Ready for 2025? Your Data Privacy New Year’s Resolution

The arrival of 2025 marks a pivotal year in privacy compliance. In 2025, a total of 18 state privacy laws will be in effect, bringing new regulations and updates that organizations must prepare to navigate. To get ahead of these changes and ensure your organization is prepared, think of this as your “New Year, New Privacy Law” resolution, broken down into achievable goals each quarter.

Here’s a quick look at the new and updated laws coming into effect in 2025 and how you can prepare:

Q1: Get Ready for January 1st Changes

The first quarter of 2025 is a busy one for privacy professionals, with five states implementing comprehensive new privacy laws.

New Laws Taking Effect:

• Delaware Personal Data Privacy Act (January 1, 2025)
• Iowa Consumer Data Protection Act (January 1, 2025)
• Nebraska Data Privacy Act (January 1, 2025)
• New Hampshire Privacy Act (January 1, 2025)
• New Jersey Privacy Law (January 15, 2025)

Your Q1 Checklist:

• Assess Applicability: With these five laws going into effect right at the start of the year, determine whether your organization is subject to these laws based on residency thresholds, revenue, or data processing criteria. Check out our Guide to State Privacy Laws for a breakdown of each state law’s key components and how they impact your business. 
• Revise Privacy Notices: Ensure your privacy policies align with each law’s requirements, such as data subject rights, data processing disclosures, and opt-out rights. Delaware’s new right to obtain a list of third-party categories requires specific disclosures.
• Consider Exemptions: Nonprofits and higher education institutions are not exempt under Delaware and New Jersey, although Delaware includes certain exceptions for nonprofit organizations serving victims of sensitive crimes.
• Perform PIAs: Be mindful of nuances. Iowa does not require Privacy Impact Assessments (PIAs), but Delaware’s thresholds require them for controllers processing data of at least 100,000 consumers. New Jersey mandates PIAs before initiating processing activities.

Q2: Strengthen Your Privacy Program and Look to Mid-Year Changes

As you enter the second quarter, you’ll need to shift focus to maintaining and strengthening your compliance posture, particularly with laws that come into effect mid-year.

Upcoming Laws Taking Effect:

• Tennessee Information Protection Act (July 1, 2025)
• Minnesota Consumer Data Privacy Act (July 31, 2025)

Your Q2 Checklist:

• Prepare for State Specific Requirements:
  • Minnesota’s law mandates data inventories—a strict requirement that sets it apart from other state laws.
  • Tennessee exempts state-licensed insurance companies but introduces a generous 60-day cure period.
• Leverage Legal Protections: Tennessee introduces an affirmative defense for businesses adhering to the U.S. National Institute of Standards and Technology’s (NIST) Privacy Framework, allowing them to defend against legal claims by demonstrating they’ve taken reasonable steps to protect consumer data. 
• Strengthen Data Processing Systems: Ensure your data intake, processing, and storage systems align with the new rights and obligations under Tennessee and Minnesota.
• Train Your Teams: Ensure staff are equipped to handle requirements like data mapping (required in Minnesota) and consumer rights requests.

Q3: Ensure Compliance for the Fall and Start Preparing for 2026

Heading into Q3, the legislative calendar gets quieter, but preparation remains essential. With your privacy program running smoothly, fine-tune compliance processes and prepare for upcoming changes.

Upcoming Law Taking Effect:

• Maryland Online Data Privacy Act (October 1, 2025)

Your Q3 Checklist:

• Perform Internal Audits: Identify gaps in compliance with laws already in effect and implement corrective measures.
• Understand Maryland’s Unique Provisions:

• • Revenue Threshold: The Maryland Online Data Privacy Act (MODPA) applies to entities processing data for a) at least 35,000 consumers, or b) control or process the personal data of at least 10,000 consumers and derive more than 20% of gross revenue from the sale of personal data.This 20% gross threshold is lower than most other U.S. state privacy laws, making it relevant for a broader set of organizations.

• • Sensitive Data: Controllers can only collect, process, or share sensitive data when strictly necessary to provide or maintain a requested product or service. The law prohibits the sale of sensitive data entirely.

• • Consent Revocation: Under MODPA, if a consumer withdraws their consent, you must stop processing their data within 30 days.

• • Algorithmic Impact Assessments: MODPA requires businesses to conduct Data Processing Assessments (DPAs) for any algorithmic activities that pose higher risks to consumers, ensuring transparency and accountability in AI and data practices.

• • Health Data Protections: Special requirements apply to the processing of consumer health data, so ensure that your organization is aware of and compliant with these heightened protections.

• Review Privacy Impact Assessments: Reassess PIAs for new data processing activities initiated since the start of the year.

Q4: Audit and Get Ready for 2026

The final quarter of 2025 focuses on wrapping up compliance for the year and planning for 2026.

Your Q4 Checklist:

1. Conduct Year-End Reviews: Perform a comprehensive review of your compliance efforts to ensure full implementation of laws from Delaware, Iowa, New Jersey, Tennessee, Minnesota, and Maryland. 
2. Look Ahead to 2026: Begin preparing for new privacy laws taking effect on January 1, 2026, such as the Indiana Consumer Data Protection Act, Kentucky Consumer Data Protection Act, and Rhode Island Data Transparency and Privacy Protection Act.
3. Maintain Ongoing Compliance: Regularly monitor for additional regulatory updates and refine your compliance processes accordingly.

Conclusion: The Year of Privacy Compliance

2025 is poised to be a year of both opportunity and challenge for privacy teams. From the sweeping changes of Delaware and New Jersey to the evolving requirements of Tennessee and Minnesota, your organization needs to be proactive, not reactive, to meet these new obligations head-on. By setting clear quarterly goals and addressing each law as it comes into effect, you’ll ensure that your privacy program remains both compliant and resilient.

To help you stay ahead, you can watch our recent virtual event on demand: How January’s 5 New Privacy Laws Will Change Data Privacy in 2025. Our panel of privacy experts shared crucial insights on what you need to know about these new laws, along with proven strategies for staying compliant as data privacy regulations continue to evolve.