News

Eight States Enact Privacy Laws Effective in 2025

By  |  

Five new state privacy laws have already taken effect in 2025, and three more state privacy laws will take effect later this year. In total, twenty states have enacted comprehensive state privacy laws since 2019. The laws grant consumers rights regarding personal data, which is defined as information linked to or reasonably linkable to a person, such as names, e-mail addresses, and IP addresses. Most of these laws follow a similar structure; however, there are several state-specific nuances.

Which state privacy laws go into effect in 2025?

Delaware, Iowa, Nebraska, New Hampshire, and New Jersey’s privacy laws went into effect in January of 2025. Tennessee, Maryland, and Minnesota’s privacy laws will go into effect in July of 2025. At least three other states have passed privacy laws that will go into effect in 2026.

To whom do the privacy laws apply?

The laws apply to entities that conduct business in a given state or produce products or services targeted towards residents of a given state. It is immaterial where the business is based. The laws generally only apply to entities that control or process the personal data of a requisite number of consumers in a given state. Depending upon the state, this threshold is typically either 100,000 or 35,000 consumers annually. However, the threshold is lower if an entity derives more than 25% of its gross revenue from personal sales data. A few state privacy laws only apply to entities with an annual revenue greater than $25 million.

What rights do the privacy laws grant consumers?

The consumer rights granted by each law differ slightly, resulting in different consumer protections and different business obligations by state. However, in general, the laws grant consumers the right to:

  • Access information about the consumer’s personal data
  • Correct inaccuracies
  • Delete certain personal data
  • Opt-out of personal data sales and targeted advertising
  • Request personal data in a format that is portable and readily usable
  • Non-discrimination in processing data and exercising privacy rights

What obligations do the privacy laws impose on businesses?

The laws impose several obligations on entities that control or process data. These obligations include, but are not limited to, the following:

  • Being transparent about the types of personal information they collect and how they use that information.
  • Only using personal information in accordance with the purposes disclosed in the company privacy policy that is available to consumers.
  • Ensuring reasonable data security to protect consumers’ personal data. In certain circumstances, businesses must conduct data protection impact assessments.

What should businesses do to comply?

Businesses should make sure that their privacy policies comply with the state privacy laws where they do business, being mindful of the fact that they may be subject to multiple states’ laws depending upon the locations and volume of their customers. Businesses should also start paying closer attention to the types of data they collect, process, and sell, and should implement internal processes for handling consumer rights requests. We will continue to monitor other pending state privacy laws.

What about Vermont?

In May of 2024, the Vermont Legislature passed a privacy bill. However, the bill was vetoed by Governor Phil Scott, in large part because the bill contained a private right of action whereby aggrieved individuals could sue companies directly. In March of 2025, the Vermont Senate passed a revised privacy bill, which no longer contains a private right of action. Instead, the bill follows the majority rule of granting the state’s attorney general exclusive enforcement authority. The bill would need to pass in the Vermont House of Representatives and be signed by Governor Scott before becoming law. As the legislative session comes to a close, the fate of Vermont’s privacy bill is still unknown.

Please contact Eleanor Moody (emoody@gravelshea.com), Chip Mason (cmason@gravelshea.com)

or Catherine Burke (cburke@gravelshea.com) at Gravel & Shea PC if you have questions or would like assistance.