As January 2025 draws to a close, five new states have taken their places in the patchwork of U.S. comprehensive privacy laws. The laws of Delaware, Iowa, Nebraska, and New Hampshire took effect on New Year’s Day, with New Jersey’s law effective two weeks later. While these laws share many core features of existing state privacy laws, several introduce unique obligations.
Businesses covered by these laws have plenty to consider as they evaluate (and re-evaluate) their privacy compliance programs, especially with more state laws and their attendant nuances coming into play later this year. For now, some notable features of the latest five laws include the following:
Attention to Sensitive Data
- Greater protection for sensitive data, including racial or ethnic origin, citizenship, sexual orientation, and religious beliefs
- Variations in definitions of “sensitive data” exist beyond these core similarities, with New Jersey (like California) recognizing financial-related data as sensitive, and Delaware including pregnancy and non-binary status in its definition
- New Jersey (like Colorado) requires businesses to conduct data protection assessments before engaging in any processing that poses a heightened risk to consumers, including the processing of sensitive data
Consumer Rights
- All five states grant the rights to access and delete personal data; all except Iowa also grant the rights to correct inaccuracies and to request copies of personal data (data portability)
- These states also provide the right to opt out of targeted advertising, the sale of personal data, and profiling that leads to a legally significant outcome (although no such profiling right exists in Iowa)
- Delaware (like Oregon) provides the additional consumer right to request a list of categories of third parties to whom the controller has disclosed that consumer’s personal information
Applicability and Exemptions
- Applicability thresholds are generally determined based on the number of consumers whose personal data is processed in the state – but Nebraska joins Texas in applying its law to all companies except those that qualify as small businesses as defined by the U.S. Small Business Administration
- The five latest state laws vary in exemptions for health data under HIPAA and financial data under GLBA – with some granting full entity-level exemptions and others only data-level exemptions
- Unlike the laws of most other states, the laws of Delaware and New Jersey broadly apply to non-profits and the data they collect (with limited exceptions), and cover institutions of higher education
Considering these five new state privacy laws—and not forgetting the eight already in effect since before 2025—companies must not only pay attention to their ongoing compliance obligations but also determine whether any of these new laws apply to them and, if so, expand their compliance programs accordingly. Such requirements may entail revising website privacy notices, offering data subject rights in additional states, conducting data protection assessments, adhering to stricter data minimization standards, honoring standardized opt-out mechanisms, increasing focus on the privacy of children and minors, reviewing contracts with third parties, examining and enhancing security measures, and scrutinizing the processing of sensitive data.
The privacy laws of Maryland, Minnesota and Tennessee will add new twists to the privacy landscape when they become effective later this year. As we move deeper into 2025, and with regulators ramping up their enforcement efforts across a growing number of states, now is the time for businesses to take a close look at their privacy compliance programs to ensure that they are working as efficiently and effectively as possible to meet their obligations.