Eight new state privacy laws are going into effect in 2025, adding to the growing list of data protection regulations across the United States. After efforts to pass a federal data privacy law stalled in June of 2024, state legislatures stepped in to fill the gaps, creating a patchwork of rules that can be difficult to navigate.
With these latest additions, 19 states now have their own comprehensive data privacy laws that businesses need to be aware of to stay compliant.
In this article, we’ll explain which states have new privacy laws in 2025, what types of businesses must comply, and the key provisions companies should prepare for.
What States Have New Privacy Laws in 2025?
Several states are introducing new privacy laws in 2025, expanding consumer rights by setting strict guidelines for businesses that collect and process personal data. Here’s a look at the states with laws taking effect:
State | Law Name | Bill Number | Effective Date |
---|---|---|---|
Iowa | Iowa Consumer Data Protection Act (ICDPA) | Senate File 262 | January 1, 2025 |
Delaware | Delaware Personal Data Privacy Act (DPDPA) | House Bill No. 154 | January 1, 2025 |
Nebraska | Nebraska Data Privacy Act (NDPA) | LB1074 | January 1, 2025 |
New Hampshire | New Hampshire Privacy Act (NHPA) | RSA 507-H | January 1, 2025 |
New Jersey | New Jersey Data Privacy Law (NJDPL) | S332/A1971 | January 15, 2025 |
Tennessee | Tennessee Information Protection Act (TIPA) | HB1181 | July 1, 2025 |
Minnesota | Minnesota Consumer Data Privacy Act (MCDPA) | H.F. 2309 | July 31, 2025 |
Maryland | Maryland Online Data Privacy Act (MODPA) | House Bill 567 | October 1, 2025 |
Each law has its own set of rules, but most share a similar focus on strengthening consumer privacy rights and increasing business accountability. In the following sections, we’ll explain what kinds of businesses these laws apply to and what steps companies should take to prepare.
What Kinds of Businesses Do These Laws Apply To?
The new state privacy laws taking effect in 2025 generally apply to businesses that collect, process, or sell personal data belonging to residents of the state where the law is in place. While the specific thresholds vary by state, most laws target businesses that:
- Process data for a large number of consumers, starting at 25,000 or 100,000 individuals.
- Generate a significant portion of their revenue from selling personal data.
These laws are designed to cover businesses of all sizes, but there are some exceptions. Entities already regulated by laws like HIPAA or the Gramm-Leach-Bliley Act (GLBA) may be excluded from these laws. Small businesses that do not meet volume or revenue thresholds may also fall outside the scope of these laws.
Because the criteria vary from state to state, it is important to carefully review each law in the states where you do business to determine whether they affect you.
Breaking Down the 2025 Privacy Laws
In this section, we’ll take a closer look at each law, explaining who it applies to, the rights it gives consumers, and what penalties businesses could face if they don’t follow the rules. Whether your business operates in one of these states or collects data from their residents, knowing the details can help you stay compliant and avoid penalties.
Iowa Consumer Data Protection Act (ICDPA)
Effective Date: January 1, 2025
Iowa’s Consumer Data Protection Act focuses on businesses handling personal data for at least 100,000 residents or 25,000 residents if more than 50% of their revenue comes from selling data. It gives consumers the right to access, correct, and delete their personal information, along with opting out of targeted ads and data sales. Businesses also need to provide clear privacy policies and keep security measures up to date.
Penalties for Non-Compliance:
Businesses that fail to comply could face fines of up to $7,500 per violation, enforced by the Iowa Attorney General.
Delaware Personal Data Privacy Act (DPDPA)
Effective Date: January 1, 2025
Delaware’s Personal Data Privacy Act applies to businesses that process the personal data of at least 35,000 residents or 10,000 residents if more than 20% of their revenue comes from selling data. It grants consumers rights to access, correct, and delete their data while letting them opt out of targeted advertising and data sales. Businesses must provide clear privacy policies and take steps to protect the data they collect.
Penalties for Non-Compliance:
Violations can lead to fines of up to $10,000 per violation, enforced by the Delaware Department of Justice.
Nebraska Data Privacy Act (NDPA)
Effective Date: January 1, 2025
Nebraska’s Data Privacy Act applies to businesses that handle the personal data of at least 100,000 residents or 25,000 residents if more than 50% of their revenue comes from selling data. It gives consumers rights to access, correct, and delete their personal data, along with the ability to opt out of targeted advertising and data sales. Businesses are required to publish clear privacy notices and put reasonable security measures in place to protect data.
Penalties for Non-Compliance:
Businesses that violate the law may face fines of up to $7,500 per violation, enforced by the Nebraska Attorney General.
New Hampshire Privacy Act (NHPA)
Effective Date: January 1, 2025
New Hampshire’s Privacy Act applies to businesses that process data for at least 100,000 residents or 25,000 residents if over 25% of their revenue comes from selling personal data. Consumers can request access to their data, correct inaccuracies, delete information, and opt out of targeted advertising and data sales. Businesses are required to provide privacy notices and take reasonable steps to secure personal information.
Penalties for Non-Compliance:
Violations can lead to fines of up to $10,000 per violation, enforced by the New Hampshire Attorney General.
New Jersey Data Privacy Law (NJDPL)
Effective Date: January 15, 2025
New Jersey’s privacy law applies to businesses that handle data for at least 100,000 residents or 25,000 residents if 50% or more of their revenue comes from selling personal data. It gives consumers rights to access, correct, and delete their data, as well as opt out of targeted advertising and data sales. Businesses must provide clear privacy policies and take reasonable steps to protect collected data.
Penalties for Non-Compliance:
Violations may result in fines of up to $10,000 per violation, enforced by the New Jersey Attorney General.
Tennessee Information Protection Act (TIPA)
Effective Date: July 1, 2025
Tennessee’s privacy law applies to businesses processing data for 100,000 or more residents, or 25,000 residents if at least 50% of revenue comes from selling personal data. It allows consumers to access, correct, and delete their data and opt out of data sales and targeted advertising. Businesses must adopt privacy policies, limit data collection, and maintain security practices.
Penalties for Non-Compliance:
Fines can reach $7,500 per violation, enforced by the Tennessee Attorney General.
Minnesota Consumer Data Privacy Act (MCDPA)
Effective Date: July 31, 2025
Minnesota’s law applies to businesses processing data for 100,000 residents or 25,000 residents if 25% or more of revenue is from selling data. Consumers can access, correct, and delete data while opting out of targeted ads and sales. Companies must be transparent about data practices and keep information secure.
Penalties for Non-Compliance:
Violations may result in fines of up to $7,500 per violation, enforced by the Minnesota Attorney General.
Maryland Online Data Privacy Act (MODPA)
Effective Date: October 1, 2025
Maryland’s privacy law applies to businesses processing data for at least 100,000 residents or 25,000 residents if 50% of revenue comes from selling data. It grants rights to access, correct, and delete data, and opt out of targeted advertising and sales. Businesses must post privacy notices, limit data collection, and follow security practices.
Penalties for Non-Compliance:
Non-compliance can result in fines of up to $10,000 per violation, enforced by the Maryland Attorney General.
Final Thoughts
As more states introduce privacy laws in the coming years, businesses need to stay informed and be ready to adapt their recordkeeping practices. The new laws taking effect in 2025 highlight a growing trend of state-level regulations designed to give consumers more control over their personal data. While the specific rules vary, they share common themes like transparency, data security, and consumer rights.
Preparing now by reviewing your data practices, updating privacy policies, and implementing security measures can help your business avoid fines and stay compliant as new privacy laws roll out.