8 new privacy laws coming in 2025: What business owners need to know

Donata Stroink-Skillrud

Co-founder and President of Termageddon

The eight privacy laws of 2025

There’s no other way to say it. The year 2025 is going to be an absolute doozy for website owners when it comes to privacy.

2023 brought us six new privacy laws. 2024 brought us three new privacy laws. While both were busy years for privacy, 2025 will see eight new privacy laws coming to the United States, almost as many as 2023 and 2024 combined.

While not all of these laws will apply to all businesses, some are pretty far-reaching, impacting businesses of all shapes and sizes, wherever they are located. If these laws do apply to you, you’ll need to update your Privacy Policy accordingly to ensure it contains all the disclosures required by these new laws (unless you have Termageddon, where we determine all this for you and update policies automatically).

So, without further ado, introducing the eight new privacy laws coming in 2025:

  • Delaware Personal Data Privacy Act (effective date: January 1, 2025)
  • Iowa SF262 (effective date: January 1, 2025)
  • Nebraska Data Privacy Act (effective date: January 1, 2025)
  • New Hampshire SB 255 (effective date: January 1, 2025)
  • NJ SB 332 (effective date: January 16, 2025)
  • Tennessee Information Protection Act (effective date: July 1, 2025)
  • Minnesota Consumer Data Privacy Act (effective date: July 31, 2025)
  • Maryland Online Data Privacy Act of 2024 (effective date: October 1, 2025)

PLEASE NOTE: You don’t have to be located in these states for these privacy laws to apply to you.

Delaware Personal Data Privacy Act (DPDPA)

Effective date: January 1, 2025

On September 11, 2023, the Governor of Delaware signed DE H 154, passing the Delaware Personal Data Privacy Act (DPDPA), providing residents of Delaware with privacy rights and requiring businesses that need to comply with the law to meet certain obligations. This privacy law will go into effect on January 1, 2025 so businesses should start work to adapt their privacy programs to this new law as soon as possible.

 Who does it apply to? 

The DPDPA applies to any person that conducts business in Delaware or that produces products or services that are targeted to residents of Delaware and that during the preceding calendar year: 

  • Controlled or processed the personal data of not less than 35,000 residents of Delaware; or 
  • Controlled or processed the personal data of not less than 100,000 residents of Delaware and derived more than 20% of their gross revenue from the sale of personal data. 

It is important to note that similar to other privacy laws, your business does not need to be located in Delaware for this privacy law to apply to you. The DPDPA exempts nonprofit organizations that provide services to victims of or witnesses to child abuse, domestic violence, human trafficking, sexual assault, violent felony or stalking but does not exempt nonprofits working in other areas. 

DPDPA at a glance

Requires a Privacy Policy: Yes
Requires cookie consent banner: No
Applies to small businesses: No
Enforced by: Delaware Attorney General
Right to correct data: Yes
Right to restrict processing: Yes
Right to portability: Yes
Right to access data: Yes
Right to delete data: Yes
Prohibits discrimination: Yes
Right to withdraw consent: No
Right to opt-out: Yes
Opt-in consent required: No
Restrictions on profiling and/or automated decision-making: Yes

Read our full DPDPA Compliance Guide

Iowa SF262 Compliance Guide

Effective date: January 1, 2025

On March 28, 2023, the Governor of Iowa signed Iowa SF262. This new law will go into effect on January 1, 2025 and will provide residents of Iowa with new privacy rights, and require businesses to have a Privacy Policy that makes the disclosures required by this law. 

 Who does it apply to? 

Iowa SF262 applies to any person conducting business in Iowa or producing products or services that are targeted to residents of Iowa and that meet one of the following requirements: 

  • Controls or processes the personal data of at least 100,000 Iowa residents per year; or 
  • Controls or processes the personal data of at least 25,000 Iowa residents and derives over 50% of gross revenue from the sale of personal data per year. 

The law does not apply to employee data and specifically exempts nonprofit organizations.

Iowa SF262 at a glance 

Requires a Privacy Policy: Yes
Requires cookie consent banner: No
Applies to small businesses: No
Enforced by: Iowa Attorney General
Right to correct data: No
Right to restrict processing: Yes
Right to portability: Yes
Right to access data: Yes
Right to delete data: Yes
Prohibits discrimination: Yes
Right to withdraw consent: No
Right to opt-out: Yes
Opt-in consent required: No
Restrictions on profiling and/or automated decision-making: No

Read our full Iowa SF262 Compliance Guide

Nebraska Data Privacy Act

Effective date: January 1, 2025

On April 17, 2024, the Governor of Nebraska signed NE LB1074, enacting the Nebraska Data Privacy Act. This comprehensive privacy law will go into effect on January 1, 2025 and will provide privacy rights to residents of the State as well as impose compliance requirements on businesses that need to comply with this privacy law, such as the requirement to have a comprehensive Privacy Policy. 

Who does it apply to? 

The Nebraska Data Privacy Act applies to any person that: 

  1. Conducts business in Nebraska or that produces a product or service consumed by residents of Nebraska;
  2. Processes or engages in the sale of personal data. 

The Nebraska Data Privacy Act does not apply to small businesses as defined by the Small Business Act. A “small business” is generally defined as any independent business that has fewer than 500 employees, though this definition may also be based upon the industry that the business is operating in as well as their revenue size. It is also important to note that this privacy law specifically exempts nonprofits from compliance. 

As you can see from the above, the Nebraska Data Privacy Act can apply to businesses outside of the state but will usually apply to large businesses only. However, since Nebraska’s privacy law requires businesses to ensure that the personal data is protected even when it is shared with third parties, small businesses may be subject to this privacy law through contract if they process personal data for clients that do need to comply with this law.

Nebraska Data Privacy Act at a glance

Requires a Privacy Policy: Yes
Requires cookie consent banner: No
Applies to small businesses: No
Enforced by: Nebraska Attorney General
Right to correct data: Yes
Right to restrict processing: Yes
Right to portability: Yes
Right to access data: Yes
Right to delete data: Yes
Prohibits discrimination: Yes
Right to withdraw consent: No
Right to opt-out: Yes
Opt-in consent required: No
Restrictions on profiling and/or automated decision-making: Yes

Read our NE LB1074 Compliance Guide

New Hampshire SB 255

Effective date: January 1, 2025

On March 7, 2024, the Governor of New Hampshire signed NH SB 255, adding to the State’s books a new privacy law that establishes an expectation of privacy when using business websites. This new law will go into effect on January 1, 2025 and will protect the privacy of residents of New Hampshire by providing them with new rights and by including a requirement for certain businesses to provide a comprehensive Privacy Policy to consumers.

Who does it apply to? 

New Hampshire’s privacy law takes into account the fact that consumers can submit their personal data to businesses that may be located anywhere by specifying that you do not have to be located in the State for this law’s requirements to apply to you. More specifically, this law applies to persons that conduct business in New Hampshire or that produce products or services that are targeted to residents of the State and that meet one or more of the following factors: 

  1. Controlled or processed the personal data of not less than 100,000 residents of New Hampshire; or
  2. Controlled or processed the personal data of not less than 25,000 residents of the State and derived more than 25% of their gross revenue from the sale of personal data. 

It is important to note that NH SB 255 specifically excludes nonprofits, institutions of higher education, financial institutions, and institutions covered by HIPAA so these types of entities will not need to comply with this law.


 NH SB 255 at a glance

Requires a Privacy Policy: Yes
Requires cookie consent banner: No
Applies to small businesses: No
Enforced by: New Hampshire Attorney General
Right to correct data: Yes
Right to restrict processing: Yes
Right to portability: Yes
Right to access data: Yes
Right to delete data: Yes
Prohibits discrimination: Yes
Right to withdraw consent: No
Right to opt-out: Yes
Opt-in consent required: No
Restrictions on profiling and/or automated decision-making: Yes
Penalty: Up to $10,000 per violation

Read our full NH SB 255 Compliance Guide

NJ SB 332

Effective date: January 16, 2025

On January 16, 2024, the Governor of New Jersey signed NJ SB 332, making New Jersey the 14th state to pass a privacy law that provides individuals with comprehensive privacy protections. This law will take effect 365 days from enactment (on January 16, 2025) and will provide privacy rights to residents of New Jersey, as well as require certain businesses to have a comprehensive Privacy Policy and to follow the requirements set forth below.

Who does it apply to? 

New Jersey’s privacy law applies to controllers who conduct business in New Jersey or that produce products or services targeted to residents of the State and that during a calendar year:

  • Control or process the personal data of at least 100,000 residents of New Jersey; or 
  • Control or process the personal data of at least 25,000 residents of New Jersey and derive revenue or receive a discount on the price of any goods or services from the sale of personal data. 

The law defines “controller” as an individual or a legal entity that determines the purposes and means of processing personal data. For example, if your website collects names and email addresses and you determine when to send those individuals email marketing, you would be considered a “controller.” If you meet the thresholds cited above, you will need to comply with this privacy law, including having a comprehensive Privacy Policy and the honoring of consumer privacy rights. 

NJ SB 332 at a glance

Requires a Privacy Policy: Yes
Requires cookie consent banner: No
Applies to small businesses: No
Enforced by: New Jersey SB332
Right to correct data: Yes
Right to restrict processing: Yes
Right to portability: Yes
Right to access data: Yes
Right to delete data: Yes
Prohibits discrimination: Yes
Right to withdraw consent: No
Right to opt-out: Yes
Opt-in consent required: No
Restrictions on profiling and/or automated decision-making: Yes
Penalties: Not yet stated

Read our full NJ SB 332 Compliance Guide

Tennessee Information Protection Act (TIPA)

Effective date: July 1, 2025

On May 15, 2023, Tennessee HB1181 was enrolled into law, enacting the Tennessee Information Protection Act (TIPA). TIPA was passed to protect the privacy of residents of Tennessee by providing them with privacy rights and imposing certain requirements upon businesses, such as having a Privacy Policy. This new law will go into effect on July 1, 2025, so businesses that need to comply should start their compliance efforts now.

Who does it apply to? 

TIPA applies to persons that conduct business in Tennessee or that produce products or services that are targeted to residents of the state and that: 

  • During a calendar year, control or process the personal information of at least 100,000 residents of Tennessee; or 
  • Control or process the personal information of at least 25,000 Tennessee residents and derive more than 50% of gross revenue from the sale of personal information. 

It is important to note that TIPA applies to businesses that are located in Tennessee, as well as businesses that are not, so businesses in other states must still pay attention to and comply with this law if it applies to them.

TIPA at a glance

Requires a Privacy Policy: Yes
Requires cookie consent banner: No
Applies to small businesses: No
Enforced by: Tennessee Attorney General
Right to correct data: Yes
Right to restrict processing: Yes
Right to portability: Yes
Right to access data: Yes
Right to delete data: Yes
Prohibits discrimination: Yes
Right to withdraw consent: No
Right to opt-out: Yes
Opt-in consent required: No
Restrictions on profiling and/or automated decision-making: No
Penalties: Up to $15,000 per violation

Read our TIPA Compliance Guide

Minnesota Consumer Data Privacy Act

Effective date: July 31, 2025

On May 24, 2024, the Governor of Minnesota signed MN HF 4757, enacting the Minnesota Consumer Data Privacy Act (MCDPA), a comprehensive state privacy law that will go into effect on July 31, 2025. This new law will ensure the privacy of residents of the State by providing them with privacy rights and by requiring businesses that need to comply with this law to meet certain requirements, such as providing a comprehensive and up to date Privacy Policy, maintaining a data inventory, practicing data minimization and more.

Who does it apply to? 

The MCDPA applies to legal entities that do business in Minnesota or that produce products or services that are targeted to residents of Minnesota and that meet one or more of the following thresholds: 

  1. During a calendar year, controls or processes the personal data of 100,000 Minnesota residents or more; 
  2. Derives over 25% of gross revenue from the sale of personal data and processes or controls the personal data of 25,000 Minnesota residents or more. 

It is important to note that the MCDPA does not apply to nonprofit organizations that are established to detect and prevent fraudulent acts in connection with insurance, but it will apply to nonprofits that meet the criteria above if they perform their work in other fields. It is also important to note that Minnesota’s new privacy law specifically exempts small businesses, as defined by the United States Small Business Administration, from certain compliance requirements. Generally speaking, businesses with less than $2.25 million per year in revenue and less than 100 employees will be considered a “small business” by the SBA. However, businesses exceeding these thresholds may not be considered a “small business” based on their industry. The sole requirement that a small business is subject to is that a small business must not sell a consumer’s sensitive data without their consent. 

MCDPA at a glance

Requires a Privacy Policy: Yes
Requires cookie consent banner: No
Applies to small businesses: No
Enforced by: Minnesota Attorney General
Right to correct data: Yes
Right to restrict processing: Yes
Right to portability: Yes
Right to access data: Yes
Right to delete data: Yes
Prohibits discrimination: Yes
Right to withdraw consent: No
Right to opt-out: Yes
Opt-in consent required: No
Restrictions on profiling and/or automated decision-making: Yes
Penalties: Up to $7,500 per violation

Read the full MCDPA Compliance Guide

Maryland Online Data Privacy Act

Effective date: October 1, 2025

On May 9, 2024, the Governor of Maryland signed MD SB541, enacting the Maryland Online Data Privacy Act of 2024. This law will go into effect on October 1, 2025 and will provide privacy rights to residents of the State and will impose various compliance obligations on businesses such as the requirement to have a comprehensive Privacy Policy that includes all of the disclosures enumerated in this privacy law.

Who does it apply to? 

Maryland’s new privacy law has a broad application in the sense that your business does not have to be located in Maryland for this privacy law to apply to you. The Maryland Online Data Privacy Act applies to persons that conduct business in the State or that provide services or products that are targeted to residents of the State and that during the immediately preceding calendar year: 

  1. Controlled or processed the personal data of at least 35,000 residents of Maryland; or 
  2. Controlled or processed the personal data of at least 10,000 residents of Maryland and derived more than 25% of its gross revenue from the sale of personal data. 

It is important to note that the law specifically exempts nonprofits that process personal data to assist law enforcement agencies in investigating criminal or fraudulent acts relating to insurance or first responders in responding to catastrophic events. However, the law does not exempt nonprofits working in other causes.

MD SB 541 at a glance

Requires a Privacy Policy: Yes
Requires cookie consent banner: No
Applies to small businesses: No
Enforced by: Maryland Attorney General
Right to correct data: Yes
Right to restrict processing: Yes
Right to portability: Yes
Right to access data: Yes
Right to delete data: Yes
Prohibits discrimination: No
Right to withdraw consent: No
Right to opt-out: Yes
Opt-in consent required: No
Restrictions on profiling and/or automated decision-making: Yes
Penalties: Up to $10,000 per violation

Read the full MD HB567 Compliance Guide

Next steps for business owners

Just a few years back it was rare to see one privacy law passed per year. Not anymore.

While this is great for protecting people’s online data and privacy, it can be a real hassle for website owners who now have to read each privacy law, determine if it applies to them, and then update their policies accordingly. This must be done for EVERY. SINGLE. LAW.

That’s why we recommend first and foremost getting a privacy attorney to draft your policies for you and manage them on an ongoing basis to ensure they remain up to date.

Granted, this can get expensive. Which is why we created Termageddon as a secondary option. While we can’t provide legal advice, our Privacy Policy Generator can find out what laws apply to your website, draft policies accordingly, and then auto-update your policies as privacy laws change or go into effect. It’s a true solution for websites and apps.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
