Critical Things to Know About the 5 State Privacy Laws That Took Effect in January 2025

Flaster Greenberg PC
Reprinted with permission from the June 17, 2025 edition of The Legal Intelligencer. © 2025 ALM Global Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-256-2472 or asset-and-logo-licensing@alm.com.

Five new state privacy laws took effect in January 2025—Delaware (DPDPA), Iowa (ICDPA), Nebraska (NDPA), New Hampshire (NHPA), and New Jersey (NJDPA)—adding to the compliance maze for businesses operating across state lines. This latest wave of legislation creates a patchwork of requirements that include critical variations in three key areas: applicability thresholds, covered data categories and enforcement protocols.

Threshold variations alone present immediate compliance hurdles. Delaware casts the widest net, regulating businesses handling data of just 35,000 consumers (excluding payment data)—a standard that could ensnare regional retailers and mid-market SaaS providers. Iowa adopts a more conventional 100,000-consumer threshold, while New Jersey breaks from peer states by not providing a blanket exemption for employee or Business-to-Business (B2B) data. In contrast, Nebraska and New Hampshire exclude employee and B2B data, focusing instead on consumer data used in individual or household contexts. This lack of uniformity forces multistate operators to implement nuanced compliance matrices, as a business might be regulated in Delaware but exempt in Iowa despite identical operations. The operational implications are significant. Employers with multistate workforces must now reconcile New Jersey's inclusive approach with Nebraska and New Hampshire's B2B exemptions. Service providers face similar challenges when determining whether client engagements trigger compliance obligations. Comprehensive data mapping and tracking are legal necessities, as organizations must now track not just data categories but the precise residential jurisdictions of each data subject to properly assess their obligations.

Consumer rights provisions, though broadly aligned across the five states, reveal key operational differences. All laws grant rights to access, delete, correct, and port data, but response timelines vary: New Jersey and New Hampshire require action within 45 days, while Iowa allows 90 days, with differing rules for extensions. Opt-out requirements diverge as well. New Jersey, Nebraska, Delaware, and New Hampshire include profiling that produces legal or similarly significant effects, a feature absent in Iowa, which omits profiling entirely and limits opt-outs to targeted advertising and data sales (activities that may involve profiling but are not explicitly defined as such). New Jersey’s mandate to honor universal opt-out mechanisms (e.g., global privacy controls) within six months of its Jan. 15, 2025, effective date is particularly significant, as this requirement may influence other states. Businesses must prioritize flexible rights-management systems capable of accommodating these nuances while preparing for broader opt-out obligations.

Sensitive data and minors’ privacy introduce further variability. New Jersey defines sensitive data expansively, encompassing gender identity, union membership, all financial data, and government ID numbers. Delaware explicitly includes transgender status under sexual orientation and covers union membership, aligning with New Jersey but differing from the other states. Iowa excludes financial data, unlike Delaware and New Jersey, and does not explicitly include transgender status or union membership. Nebraska mirrors Iowa in omitting financial data but explicitly includes status as transgender or nonbinary. New Hampshire’s definition of sensitive data includes status as transgender or nonbinary, like Nebraska, and financial data, like Delaware and New Jersey. All five states mandate explicit consent for processing sensitive data and align with Children's Online Privacy Protection Act (COPPA) rules for minors under 13, while New Jersey goes further by requiring opt-in consent for teens aged 13–16. These distinctions demand advanced consent management platforms that can handle jurisdiction-specific requirements, alongside reliable age-verification tools to ensure compliance with minor-specific protections.

Vendor management emerges as another critical compliance hurdle. While all five states require formal controller-processor agreements, specifics vary. New Jersey mandates written subcontractor agreements, while Nebraska emphasizes post-service data deletion. Processors must assist with compliance efforts, including consumer request responses and risk assessments. Companies should audit vendor contracts to incorporate state-specific terms, potentially adopting centralized compliance platforms to streamline multijurisdictional management.

Risk assessment obligations pose additional operational burdens, particularly for high-risk data processing. Delaware and New Jersey require documented analyses balancing consumer risks against business benefits, with New Jersey reserving the right to request assessments during investigations. Standardized templates and centralized documentation repositories will be essential to demonstrate compliance during regulatory scrutiny.

Enforcement mechanisms, though uniformly led by state attorneys general, vary in severity. New Jersey permits a 30-day cure period for the first 18 months, with penalties up to $10,000 per violation thereafter, while Iowa allows 90 days to remedy violations. New Hampshire’s 60-day cure period expires at the end of 2025, after which the AG may impose penalties without warning. Delaware and Nebraska also provide cure periods—Delaware’s duration is unspecified, while Nebraska offers 30 days. While grace periods offer temporary relief, businesses should prioritize immediate compliance to mitigate penalties and reputational harm.

Forward-looking organizations will treat these laws as both a mandate and an opportunity to build trust through transparent data practices. Scalable compliance frameworks—particularly for consumer rights requests and universal opt-out mechanisms—are an essential component of an overall privacy compliance program. Investments in consent management tools and vendor contract overhauls will pay dividends, as will meticulous documentation, to preempt enforcement challenges. With the January 2025 laws in full effect and more states anticipated to follow suit, businesses that prioritize adaptability today will be best positioned to navigate the fragmented regulatory landscape ahead and significantly reduce their risk of potential enforcement action, penalties, and the negative publicity associated with these types of claims.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Flaster Greenberg PC
