The question of privacy is one of the foremost issues of the digital age. From our smartphones to our smart doorbells, we live in a world where many of us always have one foot in cyberspace. While this offers a host of conveniences, it also leaves us open to pervasive invasions of privacy. There have been a number of lawsuits in recent years alleging that these new technologies have infringed people’s right to privacy:

• In 2023, Amazon was fined $25.8 million over claims that the company violated the Children's Online Privacy Protection Act (COPA) when its Alexa voice assistant retained records of children's conversations with the device. 
• More recently, Google is facing a class-action lawsuit alleging that it collected users’ mobile device data without their content. 

Regulation could go a long way toward addressing these concerns, but the federal government is unlikely to act anytime soon. Faced with paralysis in Washington, many American states have taken it upon themselves to protect their residents by passing data privacy legislation. This article will look at some of the new laws that will come into force in 2025 and discuss tips for navigating these new regulatory realities.

Delaware Personal Data Privacy Act

When does it come into effect? 

January 1, 2025

Who does it apply to? 

Companies that do business in Delaware or produce products or services marketed to Delaware residents and–

• control or process the personal data of 35,000 or more Delaware consumers (though personal data controlled for the exclusive purpose of completing a payment transaction doesn’t apply); or 
• control or process the personal data of not less than 10,000 Delaware consumers and derive more than 20% of their gross revenue from the sale of personal data. 

What are a consumer’s rights under the act?

Consumers can–

• Ask whether a controller is processing their personal data and, if they are, access that data;
• Fix inaccurate information in their personal data;
• Ask for their personal data to be deleted;
• Obtain a copy of their personal data;
• Obtain a list of third parties that have been given access to their personal data;
• Opt out of processing their personal data for targeted advertisements or profiling.

What are the penalties for non-compliance?

A fine of up to $10,000 per violation, though until January 1, 2026 they will be able to fix the infraction within 60 days.

The Iowa Consumer Data Protection Act

When does it come into effect? 

January 1, 2025

Who does the act apply to?

Companies that do business in Iowa or produce products or services marketed to Iowa residents and–

• control or process the personal data of 100,000 or more Iowan consumers; or
• derive 50% or more of their revenue from the sale of personal data from at least 25,000 Iowan consumers. 

What are a consumer’s rights under the act?

Consumers can–

• Ask whether a controller is processing their personal data;
• Request the deletion of their personal data, though this is limited to data obtained from the consumer.
• Opt-out of the sale of their personal data.

What are the penalties for non-compliance?

A fine of up to $7,500, though they will always have 90 days to fix the violation.

Maryland Online Data Protection Act

When does it come into effect?

October 1, 2025

Who does the act apply to?

Companies that do business in Maryland or produce products or services marketed to Maryland residents and–

• control or process the personal data of 35,000 or more consumers (except for data collected solely for processing a payment transaction); or
• derive 20% or more of their revenue from the sale of personal data from at least 10,000 consumers. 

What are a consumer’s rights under the act?

Consumers can–

• Confirm the existence of their personal data and request a copy;
• Correct inaccuracies;
• Obtain a list of the categories of third-parties that have received the consumer’s personal data;
• Opt out of the use of their personal data for targeted advertising, sale, or profiling that could be used in legally significant ways.

What are the penalties for non-compliance?

Until April 1, 2027, the Attorney General of Maryland may allow controllers and processors 60 days to fix a breach of the law. Fines can be up to $10,000 per violation or $25,000 for each repeated violation.

Special restrictions

Maryland’s act also imposes some unusual restrictions, including–

• Controllers can’t collect, process, or share sensitive data (including race/ethnicity, religious belief, health data, sex life, status as transgender or nonbinary, or citizenship or immigration status) unless it’s strictly necessary to provide or maintain a product or service requested by the consumer.
• The sensitive data mentioned above cannot be sold.

For more about Maryland’s law, check out this post by Osano.

The Nebraska Data Privacy Act

When does it come into effect? 

January 1, 2025

Who does the act apply to?

Any entity that–

• does business in Nebraska or produces a good or service marketed to Nebraskans;
• processes or sells personal data; and
• is not a small business (as defined by the Small Business Administration).

What are a consumer’s rights under the act?

Consumers can–

• Ask whether a controller is processing their personal data;
• Fix inaccuracies in their personal data;
• Delete personal data that they provided, or was obtained about them;
• Obtain a copy of their personal data;
• Opt out of the processing of their personal data for targeted advertising, or the sale of personal data, or for profiling that could have a significant impact on the consumer.

What are the penalties for non-compliance?

A fine of up to $7,500, though they will always have 30 days to fix the violation.

The Tennessee Information Protection Act

When does it come into effect?

July 1, 2025

Who does the act apply to?

Organizations that–

• Exceed $25 million in revenue;
• Conducts business in Tennessee or provides products or services targeted at residents of the state.

In addition, they must also–

• Control or process the personal data of at least 175,000 consumers in a calendar year; or
• Control or process personal information of at least 25,000 consumers and derive more than 50% of their gross revenue from the sale of personal data.

What are a consumer’s rights under the act?

Consumers can–

• Confirm the existence of personal data held by a controller and request a copy of it;
• Fix inaccuracies in their personal data;
• Delete personal information provided by or about the consumer unless it’s aggregated or anonymized;
• Opt out of having their personal data processed for sale, targeted advertising, or profiling.

What are the penalties for non-compliance?

A fine of up to $7,500 per violation. Additionally, the consumer can be awarded triple damages if the breach is deemed intention. However, there will be a 60-day period in which the violation can be fixed.

Other states with data protection laws coming into effect this year include New Hampshire, New Jersey, and Minnesota. 

Impact on content distribution and curation

These new data privacy laws pose a number of challenges for companies. The architecture of the Web is built around the collection of personal data such as user analytics, subscriber information, or cookies. This means a wide range of organizations will likely be subject to these new regulations, and if they do business in multiple states, they will need to make sure they adhere to the rules of each jurisdiction. Compliance may require them to update their privacy policy, revise opt-in/opt-out mechanisms, or establish uniform data protection standards for all platforms where their content appears. Given the steep penalties imposed by many of these new regimes, it’s vital to get this right.

States are getting serious about data protection

With so many of us tethered to the Internet throughout the day, data privacy is an increasingly important issue. In the absence of US-wide legislation, individual states are taking it upon themselves to protect their citizens’ data. Unfortunately, this means a patchwork of different rules across the country. But while this may be frustrating for companies, individual consumers will (hopefully) benefit from having more control over the data that now plays an ever-more vital role in daily life.

‍