
New State Privacy Laws Going into Effect in 2025: What You Need to Know

Key Takeaways

  • Seven new state privacy laws are set to take effect in 2025, including those in Iowa, Delaware, Florida, and Minnesota.
  • Youth data protection is expanding.
  • Tennessee introduces NIST-based safe harbor.
  • Maryland sets stricter limits on data use.
  • Colorado and California tighten compliance around dark patterns and data brokers.

The Patchwork of U.S. Privacy Laws

If you’ve been tracking U.S. privacy law, you already know that there’s no single national rulebook. Instead, we’re living in a growing mosaic of state-by-state legislation.

Some states aim for GDPR-style rights and transparency. Others focus narrowly on age-appropriate design or limiting targeted ads. Some carve out exceptions for small businesses or nonprofits. We’ve created a vibrant diversity of approaches, often overlapping, sometimes conflicting, and always evolving.

In 2025, that patchwork quilt is slowly covering more of the United States.

Several states are launching brand-new state privacy laws this year. Others are layering in amendments that redefine compliance obligations, especially around youth data protections, dark patterns, and data broker accountability. 


Explainer: Why States Are Moving Faster Than Congress

It’s worth stepping back to ask: Why has the U.S. defaulted to a state-led model at all?

In short, federal privacy efforts remain gridlocked. While frameworks like the American Data Privacy Protection Act (ADPPA) have circulated in Congress, they’ve failed to gain traction, largely due to conflicts over state preemption and private rights of action.

Meanwhile, state legislatures have found ways to act faster. State data security laws have become the de facto national standard, with businesses required to comply across jurisdictions, regardless of whether federal law ever materializes.

That state-first dynamic has only accelerated due to:

  • High-profile data breaches
  • Public concern over algorithmic influence
  • The rise of AI, geolocation tracking, and surveillance advertising

Privacy Laws Going Into Effect in 2025

These are the brand-new state privacy laws taking effect for the first time in 2025.

Iowa Consumer Data Protection Act (ICDPA)

Effective: January 1, 2025

Iowa’s new data protection law offers a clean, low-friction entry point into the privacy space. It grants standard rights, such as access, correction, deletion, and opt-out of sales, but deliberately avoids some of the operational burdens seen in other states.

For example, it doesn’t require data protection assessments or the honoring of universal opt-out signals. This positions Iowa as part of a quieter wave of states opting for minimalist, business-friendly frameworks. It’s not meant to break new ground but rather to create baseline protections that are politically palatable and easy to implement. These lighter-touch models often act as a signal of what’s possible in more moderate legislatures.

At a glance:
  • No data protection assessments
  • No universal opt-out requirements
  • Exempts employee and de-identified data

Delaware Personal Data Privacy Act

Effective: January 1, 2025

Delaware’s law stands out for its aggressive stance on youth data. While many laws only apply special protections to children under 13, Delaware extends safeguards to anyone under 18, pushing the conversation from child privacy to teen protection. It also applies broadly, including small and midsize businesses, with no revenue-based exemption. 

Delaware may not make headlines like California or Colorado, but it reflects a meaningful trend: states are starting to legislate not just for data rights, but for age-based digital dignity.

What makes it different:
  • Youth protections apply up to the age of 18
  • No small-business exemption
  • Explicit restrictions on profiling and sensitive data use

Florida Digital Bill of Rights (FDBR)

Enforced: January 1, 2025

Florida’s law is narrowly designed, targeting Big Tech companies with more than $1 billion in global revenue. While this limits its direct applicability, the law addresses politically charged issues, including algorithmic transparency, parental rights, and digital surveillance by government actors. It’s less about consumer rights in general and more about reining in the perceived overreach of dominant online platforms. Laws like this often serve a dual role: as policy and as a political statement. This one definitely represents the state’s cultural and ideological stance on the role of technology in society.

Highlights:
  • This applies only to Big Tech
  • Bans warrantless government surveillance
  • Requires algorithmic and parental control disclosures

Tennessee Information Protection Act (TIPA)

Effective: July 1, 2025

TIPA takes a novel approach by integrating data privacy compliance with cybersecurity maturity. Rather than just mandating consumer rights or providing opt-out buttons, it offers a legal safe harbor to companies that maintain a written privacy program aligned with NIST or similar frameworks.

This is a significant step toward risk-based regulation, where companies aren’t just judged on static policies but on the strength of their actual operational controls. It’s a sign that privacy is moving out of legal departments and into enterprise risk and GRC programs, especially in states prioritizing pragmatic governance.

Key features:

  • Safe harbor for NIST-aligned programs
  • Risk-based rather than checkbox compliance
  • Includes standard access and deletion rights

Minnesota Consumer Data Privacy Act

Effective: July 31, 2025

Minnesota brings a more consumer-centric vision, requiring companies to honor universal opt-out mechanisms, such as the Global Privacy Control. It also applies to nonprofits, unlike many of its predecessors. These design choices indicate a broader shift in privacy thinking, from merely notifying consumers to actually reducing friction and defaulting to protection.

You should know:
  • Mandatory recognition of browser opt-out signals
  • This applies to nonprofit organizations
  • Data minimization and consent rules included

Maryland Online Data Privacy Act

Effective: November 1, 2025

Maryland’s law is among the most aggressive yet, moving beyond consumer access rights into the realm of purpose limitation and use restriction. It requires businesses to collect only the data they actually need, clearly state the reason, and avoid secondary uses without explicit permission. Profiling is heavily restricted, and companies must honor universal opt-out signals. 

Maryland is part of a growing movement toward substantive restrictions with actual limitations on what businesses can do with personal data, regardless of user specifications. This reflects a rising expectation that companies will practice data restraint by default, not just disclosure.

Core principles:
  • Purpose and use limitation at its core
  • Profiling is restricted unless opt-in
  • Universal opt-out signals required

Amended Privacy Laws Taking Effect in 2025

Several states are tightening their existing privacy laws, particularly to address minors, ad tech, and automated decision-making.

Colorado SB 41 (Amendment to CPA)

Effective: July 1, 2025

Colorado already had one of the strongest privacy laws in the U.S., but with SB 41, it’s now leading the charge in new data protection regulation for teens.

Key updates:
  • Bans profiling and targeted ads for users under 13 without consent
  • Requires opt-in for teens aged 13–15
  • Bars use of dark patterns to obtain consent
  • Clarifies “sensitive data” and strengthens disclosure rules

This amendment draws directly from regulatory trends around AI, youth safety, and ad targeting. It’s also a prime example of a state revisiting its initial law to respond to real-world concerns.

California Delete Act

Implementation: Throughout 2025
Enforcement: January 1, 2026

Passed in 2023, the Delete Act is California’s answer to data broker opacity. The law will require the CPPA to build a one-stop-shop portal where consumers can request deletion from all registered data brokers in the state.

What’s happening now:
  • Data brokers must register annually
  • The CPPA is actively developing the deletion mechanism
  • Enforcement is coming, but implementation is already shaping policy and vendor workflows

Practical tip: Even if your business isn’t a broker, the Delete Act sets the tone for how centralized deletion requests could roll out nationwide.

What You Should Be Doing Now

If you’re operating in multiple states, your compliance strategy can’t be one-size-fits-all. Here’s how to adapt:

1. Audit Your State Exposure

  • Which laws are already in effect where you operate?
  • Which ones will apply later this year or next?

2. Review Youth and Consent Mechanisms

  • Do you need to implement age-gating, parental consent, or teen-specific opt-ins?
  • Are your cookie banners or modals clear, or could they be seen as dark patterns?

3. Update Your Data Broker Policies

  • Are you selling or sharing data with third parties?
  • Are you listed as a broker in CA, TX, or other states requiring registration?

4. Leverage NIST and Risk Frameworks

  • If you’re subject to Tennessee’s law, map your program to an accepted framework like NIST 800-53 or the NIST Privacy Framework to gain safe harbor protections.

5. Prepare for Deletion-at-Scale

  • As the Delete Act rolls out, centralized deletion will become the norm.
  • Make sure you have data lifecycle policies in place to accommodate bulk requests.

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days


Looking to learn more about New State Privacy Laws?


Looking Ahead to 2026

Indiana Consumer Data Protection Act

Effective: January 1, 2026

Indiana’s law follows the now-familiar structure of consumer rights, data controller obligations, and opt-outs for targeted ads and sales. It also includes data protection assessment requirements, placing it closer to Colorado in maturity expectations.

Kentucky Consumer Data Privacy Act

Effective: January 1, 2026

Kentucky’s new law mirrors Virginia’s model, offering access, correction, deletion, and opt-out rights. It doesn’t go as far as California or Colorado, with no mandatory assessments and no universal opt-out signal requirements, making it relatively easy to implement for most businesses.

Rhode Island Data Transparency and Privacy Protection Act

Effective: January 1, 2026

Rhode Island emphasizes clear disclosures and opt-out options but avoids the heavier operational rules seen in some other states. It’s another example of a notice-and-choice law aimed at basic consumer control without excessive complexity.

New York SAFE for Kids Act + Child Data Protection Act

Effective: TBD (likely late 2025–early 2026)

Restricts algorithmic feeds for minors and limits data sharing; awaiting final AG regulations.

Arkansas CTOPPA (Children and Teens Online Privacy Protection Act)

Effective: July 1, 2026

Requires default-safe settings, limited data collection, and youth-specific design controls.

Nebraska Parental Rights in Social Media Act

Effective: July 1, 2026

Platforms must obtain parental consent for users under 18 and implement robust age verification procedures.

Centraleyes Privacy Framework

With numerous state privacy laws taking effect and more on the way, it’s no surprise that teams are struggling to keep up. Each law brings its own nuances, timelines, and terminology, but they’re not as different as they seem. Beneath the surface, many share common principles: transparency, user rights, consent, risk awareness, and purpose limitation.

At Centraleyes, we’ve built a Centraleyes Privacy Framework that helps bring those threads together.

It’s designed to highlight the overlaps, streamline your workflows, and make multi-state compliance a little less… patchy. Whether you’re preparing for new laws in Minnesota and Maryland or revisiting your controls for older ones, we’re happy to be part of your privacy toolkit, helping you manage it all from one place, with a little more clarity.

The patchwork may be here to stay, but who said you have to stitch it together by hand?

FAQs

1. Which states require universal opt-out signals in 2025?

California, Colorado, Connecticut, Delaware, Montana, Texas, Oregon, Maryland (Nov), and Minnesota (July 31) all require businesses to honor browser-based opt-out signals like Global Privacy Control.

2. Which states apply privacy laws to nonprofits?

Minnesota and Colorado both include nonprofit organizations in the scope of their privacy laws, unlike most others that exempt them.

3. Which states require data protection assessments?

Colorado, Connecticut, Oregon, Virginia, and Indiana (as of 2026) mandate privacy impact or risk assessments for specific processing activities.

4. Is Vermont’s new privacy law going into effect in 2025?

Yes. Vermont’s Data Privacy Act is set to go into effect on July 1, 2025. However, its private right of action doesn’t begin until 2027. The law includes provisions related to age-appropriate design and the processing of sensitive data.

5. Are there any new laws in 2025 that focus specifically on data brokers?

Yes. The California Delete Act is being implemented throughout 2025, with enforcement beginning in 2026. It requires the state to build a centralized portal allowing consumers to delete their data from all registered data brokers with a single request.

6. Why do some state privacy laws follow an opt-in model while others use opt-out?

This difference reflects the fragmented nature of U.S. privacy law. States like Colorado and Connecticut have adopted opt-in requirements for sensitive data or teen profiling, while others, such as California and Iowa, lean more heavily on opt-out models. Businesses operating across states need to support both approaches.


The post New State Privacy Laws Going into Effect in 2025: What You Need to Know appeared first on Centraleyes.

*** This is a Security Bloggers Network syndicated blog from Centraleyes authored by Rebecca Kappel. Read the original post at: https://www.centraleyes.com/new-state-privacy-laws-going-into-effect-in-2025-what-you-need-to-know/