Are You Ready for 2025? New State Privacy Laws to Take Effect Beginning on January 1
2025 is set to be another important year for US state privacy laws, with five new laws effective in January and three more coming into effect through October. New laws in Delaware, Iowa, Nebraska, and New Hampshire will go into effect on January 1, 2025, while New Jersey’s law will follow on January 15, 2025. Below, we detail these laws effective in January. Make sure to check back here in 2025 for more information on the laws effective in July and October.
Below are the effective dates, thresholds, and key aspects of these new laws.
Delaware Personal Data Privacy Act – Effective January 1, 2025
The Delaware law applies to entities that conduct business in Delaware or produce products or services targeted to Delaware residents and, during the previous calendar year, did at least one of the following:
- Controlled or processed the personal data of 35,000 or more Delaware residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), or
- Controlled or processed the personal data of 10,000 or more Delaware residents and derived more than 20% of their gross revenue from the sale of personal data.
Delaware’s law differs from most of the comprehensive state privacy laws in effect now or through January 2025 in that it applies to nonprofit organizations and educational institutions. The law also has a unique definition of “sensitive data,” which includes pregnancy status and nonbinary identity.
Iowa Consumer Data Protection Act – Effective January 1, 2025
The Iowa law applies to organizations that conduct business in Iowa or produce products or services that are targeted to Iowa residents and, during a calendar year, do at least one of the following:
- Control or processes the personal data of 100,000 or more Iowa residents, or
- Control or processes the personal data of 25,000 or more Iowa residents and derive more than 50% of their gross revenue from the sale of personal data.
Iowa’s law differs from most comprehensive state privacy laws in that it does not provide consumers with a right to correct their personal data. Businesses subject to the Iowa law are not required to conduct risk assessments for activities that pose a significant risk of harm to consumers, which is a requirement in other states.
Nebraska Data Privacy Act – Effective January 1, 2025
The Nebraska law applies to organizations that:
- Conduct business in Nebraska or produce products or services consumed by Nebraska residents,
- Process or engage in the sale of personal data, and
- Are not small businesses (as defined by the US Small Business Administration).
Nebraska follows Texas by excluding small businesses from the scope of its privacy law. On the other hand, Nebraska’s law includes a broad definition of “sale,” similar to definitions in the laws of California, Connecticut, Delaware, and New Jersey: the exchange of personal data for “monetary or other valuable consideration.”
New Hampshire Data Privacy Act – Effective January 1, 2025
The New Hampshire law applies to organizations that conduct business in New Hampshire or produce products or services that are targeted to New Hampshire residents and, during a one-year period, do at least one of the following:
- Control or process the personal data of 35,000 or more unique New Hampshire residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), or
- Control or process the personal data of 10,000 or more unique New Hampshire residents and derive more than 25% of their gross revenue from the sale of personal data.
The New Hampshire law requires businesses to allow consumers to opt out of processing their personal data by using universal opt-out mechanisms. The law also requires businesses to obtain the consumer’s consent before processing their sensitive data. Unlike other state privacy laws, the law requires the New Hampshire attorney general to provide a 60-day cure period to businesses for violations through December 31, 2025. After that time, the New Hampshire Attorney General will have continuing discretion to provide the 60-day cure period.
New Jersey Data Privacy Act – Effective January 15, 2025
The New Jersey law applies to organizations that produce products or services that are targeted to New Jersey residents and, during a calendar year, do at least one of the following:
- Controls or process the personal data of 100,000 or more New Jersey residents (excluding personal data processed solely for the purpose of completing a payment transaction), or
- Control or process the personal data of 25,000 or more New Jersey residents and derive revenue, or receive a discount on, the price of any goods or services from the sale of personal data.
New Jersey’s law defines “sensitive data” broadly compared to other comprehensive state privacy laws, including in the definition financial credentials such as account numbers, login details, and PINs. Unlike most comprehensive state privacy laws, nonprofits are largely not exempt from the New Jersey law and must comply with it if they meet the other threshold requirements. Starting July 15, 2025, the law requires businesses to allow consumers to opt out of processing their personal data by using a user-selected universal opt-out mechanism to be clarified in rules set out by the New Jersey Division of Consumer Affairs in the Department of Law and Public Safety.
Future Forecast
As new state laws continue come into effect, it is crucial for businesses to be aware of the quickly changing legal landscape and to invest in robust compliance programs. ArentFox Schiff regularly assists clients in navigating this complex legislative and regulatory environment, ensuring that their policies and personal data processing practices meet the diverse requirements of state laws. By staying ahead of the curve, businesses can avoid regulatory penalties and build trust, thereby enhanced loyalty from their customers.
Contacts
- Related Practices