Delaware: Delaware Personal Data Privacy Act (DPDPA)
- Effective Date: January 1, 2025
- Scope:
- Applies to businesses processing the personal information (PI) of:
- 100,000 or more Delaware residents.
- 25,000 or more Delaware residents if over 50% of gross revenue comes from selling PI.
- Consumer Rights:
- Access and Confirmation: Consumers can view and confirm what personal data businesses hold about them.
- Correction and Deletion: Businesses must honor requests to fix inaccuracies or delete unnecessary data.
- Data Transferability: Consumers can request their data in a portable format for use elsewhere.
- Opt-Out Rights: Includes the ability to opt out of data sales and targeted advertising.
Commentary: Delaware’s law is robust, mirroring elements of landmark legislation like the GDPR. It balances business needs with consumer rights, particularly by focusing on transparency and the control consumers have over their data.
Iowa: Iowa Consumer Data Protection Act (ICDPA)
- Effective Date: January 1, 2025
- Scope:
- Targets businesses processing the PI of:
- 100,000 or more Iowa consumers.
- 25,000 or more if over 50% of revenue derives from selling PI.
- Requirements:
- Businesses must explicitly define and limit data processing to specific purposes.
- Privacy notices must clearly state:
- The categories of data collected.
- How the data will be used.
- Consumers have rights to:
- Access their data.
- Delete data that is no longer relevant.
- Port data to other service providers.
- Opt out of the sale of PI.
Commentary: Iowa’s emphasis on purpose limitation ensures businesses can’t exploit collected data for unrelated activities, which should inspire consumer trust. However, enforcement mechanisms might need further scrutiny to determine their effectiveness.
Nebraska: Nebraska Data Privacy Act (NDPA)
- Effective Date: January 1, 2025
- Scope:
- Broadly applies to any business operating in Nebraska, excluding small businesses as defined by the U.S. Small Business Administration.
- Consumer Rights:
- Correction or deletion of personal data.
- Opting out of:
- Data sales.
- Targeted advertising.
- Profiling based on consumer data.
Commentary: Nebraska’s law stands out for its expansive reach, holding larger entities to stricter standards while exempting small businesses to reduce compliance burdens.
New Hampshire: New Hampshire Privacy Act (NHPA)
- Effective Date: January 1, 2025
- Scope:
- Applicable to companies processing data for:
- 35,000+ New Hampshire residents annually.
- 10,000+ residents, if over 25% of gross revenue comes from selling PI.
- Consumer Rights:
- Right to transparency regarding data collection.
- Ability to opt out of uses like targeted advertising.
Commentary: While narrower in scope than some laws, NHPA emphasizes transparency and gives residents a meaningful say in how their data is used commercially.
New Jersey: New Jersey Data Privacy Act (NJDPA)
- Effective Date: January 15, 2025
- Scope:
- Covers entities processing the PI of 25,000+ New Jersey residents and deriving any revenue or discounts from selling PI, without requiring a minimum percentage threshold.
- Consumer Rights:
- Access, correction, and deletion of PI.
- Opt-out rights for data sales and targeted advertising.
Commentary: The NJDPA’s lack of a revenue threshold for applicability could significantly broaden the number of businesses subject to compliance, making it one of the more stringent state laws.
Tennessee: Tennessee Information Protection Act (TIPA)
- Effective Date: July 1, 2025
- Scope:
- Applies to businesses with:
- $25 million+ in annual revenue and processing the PI of 175,000+ Tennessee consumers.
- 25,000+ consumers, if over 50% of revenue comes from PI sales.
- Requirements:
- Businesses must provide:
- Comprehensive privacy notices.
- Mechanisms for consumers to request data access or deletion.
- Opt-out options for data sales and targeted advertising.
Commentary: TIPA follows a measured approach by exempting smaller businesses while ensuring high-revenue entities with extensive data operations uphold consumer rights.
Minnesota: Minnesota Consumer Data Privacy Act (MCDPA)
- Effective Date: July 31, 2025
- Scope:
- Covers businesses processing the PI of:
- 100,000+ Minnesota consumers.
- 25,000+ consumers, if over 50% of revenue derives from PI sales.
- Consumer Rights:
- Access, correction, and deletion of personal data.
- Opt-outs for data sales and targeted advertising.
Commentary: Minnesota’s law is straightforward but comprehensive, aligning with national trends while emphasizing core consumer protections.
Maryland: Maryland Online Data Privacy Act (MODPA)
- Effective Date: October 1, 2025
- Scope:
- Targets businesses processing data for:
- 35,000+ Maryland consumers.
- 10,000+ consumers, if 20%+ of revenue comes from PI sales.
- Unique Feature:
- Prohibits the sale of personal data unless strictly necessary to maintain or provide consumer-requested services.
- Consumer Rights:
- Right to access, delete, and opt out of PI sales or processing for targeted advertising.
Commentary: Maryland’s prohibition on unnecessary PI sales is a significant step forward in prioritizing consumer trust over business interests.
Key Themes Across These Laws
Implications for Businesses
- Companies need to adopt robust data governance frameworks to ensure compliance.
- Failure to comply can result in significant reputational damage and financial penalties, particularly in states with stricter enforcement mechanisms like New Jersey and Maryland.
What you need to do about all of these new privacy laws:
These new privacy laws collectively signify a turning point in the U.S. approach to data privacy, raising the bar for consumer protections and requiring businesses to rethink their data practices. As the regulatory patchwork grows, companies must proactively adapt to ensure compliance and maintain consumer trust.
These new privacy laws collectively signify a turning point in the U.S. approach to data privacy, raising the bar for consumer protections and requiring businesses to rethink their data practices. As the regulatory patchwork grows, companies must proactively adapt to ensure compliance and maintain consumer trust.