Past the Point of No Return: What U.S. Businesses Need to Know about Data Privacy for 2025
- Marc Shull
- Jan 15
Updated: Jun 16

As global use of data about individuals continues to expand, concerns over privacy have reached new heights. In response to growing fears due to data breaches, theft and misuse, and constant floundering by both houses of Congress on a rare bi-partisan issue, individual states in the U.S. continue to create an increasingly complicated web of data privacy laws to protect their residents, a web that will increase risk to businesses until there is a national law in place. Even if your business is not located in one of these states, if your customers are, your business will need to comply with these new regulations to avoid hefty fines and reputational damage.
As of January 2025, 34% of the U.S. population is protected by data privacy laws as five states’ new laws go into effect this month; another six states have laws that will go into effect at later dates, and four more have bills in the works. If all currently active bills are approved, 55% of the total U.S. population, from twenty-three states, will be protected by data privacy laws, making it nearly impossible for non-local businesses to avoid compliance obligations.
What’s Changing in 2025?
The number of U.S. states with data privacy laws being enforced will double in 2025 with the addition of Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee. Additionally, several states with existing data privacy laws have implemented updates, or have new enforcement rules or penalties going into effect in 2025.
Within the U.S., California has been a trailblazer for consumer data privacy, and being one of the largest economies in the world ($3.9 trillion GDP in 2023) it has been driving compliance as businesses want to maintain access to that market without falling afoul of the law. Not surprisingly, California’s CCPA updates for 2025 will keep it at the forefront of U.S. data privacy legislation. Key updates to the CCPA include:
- Express inclusion of generative AI systems, ensuring that the data privacy and protection obligations that govern data storage, processing, and use apply to Artificial Intelligence (AB 1008 text)
- An expanded definition of Sensitive Personal Data to cover neural data (SB 1223 text)
- Expanded opt-out rights associated with mergers, acquisitions, or other business transfers (AB 1824 text)

Consumer data privacy bills are at various stages in Michigan (SB 659 text), Ohio (HB 345 text), Oklahoma (HB 1012 text), and Pennsylvania (HB 1201 text). Of note, the current version of Michigan’s SB 659 no longer contains a private right of action. If the final version of the Michigan Personal Data Privacy Act (or any other state or national law) changes course to include this right, it will fundamentally alter the landscape of data privacy in the United States, as it will empower consumers with the right to directly seek civil damages from a business that violates their data privacy rights. Such empowerment of individuals will most likely lead to a significant increase in litigation, specifically class action lawsuits, against companies violating data privacy laws.
Where Do Things Stand in Each State?
Existing Legislation
The following laws have been passed and are already in effect:
- California (“CCPA”; text): The California Consumer Privacy Act of 2018 came into effect on January 1st, 2020. The California Privacy Rights Act (“CPRA”; text) went into full effect on January 1st, 2023. The CPRA expands on the rights protected under the CCPA, closing most of the gap between the CCPA and the GDPR. Compared to regulations in other U.S. states, the CCPA and CPRA grant California residents significantly more control over their personal data and require the highest level of compliance by those processing their data within the U.S.
- Virginia (SB 1392; text): The Virginia Consumer Data Protection Act went into effect on Jan. 1st, 2023.
- Colorado (SB 21-190; text): The Colorado Privacy Act is effective as of July 1st, 2023.
- Connecticut (SB 6; text): The Connecticut Data Privacy Act is effective as of July 1st, 2023.
- Utah (SB 227; text): The Utah Consumer Privacy Act is effective as of December 31st, 2023.
- Montana (SB0384; text): The Montana Consumer Data Privacy Act is effective as of October 1st, 2024.
- Oregon (SB0619; text): The Oregon Consumer Privacy Act is effective as of July 1st, 2024.
- Texas (HB4; text): The Texas Data Privacy and Security Act is effective as of July 1st, 2024.
New Legislation in 2025
The following laws have been enacted and will go into effect starting in 2025:
- Delaware (HB 154; text): The Delaware Personal Data Privacy Act is effective as of January 1st, 2025.
- Iowa (SF 262; text): The Iowa Consumer Data Protection Act is effective as of January 1st, 2025.
- Nebraska (LB 1074; text): The Nebraska Data Privacy Act is effective as of January 1st, 2025.
- New Hampshire (SB 255; text): The New Hampshire Privacy Act is effective as of January 1st, 2025.
- New Jersey (SB 332; text): The New Jersey Data Protection Act is effective as of January 15th, 2025.
- Tennessee (HB 1181; text): The Tennessee Information Protection Act is effective as of July 1st, 2025.
- Minnesota (HF4757; text): The Minnesota Consumer Data Privacy Act is effective as of July 31st, 2025.
- Maryland (SB 541; text): The Maryland Online Data Privacy Act is effective as of October 1st, 2025.
New Legislation in 2026
The following laws have been enacted and will go into effect starting in 2026:
- Indiana (SB 5; text): The Indiana Consumer Data Protection Act is effective as of January 1st, 2026.
- Kentucky (HB 15; text): The Kentucky Consumer Data Protection Act is effective as of January 1st, 2026.
- Rhode Island (H 7787; text): The Rhode Island Data Transparency and Privacy Protection Act is effective as of January 1st, 2026.
What Businesses Need To Know
Complexity and Costs Are Increasing. Data privacy compliance complexity is increasing dramatically, leading to higher operational costs. This will continue until a harmonizing national data privacy law is passed in the U.S., similar to how the GDPR brought the EU/EEA under one law. The costs of complying with these new data privacy regulations will not be insignificant, but are significantly lower than the potential penalties and the damage to brand reputations for non-compliance. Businesses will need to invest in technical, organizational, and contractual mechanisms to achieve compliance.
Risk of Fines Increasing: As businesses juggle compliance with more and more laws, all of which are different, the likelihood of a violation is increasing. Businesses that fail to comply with these new regulations face the risk of severe penalties (up to $750 “per consumer per incident or actual damage” under CCPA). If you multiply your customer or email database by $173 per record (the average cost per record for a data breach according to IBM), investing in compliance is easy to justify.
Compliance is Not Just a Legal Issue. Compliance has become a consumer trust issue as data breaches and privacy violations damage brand reputations. Consumer expectations about how their data should be protected and used by businesses have shifted: “80% of impacted consumers said they are likely to stop doing business with a company after it is the victim of a cyberattack” according to the IAPP. Additionally, depriving consumers of rights granted to others, solely because they live in a state without data privacy protections, creates an inconsistent, avoidable, and poor consumer experience, so businesses need to consider how to best address this (hint: respect all data subjects and their rights requests as if they did have data privacy rights).
Business Growth Opportunities At Risk: Non-compliance with, or violations of, data privacy laws are deal killers for risk-averse business prospects and investors. The top ten largest economies in the world all have data privacy laws in place, as do nearly all “developed” countries, so compliance has become table stakes for all multi-national businesses.
This is a Bi-Partisan Issue. Bills have been introduced in both houses of Congress by both political parties in recent years, and states across the political spectrum have enacted data privacy laws, from Texas to California. A national law is most likely either to mirror the most stringent U.S. laws (i.e. California’s CCPA/CPRA), better aligning with the EU and the U.K. and simplifying consumers’ and businesses’ understanding of their obligations and rights, or to follow the Virginia model while allowing states with more stringent requirements to supersede the national law.
Preparing for the Future Yesterday
As we move into 2025, businesses need to implement contractual, technical, and organizational mechanisms to ensure they are in full compliance with the new and existing data privacy laws. Whether you are just getting started or need to take the next steps, businesses should:
- Only invest in technology that supports your business’s data privacy and protection obligations
- Update privacy policies, cookie policies, consent terms, and other policies and processes that support compliance
- Implement staff training on information security and personal data handling
- Hire a Data Privacy Officer (as applicable) and identify a Data Protection Authority
- Evaluate processor and sub-processor compliance, update agreements, and create a Data Processing Agreement specific to your business (as applicable)
- Conduct a data privacy impact assessment (“DPIA”) to determine the risk to your business and enact mitigating actions
- Audit your data assets, and delete all personal data that is no longer needed or does not have a legal basis for continued processing
- Create and implement a data classification system
- Collect affirmative re-consent where required
- Establish a data subjects’ rights request process
- Verify your business is properly recording processing activities
- Draft or review breach protocols to verify compliance
- Implement privacy by design concepts

While the data privacy regulatory landscape will continue to evolve, the key takeaway for businesses in 2025 is that privacy is not optional—it’s an essential part of the customer experience and corporate responsibility.
The continuing changes to U.S. data privacy laws are fundamentally reshaping how businesses collect, manage, and protect consumer information. Those who adapt early will be far more likely to avoid penalties and better position themselves as leaders in consumer trust and privacy, while those who delay may find themselves facing significant financial and reputational costs.
To find out more about our Data Privacy Services, email us at info@mkt-iq.com.
The contents of this blog are not legal advice.