
The Patchwork of Comprehensive State Privacy Laws is Expanding in 2025

In the absence of a comprehensive federal privacy law, the number of states with their own data privacy laws continues to increase. In 2025, this number will reach 19 with the addition of eight new states. Iowa, Delaware, Nebraska, New Hampshire, and New Jersey's laws took effect in January 2025. Tennessee and Minnesota's laws will follow in July 2025, and Maryland's in October 2025.

Each of the laws taking effect this year incorporates core components of other existing comprehensive state privacy laws while also introducing unique requirements, further highlighting the patchwork nature of state-level privacy regulations and the compliance challenges facing covered organizations.

Key provisions across these laws include:

Consumer Rights:

  • Each state privacy law grants individuals the right to access their data.
  • Nearly all, with the exception of Iowa, also provide for the right to correct and delete personal data, as well as the right to opt out of data sales and certain types of processing.

Business Obligations:

  • The new comprehensive state privacy laws join the existing ones in requiring the organizations subject to them to provide privacy notices to consumers and to place limits on the types of data collected.
  • This year, organizations will also be required to recognize universal opt-out mechanisms that enable individuals to automatically exercise privacy rights across the internet in states including Nebraska, Minnesota, New Jersey, and Maryland.

Heightened Protections for Sensitive Information: 

  • Each state law recognizes a requirement for increased protections for sensitive categories of information.
  • There is unanimity among them for categories like racial or ethnic origin, citizenship status, religious beliefs, and sexual orientation.
  • Beyond that, states differ on what is covered. For example, California and New Jersey are currently the only states with privacy laws that consider finance-related data to be “sensitive” information.

Thresholds:

  • The patchwork nature of the laws is most evident when it comes to the thresholds for applicability of the laws in each state.
  • In Tennessee, an entity wouldn't be subject to the state's law unless it was collecting or processing data from 175,000+ consumers, or 25,000 if the entity was also making more than half of its revenue from selling data.
  • At the other end of the spectrum, Nebraska's new law has no minimum threshold and applies to non-exempt entities controlling any amount of personal data.

As of now, there is no federal privacy law on the horizon. However, several additional state legislatures are considering comprehensive privacy laws for future adoption. In 2022, online retailer Sephora settled with the California Attorney General for $1.2 million for alleged breaches of the California Consumer Privacy Act of 2018, which was the first comprehensive state privacy law passed in the United States. 

While states continue to contribute more and more fabric to the patchwork of U.S. privacy laws, organizations must be mindful of their obligations under these laws. It is only a matter of time before states impose fines on additional organizations for failure to comply with these new data privacy laws.
