Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Cybersecurity Law & StrategyPrivacyFeatures

Five State Privacy Laws Went Into Effect In 2025: Here’s What You Need to Know

By Coraleine Kitt
July 01, 2025

Five new state privacy laws took effect in January 2025 — Delaware (DPDPA), Iowa (ICDPA), Nebraska (NDPA), New Hampshire (NHPA), and New Jersey (NJDPA) — adding to the compliance maze for businesses operating across state lines. This latest wave of legislation creates a patchwork of requirements that include critical variations in three key areas: applicability thresholds, covered data categories and enforcement protocols.

Threshold variations alone present immediate compliance hurdles. Delaware casts the widest net, regulating businesses handling data of just 35,000 consumers (excluding payment data) — a standard that could ensnare regional retailers and mid-market SaaS providers. Iowa adopts a more conventional 100,000-consumer threshold, while New Jersey breaks from peer states by not providing a blanket exemption for employee or Business-to-Business (B2B) data. In contrast, Nebraska and New Hampshire exclude employee and B2B data, focusing instead on consumer data used in individual or household contexts. This lack of uniformity forces multistate operators to implement nuanced compliance matrices, as a business might be regulated in Delaware but exempt in Iowa despite identical operations. The operational implications are significant. Employers with multistate workforces must now reconcile New Jersey's inclusive approach with Nebraska and New Hampshire's B2B exemptions. Service providers face similar challenges when determining whether client engagements trigger compliance obligations. Comprehensive data mapping and tracking are legal necessities, as organizations must now track not just data categories but the precise residential jurisdictions of each data subject to properly assess their obligations.

This premium content is locked for Cybersecurity Law & Strategy subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
The DOJ's Corporate Enforcement Policy: One Year Later Image

The DOJ's Criminal Division issued three declinations since the issuance of the revised CEP a year ago. Review of these cases gives insight into DOJ's implementation of the new policy in practice.

Use of Deferred Prosecution Agreements In White Collar Investigations Image

This article discusses the practical and policy reasons for the use of DPAs and NPAs in white-collar criminal investigations, and considers the NDAA's new reporting provision and its relationship with other efforts to enhance transparency in DOJ decision-making.

The DOJ's New Parameters for Evaluating Corporate Compliance Programs Image

The parameters set forth in the DOJ's memorandum have implications not only for the government's evaluation of compliance programs in the context of criminal charging decisions, but also for how defense counsel structure their conference-room advocacy seeking declinations or lesser sanctions in both criminal and civil investigations.

Compliance Officers: Recent Regulatory Guidance and Enforcement Actions and Mitigating the Risk of Personal Liability Image

This article explores legal developments over the past year that may impact compliance officer personal liability.

Bankruptcy Sales: Finding a Diamond In the Rough Image

There is no efficient market for the sale of bankruptcy assets. Inefficient markets yield a transactional drag, potentially dampening the ability of debtors and trustees to maximize value for creditors. This article identifies ways in which investors may more easily discover bankruptcy asset sales.