As 2025 begins, businesses across the U.S. will be required to navigate an even more expanded landscape of state-level privacy regulations. In all, eight states are introducing comprehensive privacy laws, further adding to the growing patchwork of privacy requirements in the U.S.

January is kicking off with a flurry as five states (Iowa, Delaware, Nebraska, New Hampshire, and New Jersey) implement their laws in the first two weeks. Later this year, Tennessee, Minnesota, and Maryland will join the mix. For companies operating in the U.S., staying ahead in this shifting regulatory environment is essential. Failure to comply could result in hefty penalties, legal exposure, and a loss of consumer trust.

The good news? Businesses already aligned with current privacy laws may only need minor updates to meet the new requirements. However, it is important to be aware of all consumer-facing interactions, data collections, and sharing of personal information in each state to keep a firm handle on your compliance obligations.

Determining Applicability

Each state law sets its own thresholds, often based on factors like annual revenue or the volume of personal information processed. While most states apply their laws broadly to any company “doing business in the state,” some include additional criteria, such as Tennessee’s $25 million annual revenue threshold. Nebraska mirrors Texas’ approach by applying its law to any company that processes or sells personal data, provided it is not classified as a small business under the federal Small Business Act.

Key Dates and Applicability Thresholds by State

StateEffective DateApplicability Thresholds
IowaJanuary 1, 2025Control or process data for 100,000+ consumers OR 25,000+ consumers and 50%+ revenue from data sales.
DelawareJanuary 1, 2025Control or process data for 35,000+ consumers[1] OR 10,000+ consumers and 20%+ revenue from personal data sales.
NebraskaJanuary 1, 2025Applies to businesses that do business in Nebraska or target its residents, that process or sell personal data, and that are not considered a small business under the federal Small Business Act.
New HampshireJanuary 1, 2025Control or process data for 100,000+ consumers OR 25,000+ consumers and 25%+ revenue from personal data sales.
New JerseyJanuary 15, 2025Control or process data for 100,000+ consumers OR 25,000 consumers and any revenue or discounts on goods or services from personal data sales.
TennesseeJuly 1, 2025$25M+ annual gross revenue AND control or process 175,000+ consumers OR 25,000+ consumers and 50%+ revenue from data sales.
MinnesotaJuly 31, 2025Control or process data for 100,000+ consumers OR 25,000 consumers and 25%+ revenue from personal data sales.
MarylandOctober 1, 2025Control or process data for 35,000+ consumers OR 10,000 consumers and 20%+ revenue from personal data sales.

Maryland: A Standout Among 2025 Privacy Laws

Among the eight new privacy laws taking effect in 2025, Maryland’s Online Data Privacy Act distinguishes itself with its robust and specific requirements. Effective October 1, 2025, the law restricts data collection to what is “reasonably necessary and proportionate” for providing or maintaining a consumer-requested product or service. This goes slightly farther than what we call “purpose limitations” for the collection of data we have seen in other states, and further tightens controls on new and creative potential uses of personal information beyond “providing or maintaining a consumer-requested product or service.”

This is significant in that the usual formulation in other state laws is “necessary and proportionate” for the disclosed purpose for which it was obtained without additional notice and consent requirements. Maryland limits collection without consent only to what is reasonably necessary or compatible with “providing or maintaining a consumer-requested product or service.”

Additionally, the Maryland law prohibits targeted advertising to individuals under 18, limits the sale of sensitive data, and requires regular risk assessments for any processing “algorithms” that may present a risk to a consumer’s privacy. To comply with Maryland’s stringent standards, businesses should:

  • Evaluate data collection practices to ensure they meet the law’s proportionality requirements.
  • Implement enhanced controls to comply with age-based advertising restrictions.
  • Review sensitive data processing activities and identify any applicable exceptions.

These distinctive provisions emphasize the importance of adopting tailored compliance measures to meet Maryland’s heightened standards.

Simplifying Compliance: Will One Privacy Policy Work Everywhere?

Many businesses opt for a unified approach to compliance across states to streamline their operations. This approach reduces the need for ongoing assessments of individual state thresholds and ensures consistency in responding to consumer requests. However, companies should remain vigilant about unique state-level obligations, such as universal opt-out mechanisms required in New Jersey, New Hampshire, Nebraska, Delaware, and Minnesota.

How to Prepare for 2025 Privacy Laws

To stay compliant and build consumer trust in 2025’s evolving privacy landscape, businesses should focus on these key actions:

  1. Update Privacy Disclosures: Reflect new rights and obligations under applicable laws. Include categories of data collected, purposes for processing, opt-out mechanisms (e.g., data sale, targeted advertising, profiling), and third-party data-sharing disclosures. Remember, California’s CCPA requires updates every 12 months.
  2. Review Data Practices: Audit data collection and processing activities to identify gaps and ensure alignment with proportionality standards, especially under laws like Maryland’s.
  3. Strengthen Consumer Rights Processes: Implement systems to handle access, correction, deletion, and opt-out requests efficiently, including compatibility with universal opt-out signals like the Global Privacy Control (GPC).
  4. Train Your Team: Ensure staff understands state-specific requirements and how to execute compliance processes effectively.
  5. Monitor Regulatory Updates: Stay informed about changes, enforcement trends, and upcoming requirements to remain ahead of the curve.

With enforcement on the rise and privacy expectations evolving, now is the time to ensure your policies, processes, and practices are up to date. A strong compliance framework not only mitigates penalties and legal exposure but also positions your business as a leader in consumer trust and data protection. Companies should start the new year right by prioritizing privacy readiness and recognizing that a privacy initiative provides more than just compliance. It offers a competitive advantage.


[1] For the larger processing threshold that only requires control or processing over consumer personal data, Delaware, New Hampshire, New Jersey, Minnesota, and Maryland excludes data processed or controlled solely for the purpose of completing payment transactions.