Womble Perspectives
Welcome to Womble Perspectives, where we explore a wide range of topics from the latest legal updates to industry trends to the business of law. Our team of lawyers, professionals and occasional outside guests will take you through the most pressing issues facing businesses today and provide practical and actionable advice to help you navigate the ever-changing legal landscape. With a focus on innovation, collaboration and client service, we are committed to delivering exceptional value to our clients and to the communities we serve.
Womble Perspectives
Mastering U.S. State Privacy Laws: What to Know for 2025
Data privacy has evolved from being an IT afterthought to a business-critical priority. With consumers demanding greater control over their personal information, U.S. states continue to step up with new legislation—making 2025 a landmark year. Eight new state privacy laws are going into effect, joining existing frameworks like California’s CPRA. For businesses, 2025 brings both legal challenges and an opportunity to enhance trust and transparency.
Read the full article
…But Wait, There’s More!
About the authors
Kyle G. Kessler, CIPP/E
Christine Xiao, CIPP/US
Tyler Connor, CIPP/US
Welcome to Womble Perspectives, where we explore a wide range of topics, from the latest legal updates to industry trends to the business of law. Our team of lawyers, professionals and occasional outside guests will take you through the most pressing issues facing businesses today and provide practical and actionable advice to help you navigate the ever changing legal landscape.
With a focus on innovation, collaboration and client service. We are committed to delivering exceptional value to our clients and to the communities we serve. And now our latest episode.
Data privacy has evolved from being an IT afterthought to a business-critical priority. With consumers demanding greater control over their personal information, U.S. states continue to step up with new legislation—making 2025 a landmark year. Eight new state privacy laws are going into effect, joining existing frameworks like California’s CPRA. For businesses, 2025 brings both legal challenges and an opportunity to enhance trust and transparency.
Whether you’re a business owner, legal expert, or tech leader, staying ahead of these changes is key to navigating what could otherwise be a regulatory maze.
By 2025, eight additional states will implement new privacy legislation, marking a significant step forward in data protection across the U.S. Beginning January 1, Delaware will introduce the Personal Data Privacy Act, alongside Iowa’s Consumer Data Protection Act, Nebraska’s Data Privacy Act, and New Hampshire’s Privacy Act. Shortly after, New Jersey will follow with its Data Privacy Act, effective January 15. Later in the year, Tennessee’s Information Protection Act will take effect on July 1, while Minnesota’s Consumer Data Privacy Act will roll out on July 31.
Finally, Maryland will close the year of privacy advancements with the implementation of the Online Data Privacy Act on October 1. These laws highlight a growing commitment to safeguarding consumer data.
These laws build on existing frameworks like the California Privacy Rights Act, adding new nuances to the privacy landscape. For example, Delaware, New Hampshire, and Maryland introduce among the lowest processing thresholds (35,000 consumers' data) while Minnesota and Maryland extend their rules to include non-profits. While there are similarities across all states, businesses must pay close attention to state-specific differences.
State privacy laws across the U.S. share a number of similarities, many of which are inspired by frameworks like the CPRA, but they also feature key differences that make compliance a nuanced process. On common ground, most of these laws establish core consumer rights, such as the ability for individuals to access, delete, and correct their personal data, as well as to opt out of its sale. While data portability rights are generally included, the specifics can vary between states.
Transparency is another shared focus, with states requiring privacy notices that disclose the types of data collected, how it is shared, and provide clear mechanisms for opting out. Additionally, high-risk data activities, like processing sensitive information or engaging in profiling, often necessitate privacy assessments to evaluate potential risks.
However, the distinctions between state laws are equally important. For example, data processing thresholds differ significantly. Maryland, Delaware, and New Hampshire apply their laws to businesses processing data for as few as 35,000 state consumers, whereas states like Texas set the bar higher at 100,000 consumers. Some states, like Maryland and Minnesota, have taken the rare step of including non-profits within the scope of their privacy laws. When it comes to sensitive data, approaches vary widely. Maryland prohibits the sale of sensitive data outright, Nebraska requires opt-in consent for such activities, and Texas mandates clear notices.
These differences make it clear that a one-size-fits-all compliance strategy won’t work. Businesses must carefully navigate the nuances of each state’s laws to ensure proper adherence. Understanding both the commonalities and distinctions is crucial for effective compliance in this rapidly evolving regulatory landscape.
Here's a state-by-state breakdown of the unique features in these upcoming privacy laws
First up, Maryland's Online Data Privacy Act. Maryland introduces the strictest data minimization requirements. Businesses must prove processing is “reasonably necessary” for the service provided. This state also bans selling sensitive data, including children’s information for targeted ads.
Meanwhile, the Minnesota Consumer Data Privacy Act stands out for requiring transparency on profiling and third-party data disclosures. Consumers can even question profiling results that impact legal outcomes, adding an extra layer of accountability for AI-driven decisions.
Nebraska's Data Privacy Act takes a straightforward approach with thresholds similar to Texas. However, controllers must obtain explicit opt-in consent for sensitive data processing—a step stricter than many.
Following the trend of other states, the Tennessee Information Protection Act requires privacy assessments for any activities posing a "heightened risk of harm," such as targeted advertising or biometric data processing.
Finally, New Jersey has relatively standard provisions but emphasizes consumer rights management systems and efficient request processing as part of its compliance framework.
As businesses prepare for 2025, there are several key considerations to navigate the evolving landscape of state privacy laws. First, it’s essential to assess the applicability of these rules to your organization. This involves evaluating the types and volume of data you process to identify which state regulations apply. Pay close attention to states with unique thresholds, such as Maryland’s 35,000-consumer rule, or states that extend requirements to non-profits.
Another critical focus is data minimization. Certain states, like Maryland, mandate that businesses collect and process only what is necessary. To stay ahead, businesses should audit their practices early to ensure compliance with proportionality standards. In addition, aligning with consumer rights is vital, as all states grant rights to data access, correction, and deletion.
Thank you for listening to Womble Perspectives. If you want to learn more about the topics discussed in this episode, please visit The Show Notes, where you can find links to related resources mentioned today. The Show Notes also have more information about our attorneys who provided today's insights, including ways to reach out to them.
Don't forget to subscribe via your podcast player of choice so that you never miss an episode. Thank you again for listening.