On January 1, 2025, privacy legislation in Delaware, Nebraska, New Hampshire, and Iowa entered into effect, joining California, Texas, and Colorado among other US states that already have privacy laws in force. January will also see the entrance into effect of New Jersey's Act concerning commercial Internet websites, online services, consumers, and personally identifiable information (NJDPA) on the 15th of the month. OneTrust DataGuidance breaks down the key provisions of the five state privacy laws. General similaritiesAlthough there are distinct differences in the provisions of each law, similar principles related to data processing are given, including:data minimization: controllers must
Insight
USA: State privacy laws entering into effect in 2025
January 7, 2025
Summary
In January 2025, new privacy laws took effect in Delaware, Nebraska, New Hampshire, Iowa, and New Jersey, joining other US states with existing privacy legislation. These laws share common principles such as data minimization, purpose limitation, and confidentiality, but have unique provisions. Delaware's law, for example, requires opt-in consent for sensitive data and has a 60-day cure period for violations. Nebraska's law applies broadly and allows a 30-day cure period, while New Hampshire's law limits the right to confirm processing to protect trade secrets. Iowa's law does not address Data Protection Assessments (DPAs), and New Jersey's law includes financial information as sensitive data and requires a universal opt-out mechanism for targeted advertising by July 2025.