2025’s Wave of U.S. Privacy Laws
November 20, 2024
As we approach 2025, we prepare to welcome a wave of new U.S. state privacy laws. On January 1, 2025, Iowa’s Act relating to Consumer Data Protection (Iowa CDPA), the Delaware Personal Data Privacy Act (DPDPA), the Nebraska Data Privacy Act (NDPA), and New Hampshire’s Act relative to the Expectation of Privacy (NHPA) will become effective. Shortly thereafter, on January 15, 2025, New Jersey’s Act Concerning Online Services, Consumers, and Personal Data (NJDPA) will become effective. Then, on July 1, 2025, the Tennessee Information Protection Act (TIPA) will take effect. Also on July 1, 2025, the Oregon Consumer Data Privacy Act (OCDPA) will take effect for non-profit organizations, a year after it took effect for other businesses subject to the law. The Minnesota Consumer Data Privacy Act (MNDPA) will take effect on July 31, 2025, with the exception that postsecondary institutions regulated by the Minnesota Office of Higher Education have until July 31, 2029 to comply. Finally, the Maryland Online Data Privacy Act (MODPA) will take effect on October 1, 2025. Businesses should act now to ensure they are prepared and organized for the additional regulation that 2025 will bring, especially businesses that previously have not been subject to these types of comprehensive privacy laws.
Generally, these state comprehensive privacy laws regulate businesses’ uses of personal data of their respective residents and provide increased consumer protections regarding such data. While these laws contain numerous nuances, below is a condensed list of particularly important activities each business subject to these laws will want to conduct in order to facilitate compliance before they take effect.
- Audit and review all data-related operations to map out what personal data your business has, how you collect and use it, who has access to it, and where you store it. If you have an existing data map, this would be a good time to update it.
- Review public-facing privacy policies and notices to ensure you disclose the proper information therein, including information about consumer rights, such as a consumer’s right to access, delete, and correct the consumer’s personal data and to opt out of certain information processing, as well as how to utilize those rights. Note that laws, such as the Iowa CDPA, may not offer consumers all of these rights. Other laws, such as the MNDPA, may offer consumers additional rights, such as the right to obtain a list of third parties to which personal data was disclosed or the right to obtain additional information with respect to profiling performed on personal data.
- Develop a sufficient method for obtaining consumer consent where required.
- Update data processing agreements with third-party contractors to include all necessary provisions and protections for your personal data.
- Evaluate technological and security controls to ensure adequate protection of your personal data.
- Consider whether it may be appropriate to comply with a particular privacy or security framework. For example, if a business voluntarily creates, maintains and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology’s privacy framework or a comparable privacy framework, then there is an affirmative defense to a cause of action for a TIPA violation.
- Implement procedures to handle consumer requests, including processes to receive and timely respond to requests and allow consumers to appeal your decisions, if required. If you already have these procedures in place, update them to account for other consumer rights provided by these new laws.
- Ensure adequate record keeping policies are in place to document compliance, including to ensure you delete personal data when you no longer need it.
- Conduct and document data protection assessments as necessary, such as to engage in targeted advertising or profiling.
There are additional considerations for businesses subject to these comprehensive privacy laws, and compliance can take substantial effort and time, even if a business is just updating its existing compliance regime. Because there is significant overlap between these laws, it may be more cost-effective and efficient for your business to review and update its data privacy practices in accordance with all of the applicable laws at once. Lewis Rice’s Data Protection group is well-versed in the compliance process and has developed resources to assist clients with reaching and maintaining compliance with these laws.
If you have any questions about complying with these laws or other data privacy laws, or need assistance reviewing your data privacy practices in anticipation of 2025’s wave of new laws, please contact one of our Data Protection attorneys. For more information, you can also check out the resources found on our U.S. State Privacy Laws page.