What to Expect for the U.S. Riding a New Wave of State Privacy Laws in 2025

The wave of new and updated U.S. state privacy laws is propelling the country towards stronger data protection standards as of January 2025. Evolving state laws are beginning to align with more seasoned privacy regulations of California and other jurisdictions worldwide, creating a unified and robust framework for data privacy.

Below are the U.S. state privacy laws that will become enforceable in 2025:

  1. Iowa’s Data Privacy Law – Effective January 1, 2025

  2. Delaware’s Personal Data Privacy Act – Effective January 1, 2025

  3. Nebraska’s Data Privacy Act – Effective January 1, 2025

  4. New Hampshire’s Privacy Act – Effective January 1, 2025

  5. New Jersey’s Data Privacy Law – Effective January 15, 2025

  6. Tennessee’s Information Protection Act – Effective July 1, 2025

  7. Minnesota’s Consumer Data Privacy Act – Effective July 15, 2025

  8. Maryland’s Online Data Privacy Act – Effective October 1, 2025

The 3 Applicability Thresholds

So, what do businesses need to understand regarding how these privacy laws will affect them?

Businesses must understand three thresholds when determining U.S. state law applicability: (1) the Jurisdictional Threshold, (2) the Data Processing Threshold, and (3) the Sale of Data Threshold.

1. Jurisdictional Threshold:

First and foremost, a business must determine the jurisdictional scope of a privacy law. There are two questions to ask yourself: (1) Do you conduct business in State X? and/or (2) Do you produce products or services that are targeted towards the residents of State X?

A business will pass the Jurisdictional Threshold if it answers yes to at least one of those questions.

Once jurisdictional applicability has been confirmed, a business then needs to meet either the Data Processing Threshold or the Sale of Data Threshold to determine if a state law is applicable to them.

2. Data Processing Threshold:

To meet the requirements of the Data Processing Threshold, a business must “control or process personal data of at least Y number of State X residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.” This is how most U.S. state laws outline data processing applicability. However, each state differs in its minimum requirement for the Y number of residents, which would trigger law applicability. The range starts as low as 35,000 for some states and as high as 100,000 for others, with some state exceptions.

If your business does not meet the Data Processing Threshold, the state law will apply only if the way you conduct your business and deal with consumer personal information meets the Sale of Data Threshold.

3. Sale of Data Threshold:

The last test a business must pass to determine if a U.S. state law applies to how they handle personal information is determining how much revenue they make from selling data. As outlined in most state privacy laws, the Sale of Data Threshold will apply to businesses that “control or process personal data of at least Y number of State residents and derive over Z% of gross revenue from the sale of personal data.”  

The minimum number of state residents (generally starting from 10,000 or 25,000) and the gross revenue percentage (generally starting at 25% or 50%) will vary by state, with some state exceptions.

A Practical Business Approach

While this new wave brings about enforced privacy laws to better unify the country’s approach to data protection, there still exists a tug of war when it comes to the underlying priorities of state laws. Based on the thresholds outlined above, some laws lean towards being more consumer-friendly (i.e. aligning with more data subject rights) while others are more business-friendly depending on how low a minimum threshold for applicability is set and how strict enforcement is.

For a practical business strategy, streamlining your approach by adhering to the most stringent privacy laws is a viable option for businesses operating across multiple states. This approach simplifies compliance and enables businesses to operate on uniform standards (i.e. a consistent set of policies and procedures and employee training) while also reducing risks for non-compliance and subsequent penalties.

Adhering to the strictest state privacy law also allows a company to “future-proof”. As more states adopt or update their privacy laws, compliance with the strictest standards positions businesses to adapt more easily to new regulations. This regimented approach can also help businesses align with international (and strict) privacy laws, such as the EU’s GDPR, which opens the door for global operations.

Action Items Moving Forward

Other than understanding the applicability of these laws to your business, there are a few general considerations to keep in mind when evaluating your business’ privacy program in relation to U.S. state privacy laws, including reviewing and updating the following:

  • Privacy notice

  • Contracts with your third parties

  • Data minimization

  • Policies and practices that sustain a comprehensive privacy program and enable fulfilling data subject rights (e.g. opt-out rights)

  • Privacy impact assessments

  • Privacy training

Consider these action items as you enter the year 2025 and assess the applicability of these laws and what they mean for the future of your business.

Keep an eye out for future Bamboo articles that will further outline U.S. state privacy laws and their rules and exceptions.
