The Surge of U.S. State Privacy Laws in 2025: What It Means for Privacy Pros
If you’re studying for CIPP/US or working in privacy in 2025, you’ve probably noticed a tidal wave of new state privacy laws. In 2025 alone, eight U.S. state data privacy laws take effect, dramatically expanding consumers’ rights and companies’ obligations. On January 1, 2025, Iowa, Delaware, Nebraska, and New Hampshire’s new privacy statutes kicked in, followed by New Jersey’s on January 15. Come mid-year, Tennessee’s law takes effect July 1, and Oregon’s law, which started in 2024 for businesses, extends to non-profits on the same day. Minnesota joins the club on July 31, 2025, and Maryland rounds out the year with its law effective October 1. It’s a surge indeed; by the end of 2025, over a dozen states will have comprehensive privacy laws, creating a complex patchwork for organizations to navigate.
New consumer rights and unique twists:
Most of these laws follow a similar template (think rights to access, delete, correct data, and opt out of selling or sharing data). But there are some standout features. Minnesota, for example, goes further by giving people the right to learn the reasons behind automated decisions (profiling) that affect them and even how to seek a different outcome in the future. Minnesota and Oregon also introduce a transparency right: consumers can ask for a list of specific third parties their data was shared with, not just categories. This granular “who got my data?” right is new, as earlier laws like California’s only require disclosing categories. On the flip side, Iowa’s law is a bit more limited; it omits certain rights like correcting data or opting out of profiling, showing that not all state laws are created equal.
Notable provisions in Oregon, Nebraska, and others:
Oregon made headlines by including non-profits in its privacy law’s scope. Most states exempt charities and non-profits, but Oregon simply gave them an extra year to comply. This means even organizations like universities or hospitals (if not already under HIPAA) must play by Oregon’s privacy rules starting in mid-2025. Nebraska took a different approach; its law applies to all businesses handling Nebraskans’ personal data, regardless of size or volume (with a narrow small-business exception). That’s unusual since most state laws kick in only if a company processes data on tens of thousands of people or meets a revenue threshold. Meanwhile, Maryland’s new law gets stricter about data use: it requires that companies only collect what is “reasonably necessary and proportionate” for the service they provide. It even outright bans selling sensitive personal data (like health, biometrics) at all. These kinds of provisions, tougher than earlier laws, hint at a trend of increasing rigor in privacy standards.
Implications for the CIPP/US community:
For U.S. privacy professionals and certification candidates, this state law surge means more to learn and adapt to. The CIPP/US exam traditionally focused on federal laws (like HIPAA, GLBA, COPPA) and a couple of big state laws (like CCPA). Now, with a patchwork of state privacy regimes, professionals need at least a working knowledge of how these laws overlap and differ. Expect to see more exam prep content and questions on state law nuances, such as which states grant which rights, or how definitions vary. In practice, privacy teams are updating policies and compliance programs to address these new laws in parallel. The good news is the core principles (transparency, user rights, data security) are similar across states, so you don’t need to reinvent the wheel for each one. Still, keeping track of the differences, like Minnesota’s extra rights or Tennessee’s applicability only to larger companies, is now part of the job. Ultimately, the wave of state laws in 2025 underscores that privacy in the U.S. is rapidly evolving. For privacy pros, staying informed is essential. It’s an exciting (if slightly overwhelming) time, a strong reminder of why we stay sharp through CIPP/US training and continuous learning in the field.
