law and that the law shall not be a basis for a private right of action. The latter limitation is undoubtedly in response to plaintiffs’ attorneys that attempt to use a data privacy law as a standard when alleging that a company was negligent because they did not comply with the data privacy law.

One area in which there can be a wide disparity between the state laws is determining whether a specific law is applicable to a company. While they are all applicable to companies that do business in the respective state or sell or target products or services to residents of the state, the minimum number of persons whose personal data is processed in order for the law to be applicable can vary greatly from state to state. For example, the Delaware law applies to companies that process the data of 35,000 residents (excluding data for payment processing only) or companies that process the data of 10,000 residents and derive 20% of their gross revenue from the sale of personal data. On the other end of the spectrum, the Tennessee law applies to companies that have $25 million in annual gross revenue and either process the personal data of 175,000 residents or process the data of 25,000 residents and get 50% of their gross revenue from the sale of personal data. The Nebraska Data Privacy Act does not apply to businesses with less than 500 employees.

Disclaimer

This material is provided for informational purposes only. It is not intended to constitute legal advice nor does it create a client-lawyer relationship between Hall Booth Smith, P.C. and any recipient. Recipients should consult with counsel before taking any actions based on the information contained within this material. This material may be considered attorney advertising in some jurisdictions. Prior results do not guarantee a similar outcome.