Data Privacy Laws in 2025: Current State & New Developments

Phil Pearce
First published March 19th, 2025
Last updated August 28th, 2025

As 2025 unfolds, data privacy is advancing with new regulations to reshape how organisations manage personal data. Before we examine the changes set to take effect, it’s worth understanding the foundation already in place.

Existing privacy laws have driven significant shifts in compliance and data handling practices across sectors, setting the stage for what’s next. In this discussion, we’ll explore the current state of data privacy laws and the new regulations coming into effect in 2025.


State of Data Privacy Laws Up to 2025

The United States has relied on a fragmented approach to data privacy so far. California led the way with the CCPA and CPRA, while states like Virginia and Colorado introduced their own laws. Without federal legislation, businesses faced challenges navigating varying state rules alongside sector-specific laws like HIPAA and COPPA.

Federal U.S. Data Privacy Laws

Despite many efforts, the United States has yet to establish a federal data privacy law. Instead, individual states have taken the lead, creating a patchwork of regulations that expands consumer protections but complicates compliance for businesses. Proposed laws like the ADPPA and APRA have attempted to address these gaps but remain unpassed.

With a new Republican administration led by Donald Trump set to take control of the White House and Congress in January 2025, it’s worth examining these proposals to evaluate their potential impact under the new leadership.

American Data Privacy and Protection Act (ADPPA)

Introduced in 2022, the ADPPA progressed further than any previous federal U.S. data privacy bill, securing bipartisan support with a 53-2 committee vote. However, it has failed to advance to the House or Senate floor. The ADPPA seeks to create a unified federal standard, preempting state laws while allowing enforcement by the FTC and state attorneys general.

Critics have highlighted concerns over its enforcement mechanisms and preemption provisions, particularly how they would impact stronger state laws like California’s CPRA. Despite its stalled progress, the ADPPA remains a blueprint for potential federal legislation.

American Privacy Rights Act (APRA)

The APRA proposal was introduced in April 2024 by Washington lawmakers Senator Maria Cantwell and Representative Cathy McMorris Rodgers. It aims to unify fragmented state laws under a single federal framework. It focuses on giving consumers control by requiring companies to collect less data, allow users to access and delete their information, and get explicit permission before using it.


The bill addresses key areas like targeted advertising, first-party data, and third-party cookies. The APRA takes inspiration from state laws like the CPRA, but its future is uncertain due to the struggles of past federal privacy bills. Even so, it shows a growing push for a unified national data privacy law.

US State Data Privacy Laws (Pre-2025)

In the absence of federal legislation, US states have created their own privacy laws, leading to a mixed and often inconsistent regulatory environment. These state-level frameworks share common themes of consumer rights, including data access, deletion, and opt-out rights.

US state privacy laws deadlines before 2024

However, they differ significantly in their scope, compliance requirements, and enforcement approaches. These laws have pushed businesses to adapt to varying compliance needs, creating challenges and opportunities simultaneously.

California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)

California led the way in state-level data privacy laws with its California Consumer Privacy Act (CCPA) and the amended California Privacy Rights Act (CPRA). These laws grant California residents significant control over personal data, including rights to access, delete, and correct information and limit sensitive data use.

Who must comply with CPRA

It applies to businesses that:

  1. Generate annual revenue exceeding $26.6 million (adjusted for 2025)
  2. Process data of 100,000+ California residents
  3. Derive 50%+ revenue from selling personal data

The CPRA, which took effect on January 1, 2023, further strengthened the CCPA by imposing additional requirements on businesses, including transparency in data collection and transfer practices.

CCPA vs CPRA differences

Note: The maximum penalty under the CPRA is $7,988 per intentional violation. Penalties double for violations involving minors’ data.

Update: The California Privacy Protection Agency (CPPA) handles audits, rulemaking (e.g., 2025 data broker registration mandates), and investigations, replacing the Attorney General as the primary enforcer. Businesses no longer receive an automatic 30-day cure period for violations.

Virginia Consumer Data Protection Act (VCDPA)

The VCDPA (Virginia Consumer Data Protection Act) was passed on March 2, 2021, and officially became effective on January 1, 2023. It grants Virginia residents rights to access, delete, and correct personal data. It applies to businesses that:

  1. Control or process the data of at least 100,000 Virginia residents, or
  2. Control or process the data of 25,000 or more residents and derive 50% or more of revenue from data sales.

User rights under VCDPA

Businesses under the VCDPA must provide clear privacy notices, allow users to opt out of targeted advertising, and obtain consent before processing sensitive data. Non-compliance can result in significant penalties. Enforcement is handled by the state attorney general, who may impose fines of up to $7,500 per violation.

Colorado Privacy Act (CPA)

The Colorado Privacy Act (CPA), which took effect on July 1, 2023, is intended to ensure that Colorado residents are treated fairly with respect to their data. It gives them several key rights, including the right to access, correct, and delete their data and to opt out of targeted advertising and data sales.

User rights under CPA

Businesses subject to the CPA must meet specific criteria: they must process the data of at least 100,000 Colorado residents, or derive revenue from the sale of data from 25,000 or more consumers. The CPA applies to both for-profit and nonprofit entities, giving it a broad scope.

CPA enforcer and scope

Note: Non-compliance with the CPA can incur penalties of up to $20,000 per violation.

Fines and age of consent of CPA

Connecticut Data Privacy Act (CTDPA)

Effective July 1, 2023, the Connecticut Data Privacy Act (CTDPA) became the state’s flagship privacy law, granting residents control over their personal data. Businesses must comply if they:

  1. Process data of 100,000+ Connecticut residents annually (excluding payment transaction data) or
  2. Handle data of 25,000+ residents and earn over 25% of revenue from selling personal information.

Enforcer and scope of CTDPA

Consumers gained the right to opt out of targeted advertising, data sales, and profiling. Unlike earlier laws, the CTDPA explicitly shields payment-related data, which is a relief for SMEs.

User rights of CTDPA

Enforcement Update: The CTDPA’s initial 60-day cure period, allowing companies to resolve violations, expired on December 31, 2024. As of 2025, noncompliance now carries penalties of up to $5,000 per violation, enforceable by the Connecticut Attorney General.

Fines and cure period of CTDPA

Utah Consumer Privacy Act (UCPA)

Enacted in March 2022, the Utah Consumer Privacy Act (UCPA) took effect on December 31, 2023, prioritising a balanced approach between consumer rights and business needs. It targets companies earning over $25 million annually that either:

  1. Process or control data of 100,000+ Utah residents, or
  2. Generate 50%+ of revenue from processing or controlling data of 25,000+ residents.

Enforcer and scope UCPA

Unlike stricter state laws, the UCPA applies broad exemptions for government agencies, nonprofits, healthcare (HIPAA) and financial (GLBA) data, and employee records.

Residents can access, delete, and opt out of data sales or targeted advertising. However, unlike other states, Utah does not grant rights to correct data or avoid automated profiling.

User rights under UCPA

Note: Utah’s privacy regulation maintains a permanent 30-day cure period for violations, allowing businesses to address compliance gaps without penalties. After this window, penalties may apply under Utah law.

Penalties and Cure period of UCPA

Oregon Consumer Privacy Act (OCPA)

Enacted on June 23, 2023, and operational since July 1, 2024, Oregon’s Consumer Privacy Act (OCPA) is one of the nation’s most rigorous privacy laws. Unlike many counterparts, it applies equally to for-profit and nonprofit entities, with nonprofits granted a delayed compliance deadline of July 1, 2025.

Businesses fall under OCPA if they process data of 100,000+ Oregon residents (excluding payment transactions) or handle data of 25,000+ residents while deriving 25%+ of revenue from data sales.

Oregon residents can access, correct, delete, and opt out of targeted advertising, data sales, and automated profiling. Unique to Oregon, consumers can request a list of specific third parties that received their data.

Scope and user rights under OCPA

The Oregon Attorney General holds exclusive enforcement authority. There is a 30-day violation cure period until January 1, 2026. After the deadline, penalties reach $7,500 per violation.

Penalties of OCPA

Note: The OCPA mandates explicit consent for processing sensitive data or targeting ads to teens aged 13–15.

Florida Digital Bill of Rights (FDBR)

Signed June 6, 2023, and effective July 1, 2024, Florida’s Digital Bill of Rights (FDBR) targets large tech enterprises with $1+ billion annual revenue that meet one of three criteria:

  1. Derive 50%+ revenue from online ads,
  2. Operate smart speaker/voice assistant services (e.g., Amazon Alexa), or
  3. Manage app stores with 250,000+ downloadable apps.

Enforcer and applicability of FDBR

Floridians have the right to access, correct, delete, and opt out of targeted ads, data sales, profiling, or biometric data collection (e.g., facial/voice recognition).

User rights under FDBR

The Florida Department of Legal Affairs holds exclusive enforcement authority. Violations risk $50,000 per incident, tripled for mishandling children’s data or ignoring opt-outs. The state may grant a 45-day cure period before penalties apply, but this is not guaranteed.

Fines and Cure period of FDBR

Exemptions: Nonprofits, government agencies, and entities regulated by HIPAA or GLBA fall outside the law’s scope.

Note: The FDBR uniquely restricts device surveillance features (e.g., inactive microphones/cameras) and mandates transparency in search engine ranking algorithms, emphasising accountability for tech giants.

Texas Data Privacy and Security Act (TDPSA)

Signed June 18, 2023, and effective July 1, 2024, the Texas Data Privacy and Security Act (TDPSA) applies broadly to any entity operating in Texas or providing products/services consumed by Texas residents. The main limit on its scope is a set of exemptions:

  1. Small businesses (as defined by the U.S. Small Business Administration), nonprofits, government agencies, and entities regulated by HIPAA or GLBA are exempt.

Applicability and rights under Texas's privacy law TDPSA

Texans gain rights to access, correct, delete, and opt out of data sales, targeted advertising, or profiling, though the law lacks a formal appeals process for denied requests. Organisations must obtain explicit consent for processing sensitive data (e.g., health, biometrics), respond to consumer requests within 45 days (extendable once with notice), and disclose potential sales of sensitive information via clear notices like “NOTICE: We may sell your sensitive data.”

Enforced solely by the Texas Attorney General, violations face penalties of $7,500 per incident. Unlike states with expiring grace periods, the law includes a permanent 30-day cure period to resolve issues. The law explicitly bans dark patterns designed to manipulate consent.

Enforcer and penalty for TDPSA

Update: Since January 1, 2025, the TDPSA has required businesses to recognise global opt-out signals. The law sets no revenue thresholds, prioritising flexibility for smaller businesses while holding large technology companies accountable.

Montana Consumer Data Privacy Act (MTCDPA)

With its signing on May 19, 2023, and effective implementation on October 1, 2024, the Montana Consumer Data Privacy Act (MTCDPA) is designed with fairness in mind, adopting a threshold-based approach for compliance that avoids imposing broad revenue mandates. Key scope criteria:

  1. Applies to for-profit businesses processing data of 50,000+ Montana residents (excluding payment transactions) or 25,000+ residents if 25%+ of revenue comes from data sales.
  2. Exempts nonprofits, government entities, and organizations regulated by HIPAA or GLBA.

Enforcer and applicability of MCDPA

Residents can access, correct, delete, and opt out of targeted ads, data sales, or profiling. Unique to Montana, businesses must honour universal opt-out signals (e.g., Global Privacy Control) starting January 1, 2025.

Rights of consumer under MCDPA

Businesses must obtain explicit consent for processing sensitive data (e.g., health diagnostics, biometrics) or the personal information of children under 13, with parental approval required for minors. They must respond to consumer requests within 45 days (extendable to 90 days) and conduct data protection assessments for high-risk activities like profiling or sensitive data use. The law explicitly bans dark patterns that trick users into consenting.

Penalties for MCDPA violation

Note: The Montana Attorney General is exclusively responsible for managing the MTCDPA. Violations receive a 60-day cure period until April 1, 2026. Post-deadline penalties apply, but the amounts aren’t codified. No private lawsuits are permitted.

EU Data Privacy Laws

The EU leads global data governance with foundational laws like the GDPR and newer rules tackling digital challenges. The Digital Services Act (DSA) and Digital Markets Act (DMA) have introduced rules for designated gatekeepers (Alphabet, Amazon, Apple, ByteDance, Meta, and Microsoft), algorithmic accountability, and market fairness.

Simultaneously, laws like the EU AI Act and the EU-U.S. Data Privacy Framework tackle emerging risks tied to artificial intelligence and cross-border data flows. Understanding these laws is key to complying with privacy requirements for EU-focused businesses.

The General Data Protection Regulation (GDPR)

In force since May 25, 2018, the GDPR remains the EU’s cornerstone privacy law, setting a global benchmark for data protection. It applies to any organisation worldwide that processes the personal data of EU residents, whether by offering goods/services or by monitoring behaviour (e.g., via cookies).

Here are some key points about GDPR:

  1. Data collection requires explicit, unambiguous consent, with strict rules against pre-ticked boxes or vague terms.
  2. It grants EU residents the right to access, correct, delete, and port their data and object to profiling or automated decisions.
  3. It mandates reporting data breaches to authorities within 72 hours if risks exist.
  4. It excludes personal/household activities, national security, and specific journalistic or research purposes.

EU GDPR Fact Sheet

Penalties: Noncompliance risks fines of up to €20 million or 4% of global annual revenue, whichever is higher. Businesses operating in the EU should therefore work through a GDPR compliance checklist.

Update: The European Commission’s 2024 procedural regulation now streamlines cross-border GDPR enforcement, requiring stricter coordination among EU data authorities.

Digital Services Act (DSA)

Enacted in November 2022 and fully applicable since February 2024, the Digital Services Act (DSA) establishes comprehensive digital safety standards, with its heaviest obligations falling on platforms with over 45 million EU users:

  1. It covers internet service providers, hosting platforms, social media networks, and very large online platforms (e.g., TikTok, Amazon).
  2. It provides targeted exemptions for personal communications and smaller digital businesses.

Obligations of different entities under DSA

Platforms must remove illegal content (e.g., hate speech, counterfeit goods) within hours of notification. Very large online platforms (VLOPs) face stricter mandates: annual risk assessments, independent audits, and transparency in recommendation algorithms. The DSA bans targeted ads using sensitive data (e.g., race, health data) or aimed at minors while prohibiting dark patterns that trick users into consent.

Penalties: Violations risk fines of up to 6% of global annual revenue (higher than the GDPR’s 4% ceiling) or temporary EU service bans for systemic failures.

The Digital Markets Act (DMA)

Since March 2024, the DMA has been reshaping the digital market, particularly for Big Tech Gatekeepers like Alphabet, Meta, and Amazon. These companies, which control core EU digital services such as app stores and search engines, are now subject to the DMA’s regulations. To qualify as a gatekeeper, a company must have 45 million monthly EU users and a minimum market valuation of €75 billion.

Dos and don’ts of the Digital Markets Act

Key rules of DMA include:

  1. Ban self-preferencing: Gatekeepers can’t prioritise their products over rivals in search results or app stores.
  2. Interoperability: Messaging apps (e.g., WhatsApp) must allow cross-platform communication.
  3. Data consent: Combining user data across services (e.g., Google Search + YouTube) requires explicit opt-in.
  4. App freedom: Users can uninstall preloaded apps (e.g., Apple’s Safari) and install third-party alternatives.

Penalties: Violations could result in fines up to 10% of global annual revenue (20% for repeat offences) or forced business divestitures.

Exemptions: Smaller platforms and non-dominant firms face no obligations.

EU-U.S. Data Privacy Framework

Effective July 10, 2023, the EU-U.S. Data Privacy Framework (DPF) replaces the defunct Privacy Shield and establishes a legal mechanism for transferring personal data from the EU to U.S. companies that certify compliance.

Key features of DPF:

  1. Restricts U.S. intelligence access to EU data to “necessary and proportionate” uses.
  2. Establishes an independent Data Protection Review Court for EU citizens to challenge violations.
  3. Grants rights to access, correct, and delete personal data held by certified entities.
  4. U.S. firms that are not certified must rely on Standard Contractual Clauses (SCCs) or Binding Corporate Rules.

Enforcement: This is managed by the U.S. Department of Commerce and the Federal Trade Commission (FTC). Noncompliant companies face loss of certification, which blocks their ability to import EU data legally.

Despite improvements over the Privacy Shield, concerns remain about its durability, with potential legal challenges questioning its long-term viability under EU law.

The EU AI Act

Adopted in July 2024, the EU Artificial Intelligence Act (EU AI Act) is the world’s first comprehensive AI regulation. It establishes a tiered, risk-based framework to govern AI applications within the EU, including systems developed outside the region but deployed within it. The law is being phased in from February 2025, with full enforcement by August 2027.

The EU AI Act categorises AI systems into four distinct risk levels:

  1. Unacceptable Risk – Prohibited outright; includes social scoring and real-time biometric tracking in public areas.
  2. High Risk – Strict compliance requirements for AI in critical areas like healthcare, finance, and law enforcement.
  3. Limited Risk – Transparency obligations for generative AI, requiring disclosure of AI-generated content and training data sources.
  4. Minimal Risk – No specific regulatory obligations; covers systems like spam filters and AI-powered recommendations.

Penalties: Violations could result in fines of up to 7% of global annual revenue or €35 million, whichever is higher.

Exemptions: Open-source AI for research and non-professional use is mainly exempt.

General Product Safety Regulation (GPSR)

On December 13, 2024, the General Product Safety Regulation (GPSR) replaced the General Product Safety Directive (GPSD), modernising product safety standards across the EU. This regulation applies to:

  1. Manufacturers, importers, and distributors selling consumer products in the EU.
  2. Online marketplaces facilitating the sale of products to EU consumers.
  3. Non-EU businesses selling products in the EU market.

Businesses must proactively ensure compliance with product safety rules, traceability, and risk mitigation strategies. Here are some of the key requirements to keep in mind:

  1. All consumer products must be “safe” under normal and foreseeable use conditions.
  2. Businesses must conduct comprehensive risk analyses and maintain technical documentation.
  3. Non-EU businesses must designate an EU-based person responsible for overseeing compliance.
  4. Products must display batch numbers, manufacturer details, and contact information.
  5. Businesses must notify authorities about serious product-related accidents and offer at least two remedies (e.g., repair, replacement, or refund).
  6. Online marketplaces must ensure third-party sellers comply with GPSR and remove non-compliant listings.
  7. Connected devices and AI-driven products must meet cybersecurity standards to prevent misuse.

Note: National authorities have enhanced surveillance powers to inspect and enforce compliance. For severe violations, non-compliance may result in product recalls, removal from the market, and stricter financial penalties.

Other Noteworthy International Data Privacy Laws

137 countries now enforce national data privacy laws, creating a complex web for global enterprises. While we can’t cover every law in detail, here are some of the most significant global data privacy laws that may affect your compliance strategy.

Brazil: General Data Protection Law (LGPD)

Brazil’s Lei Geral de Proteção de Dados (LGPD), or General Data Protection Law in English, effective in 2020, establishes robust protections for personal data processing. Modelled after the GDPR, it applies to organisations operating in Brazil or handling data from Brazilian residents, regardless of their physical location.

Here are the key features of LGPD:

  1. Extraterritorial Scope: Governs entities outside Brazil if they process data from Brazilian users or offer services locally.
  2. Individual Rights: Grants Brazilians access, correction, deletion, and data portability. They can revoke consent at any time.
  3. Legal Bases: Requires one of 10 legal grounds for processing, including explicit consent, contractual necessity, or legitimate interest.
  4. Sensitive Data: Imposes stricter rules for health, biometric, or racial data, mandating explicit consent.
  5. Accountability: Organisations must appoint a Data Protection Officer (DPO) and conduct data protection impact assessments for high-risk processing.

Penalties: Non-compliance risks fines of up to 2% of annual revenue (capped at BRL 50 million per violation) or temporary data processing bans.

Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)

Enacted in 2000, PIPEDA remains Canada’s federal privacy law governing the commercial use of personal data. It applies to private-sector organisations nationwide, except in provinces with substantially similar laws (Quebec, Alberta, British Columbia).

Entities that must comply with Canada’s PIPEDA

Built on ten Fair Information Principles, the key features of this law include:

  1. Organisations must obtain meaningful consent for data collection, use, or sharing.
  2. The Privacy Commissioner and affected individuals are required to be informed of breaches posing a “real risk of significant harm” (e.g., identity theft, financial loss).
  3. Canadians can access, correct, or withdraw consent for their data.

Ten fair information principles set by PIPEDA

Exemptions: Nonprofits, charities, and political parties fall outside PIPEDA’s scope unless engaging in commercial activities.

Enforcement: Unlike the GDPR, PIPEDA does not empower the Office of the Privacy Commissioner (OPC) to impose direct fines. However, severe violations risk federal prosecution with penalties of up to CAD 100,000 per violation.

China’s Personal Information Protection Law (PIPL)

Enacted August 20, 2021, and effective November 1, 2021, China’s Personal Information Protection Law (PIPL) regulates organisations handling personal data of individuals in China, regardless of their location. It applies to:

  1. Domestic or foreign entities processing data on Chinese residents.
  2. Cross-border businesses transferring data outside China (e.g., e-commerce platforms, financial institutions).
  3. Handlers of sensitive data (e.g., health, biometrics, financial accounts).

Here are some of the key rights & requirements of PIPL:

  1. Consent: Mandatory for collecting or sharing sensitive personal data (e.g., race, religion, health).
  2. Cross-border transfers: Require data security assessments, government approvals, or certification. Critical data must be stored domestically.
  3. Individual rights: Access, correct, delete, and withdraw consent for personal data.
  4. Impact assessments: Required for processing sensitive data, automated decision-making, or international data transfers.

Applicability & user rights of China PIPL law

Penalties: Under this law, businesses can be fined up to 5% of annual revenue or RMB 50 million (whichever is higher) for violations. Severe breaches risk operational suspensions or criminal charges (up to 7 years imprisonment).

Enforcement is led by the Cyberspace Administration of China (CAC), with support from sector-specific regulators.

Enforcer and fines for violations of China's PIPL law

Exemptions: This law doesn’t apply to the following cases:

  1. Processing for national security, public health emergencies, or judicial investigations.
  2. Non-commercial research/statistical activities with anonymised data.

India’s Digital Personal Data Protection Act (DPDPA)

Passed on August 11, 2023, and fully effective as of January 1, 2025, India’s Digital Personal Data Protection Act (DPDPA) establishes a framework for protecting digital personal data in India. The law applies to:

  1. Entities processing personal data within India.
  2. Foreign organisations targeting Indian residents or offering goods and services in India.

It establishes several key rights and obligations, including:

  1. Individual Rights to access, correct, delete, and withdraw consent for their data.
  2. Consent-based processing is mandatory for collecting and processing personal data.
  3. Prohibits targeted advertising and behavioural monitoring of minors under 18.
  4. Permits transfers to approved countries while restricting transfers to blocklisted nations.

Applicability and user rights under India's privacy law DPDPA

Exemptions: This law doesn’t apply to the following cases:

  1. Government activities related to national security, public order, or emergencies.
  2. Anonymised data used for research or statistical purposes.

Penalties: Violations may result in fines of up to ₹250 crores (~$30 million) per violation. Mishandling children’s data or failing to address grievances may lead to higher penalties.

Enforcer and penalty for DPDPA violations

The newly established Data Protection Board (DPB) oversees compliance and imposes the penalties described above.

Data Privacy Laws in 2025 and Beyond

With new US state laws granting millions of Americans the right to control their data, 2025 significantly changes data privacy in the United States as we know it. Globally, enforcement of laws like the GDPR and Brazil’s LGPD is intensifying, while emerging frameworks in Asia and Africa prioritise consumer sovereignty and algorithmic transparency.

New US State Data Privacy Laws

Eight new state privacy laws will take effect in 2025. Businesses now navigate a patchwork of regulations, balancing compliance complexity with operational demands. While core principles like consumer rights to access, delete and opt-out align with existing frameworks, each law introduces subtle variations in scope, enforcement, and exemptions.

US State Privacy Law Deadlines 2025 & Beyond

Let’s give you a gist of these new laws so you’re not left playing whack-a-mole with compliance updates.

Delaware Personal Data Privacy Act (DPDPA)

Effective January 1, 2025, the Delaware Personal Data Privacy Act (DPDPA) applies to businesses operating in Delaware or offering services to state residents if they meet one of the following criteria:

  1. Process personal data of at least 35,000 consumers, excluding data used solely for payment transactions.
  2. Process personal data of at least 10,000 consumers while deriving 20% or more of gross revenue from selling personal data.

The DPDPA combines a low applicability threshold with strict compliance requirements. It grants several consumer rights, including:

  1. Access, delete, correct, or obtain a copy of personal data.
  2. Opt out of data sales, targeted ads, and profiling.
  3. Request a list of third parties holding their data.

Applicability & user rights under Delaware DPDPA

Businesses must adopt strict practices under the DPDPA, such as:

  1. Limit data collection to what’s necessary and obtain explicit consent for sensitive data (e.g., health, race, biometrics).
  2. Conduct data protection assessments for high-risk activities.
  3. Honour universal opt-out signals starting January 1, 2026.

Penalties: Businesses can be fined up to $10,000 per violation, with a 60-day cure period until December 31, 2025. After 2025, the opportunity to cure violations is at the Attorney General’s discretion.

Enforcer and penalties for Delaware DPDPA violations

Unlike many other state laws, nonprofits are not exempt, and HIPAA-regulated entities must still comply for non-health-related consumer data.

Iowa Consumer Data Protection Act (ICDPA)

Effective January 1, 2025, the Iowa Consumer Data Protection Act (ICDPA) is one of the most business-friendly state privacy laws. The law applies to businesses operating in Iowa or targeting Iowan consumers that meet one of the following criteria:

  1. Control or process the personal data of at least 100,000 consumers.
  2. Derive over 50% of gross revenue from selling the personal data of at least 25,000 consumers.

Focusing on foundational protections, the ICDPA grants residents the right to:

  1. Access, delete, or obtain a portable copy of personal data.
  2. Opt out of data sales, targeted advertising, or automated profiling.

Applicability & user rights under Iowa ICDPA

The law prioritises streamlined compliance, requiring businesses to:

  1. Disclose data practices through clear privacy notices.
  2. Implement proper security measures to protect consumers’ sensitive information.
  3. Allow opt-outs for sensitive data processing (e.g., health, biometrics).

Exemptions: This law doesn’t apply to:

  1. Government agencies, nonprofits, and entities covered by HIPAA or GLBA.
  2. Data regulated under FERPA, FCRA, or other federal laws.

Enforcer and fines for ICDPA violations

Penalties: Violations can result in fines up to $7,500 per incident, and a 90-day cure period remains indefinitely available.

Nebraska Data Privacy Act (NDPA)

Effective January 1, 2025, the Nebraska Data Privacy Act (NDPA) establishes broad privacy obligations for businesses operating in Nebraska or offering products and services to its residents. Unlike many state laws, the NDPA applies regardless of revenue or data processing volume, provided the organisation is not classified as a small business under the Small Business Administration (SBA) guidelines.

Nebraska’s privacy law grants residents rights to:

  1. Access, delete, correct, or obtain a copy of personal data.
  2. Opt out of data sales, targeted ads, or profiling.

Applicability & User rights under Nebraska NDPA

Businesses must adopt practices such as:

  1. Securing explicit consent before processing sensitive data (e.g., health, race, biometrics).
  2. Limiting data collection to necessary purposes and retaining it only as long as required.
  3. Honouring universal opt-out signals (e.g., Global Privacy Control).

Enforcer and penalty for NDPA violations

Note: Violations risk fines of up to $7,500 per incident, with a 30-day cure period. This grace period does not expire. The Nebraska Attorney General enforces compliance and investigates violations.

New Hampshire Data Privacy Act (NHDPA)

Effective January 1, 2025, the New Hampshire Data Privacy Act (NHDPA) applies to businesses operating in New Hampshire or offering services to its residents that meet one of the following criteria within one year:

  1. Process personal data of 35,000+ residents (excluding payment transactions).
  2. Process data of 10,000+ residents and derive 25%+ revenue from data sales.

The NHDPA grants residents control over their data, including the right to:

  1. Access, correct, or delete personal information.
  2. Opt out of data sales, targeted ads, or profiling.
  3. Obtain a portable copy of their data.

Applicability & user rights under NHDPA

The NHDPA is expected to impact small and mid-sized businesses more than other state privacy laws. Businesses must therefore adopt measures such as:

  1. Conducting privacy impact assessments for high-risk activities.
  2. Providing clear privacy notices detailing data practices.
  3. Honouring universal opt-out signals (e.g., Global Privacy Control).

Enforcer and penalties for NHDPA violations

Penalties: Violations can result in fines up to $10,000 per incident, and a 60-day cure period is available until January 1, 2026. The New Hampshire Attorney General oversees enforcement.

New Jersey Data Privacy Act (NJDPA)

Effective January 15, 2025, the New Jersey Data Privacy Act (NJDPA) sets clear privacy standards for businesses operating in New Jersey. The law applies to entities that meet one of the following criteria within a calendar year:

  1. Process personal data of 100,000+ residents (excluding payment transactions).
  2. Process data of 25,000+ residents and earn revenue/discounts from data sales.

Residents gain control over their data, including the right to:

  1. Access, delete, or correct personal information.
  2. Opt out of data sales, targeted ads, or profiling.
  3. Obtain a portable copy of their data.

Scope & user rights under NJDPA

New Jersey’s privacy law mandates practices such as:

  1. Securing opt-in consent for sensitive data (e.g., financial, health, biometrics).
  2. Providing transparent privacy notices detailing data use and sharing.
  3. Honouring universal opt-out mechanisms (e.g., Global Privacy Control).

Exemptions: The NJDPA does not exempt nonprofits, but it doesn’t apply to:

  1. Data processed solely for payment transactions.
  2. Government agencies, entities covered by HIPAA or GLBA.

Enforcer & penalties for NJDPA violations

Penalties: Fines reach up to $10,000 per first violation and $20,000 for repeat offences, with a 30-day cure period ending July 15, 2026.

Tennessee Information Protection Act (TIPA)

Tennessee’s TIPA, with an effective date of July 1, 2025, introduces a business-friendly framework with stricter revenue thresholds than most state laws. It applies to companies earning over $25 million annually that:

  1. Process personal data of 175,000+ residents.
  2. Process data of 25,000+ residents while deriving 50%+ revenue from data sales.

Under TIPA, residents can:

  1. Access, correct, or delete their data.
  2. Opt out of data sales, targeted ads, or profiling.
  3. Obtain a portable copy of their information.

Scope & user rights under Tennessee TIPA

TIPA uniquely allows businesses to build an affirmative defence by adopting privacy programs aligned with NIST standards. Organisations must:

  1. Conduct data protection assessments for high-risk processing.
  2. Honour universal opt-out signals (e.g., Global Privacy Control).
  3. Limit data collection to what’s necessary and relevant.

Enforcer & fines for violations of TIPA

Penalties: Violations risk fines up to $7,500 per occurrence, with triple damages for intentional breaches. Businesses receive a 60-day cure period to resolve issues.

Minnesota Consumer Data Privacy Act (MCDPA)

The Minnesota Consumer Data Privacy Act (MCDPA), set to take effect on July 31, 2025, sets privacy obligations on businesses operating in Minnesota or targeting its residents. Companies must comply if they meet one of the following thresholds:

  1. Process personal data of 100,000+ Minnesota residents.
  2. Process data of 25,000+ residents while earning 25%+ revenue from data sales.

Minnesotans gain complete control over their data, including the right to:

  1. Access, correct, or delete personal information.
  2. Opt out of personal data sales, targeted ads, or profiling.
  3. Contest profiling results (e.g., credit/employment decisions) and request re-evaluation using corrected data.

Applicability & user rights of MCDPA

The MCDPA stands out for its enhanced consumer rights to challenge automated profiling outcomes. Therefore, businesses should take measures such as:

  1. Maintaining data inventories to track personal information storage and usage.
  2. Conducting privacy risk assessments for high-risk activities.
  3. Honouring universal opt-out signals (e.g., Global Privacy Control).
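Several of the laws above (Nebraska, New Hampshire, New Jersey, Tennessee and Minnesota) require businesses to honour universal opt-out signals such as Global Privacy Control. As an added example that is not part of the original article, the following JavaScript shows how a site can read the GPC signal from the `Sec-GPC` request header or the browser's `navigator.globalPrivacyControl` property and fold it into a consumer's effective opt-out state; the `prefs` object shape, the purpose names and the override rule are assumptions made for illustration, not requirements taken from any of the statutes.

```javascript
// Added example (not from the original article): resolving a consumer's
// opt-out state from the Global Privacy Control (GPC) signal.
// Assumptions (not from the page): the site stores each consumer's explicit
// choices in a `prefs` object; its field names are invented for this example.

// The GPC specification sends the signal as the request header `Sec-GPC: 1`
// and exposes it to page scripts as `navigator.globalPrivacyControl === true`.
// Any other value (absent, "0", "true") is NOT a valid opt-out signal.
function gpcSignalPresent(headers = {}, navigatorLike = null) {
  const headerValue = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === 'sec-gpc')?.[1];
  if (typeof headerValue === 'string' && headerValue.trim() === '1') return true;
  return Boolean(navigatorLike && navigatorLike.globalPrivacyControl === true);
}

// Purposes the signal is treated as covering here: sale of personal data and
// targeted advertising. Profiling is listed separately by most of the laws
// above, so this example only opts out of it on an explicit consumer choice.
const GPC_PURPOSES = ['sale', 'targeted_advertising'];

// Returns the effective opt-out map for one request. A GPC signal switches the
// covered purposes to opted-out unless the consumer explicitly re-consented to
// that purpose afterwards (`prefs.overrides`, an assumed bookkeeping field).
// `source` records why the decision was made, for audit logging.
function resolveOptOut(headers, navigatorLike, prefs = {}) {
  const explicit = prefs.optOut || {};     // choices made via the site's own controls
  const overrides = prefs.overrides || {}; // purposes the consumer re-consented to
  const signal = gpcSignalPresent(headers, navigatorLike);
  const result = {
    sale: Boolean(explicit.sale),
    targeted_advertising: Boolean(explicit.targeted_advertising),
    profiling: Boolean(explicit.profiling),
    source: signal ? 'gpc' : 'explicit',
  };
  if (signal) {
    for (const purpose of GPC_PURPOSES) {
      if (!overrides[purpose]) result[purpose] = true; // honour the signal
    }
  }
  return result;
}

// Constructed sample requests (not real traffic) for a quick self-check.
const sampleRequests = [
  { label: 'GPC header set', headers: { 'Sec-GPC': '1' }, nav: null, prefs: {} },
  { label: 'no signal', headers: { 'User-Agent': 'example' }, nav: null, prefs: {} },
  { label: 'invalid value', headers: { 'sec-gpc': 'true' }, nav: null, prefs: {} },
  { label: 'browser API', headers: {}, nav: { globalPrivacyControl: true }, prefs: {} },
  { label: 'signal overridden', headers: { 'Sec-GPC': '1' }, nav: null,
    prefs: { overrides: { sale: true } } },
];
for (const r of sampleRequests) {
  console.log(r.label, resolveOptOut(r.headers, r.nav, r.prefs));
}
```

Whether a later explicit consent may override the signal, and which purposes the signal covers, differ between the state laws, so the override rule above must be checked against the statute that applies.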

Enforcer & fines for violations of MCDPA

Note: The Minnesota Attorney General oversees compliance. Each non-compliance incident can result in fines of up to $7,500. A 30-day cure period is available until January 31, 2026, after which violations will be penalised without prior warning.

Maryland Online Data Protection Act (MODPA)

The Maryland Online Data Protection Act (MODPA), taking effect on October 1, 2025, introduces one of the most stringent consumer data protection laws in the U.S. It applies to organisations that conduct business in Maryland or target its residents and meet one of the following conditions:

  1. Process personal data of 35,000+ Maryland residents (excluding payment transactions).
  2. Process data of 10,000+ residents while earning 20%+ revenue from data sales.

Maryland residents gain rights to:

  1. Access, correct, delete, or obtain a portable copy of their data.
  2. Opt out of targeted ads, profiling, or data sales.
  3. Request a list of third parties holding their data.

Applicability & user rights of MODPA

Maryland’s privacy law stands out for its blanket ban on data sales and strict focus on algorithmic transparency. Therefore, businesses operating in this region must heed the following:

  1. Prohibition on selling personal data, even with consumer consent.
  2. Strict necessity for collecting or sharing sensitive data (e.g., health information, biometrics).
  3. Privacy impact assessments for high-risk activities, including algorithmic processing.

Enforcer and fines for violations of MODPA

Penalties: Violations risk fines of up to $10,000 per incident (or $25,000 for repeat offences). Businesses may receive a 60-day cure period until April 1, 2027, at the Attorney General’s discretion.

Indiana Consumer Data Protection Act (ICDPA)

The Indiana Consumer Data Protection Act (ICDPA), effective from January 1, 2026, introduces strict privacy regulations for businesses operating in or targeting Indiana residents. It applies to for-profit entities meeting one of the following criteria:

  1. Processing personal data of 100,000 or more consumers.
  2. Processing data of 25,000 or more consumers while deriving 50% or more of revenue from data sales.

Applicability & user rights of Indiana ICDPA law

Key consumer rights under ICDPA include:

  • Access, remove, correct, or obtain a copy of personal data.
  • Opt-out of targeted advertising, data sales, and profiling.
  • Have sensitive data, including health, biometric, and geolocation data, processed only with their explicit consent.

Businesses must ensure data minimisation, implement security measures, and provide a clear privacy notice.

Enforcer and fines for ICDPA violations

Note: Non-compliance with the ICDPA can result in $7,500 per incident penalties. The Indiana Attorney General will enforce the fines. Businesses receive a 30-day cure period to address violations before penalties apply.

New EU Privacy Regulations to Watch

The European Union is advancing new privacy regulations to reshape data governance in 2025. With a focus on AI oversight, data portability, and cybersecurity, frameworks like the Data Act and DORA aim to fortify consumer rights in an increasingly challenging environment. Let’s get into what these upcoming EU privacy laws mean for businesses.

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA), effective January 17, 2025, establishes a unified regulatory framework for managing cybersecurity risks in the EU financial sector. DORA applies to financial institutions and their third-party ICT service providers, including:

  1. Banks, insurance companies, and investment firms.
  2. Payment processors and crypto-asset service providers.
  3. Cloud computing, software, and data analytics firms supporting financial services.

DORA’s five pillars and their implications

DORA enforces robust operational stability through key obligations, including:

  1. Firms must integrate cybersecurity measures into their broader risk management strategies.
  2. Financial entities must report major cyber incidents to national regulators within specific timeframes.
  3. Regular penetration testing and security assessments are required to mitigate vulnerabilities.
  4. Companies must ensure service providers meet DORA compliance standards, with some requiring an EU-based subsidiary for oversight.
  5. Senior management must oversee cybersecurity policies and ensure staff are trained in compliance obligations.

Violations of DORA carry significant penalties:

  1. Financial entities may face fines of up to 2% of their annual global turnover.
  2. Critical third-party ICT providers can incur fines of up to €5 million.
  3. Additional sanctions include suspension orders, public notices, or regulatory restrictions.

European Accessibility Act (EAA)

The European Accessibility Act (EAA), fully effective from June 28, 2025, requires that essential digital services across the EU meet accessibility standards for people with disabilities. The EAA applies to businesses that sell products or services in the EU, including:

  1. E-commerce platforms and digital service providers.
  2. Banks and financial institutions (e.g., online banking, ATMs).
  3. Transport services, including ticket machines and booking systems.
  4. Tech manufacturers (e.g., smartphones, operating systems, TV services).

Note: Small businesses (<10 employees or <€2M annual turnover) may receive limited exemptions but must still provide essential accessibility.

EAA compliance: who’s responsible

Businesses must integrate inclusive design and ensure digital services follow Web Content Accessibility Guidelines (WCAG 2.1) and broader accessibility principles:

  1. Websites, mobile apps, and digital platforms must be navigable by assistive technologies (e.g., screen readers, voice commands).
  2. ATMs, online banking, and payment terminals must offer audio guidance, contrast adjustments, and alternative input methods.
  3. Ticketing machines, check-in kiosks, and transit websites must support visual and audio accessibility.
  4. Devices and apps must integrate built-in accessibility features (e.g., voice control, subtitles, text magnification).

Violations of the EAA may result in:

  1. Fines of up to €1,000,000, depending on the severity and impact of the non-compliance.
  2. Product or service bans, preventing companies from selling inaccessible goods in the EU.
  3. Mandatory corrective actions, requiring businesses to address accessibility failures immediately.

EU Data Act

The EU Data Act, effective from September 12, 2025, introduces a regulatory framework to ensure fair access, use, and sharing of data generated by connected devices and digital services. The Data Act applies to:

  1. Connected devices (IoT) manufacturers and providers of related services.
  2. Data holders that control or store user-generated data.
  3. Cloud computing and data processing providers offering services in the EU.
  4. Public sector bodies requesting access to privately held data in specific cases.

Businesses operating in the EU must align with several core obligations, including:

  1. Users of IoT devices must have the right to access and share their data with third parties.
  2. Data holders must provide fair, reasonable, and non-discriminatory access to data upon request.
  3. Cloud providers must ensure easy migration and interoperability between platforms.
  4. Strengthened safeguards prevent third-country governments from accessing EU data without legal protections.
  5. Larger corporations cannot impose unfavourable data-sharing terms on SMEs.

Failure to comply with the EU Data Act may result in:

  1. Fines reaching €20 million or 4% of global annual revenue, whichever is higher.
  2. Legal challenges and contractual penalties.
  3. Restrictions on market access for non-compliant businesses.

Key Privacy Developments in 2025

As data privacy laws continue to change, 2025 brings not only new regulations but also essential updates to existing laws and shifts in industry practices. Governments are increasing enforcement actions, and tech platforms are limiting data access, so businesses must improve transparency and user control. Below, we break down the most notable updates to watch this year.

GA4 + Firebase Policy Change

Starting February 16, 2025, Google is updating its Google Analytics 4 and Firebase policies. The new policy explicitly prohibits device fingerprinting and locally shared objects, reinforcing Google’s privacy commitments.

Here is the gist of this update that businesses need to know:

  1. Websites and apps using GA4 and Firebase must comply with Google’s Platform Program Privacy Disclosures.
  2. Device fingerprinting, Flash cookies, HTML5 local storage, and other non-HTTP cookie tracking methods are banned.
  3. Developers must ensure compliance by inspecting their tracking implementations and updating privacy policies.

Regulators like the UK ICO emphasise that fingerprinting still requires user consent under laws like GDPR, as users can’t block it as easily as cookies. Privacy advocates criticise the move for conflicting with Google’s earlier Privacy Sandbox goals, which aimed to reduce covert tracking.

Latest Developments with Digital Markets Act (DMA)

The Digital Markets Act (DMA) will intensify its impact on tech giants in 2025 as EU regulators ramp up enforcement efforts compared with last year. Major companies like Google, Apple, and Meta now face active investigations over alleged breaches, including self-preferencing (favouring their own services in search rankings) and restricting third-party app store access.

This year’s key focus is interoperability: Meta must enable cross-platform messaging (e.g., WhatsApp with Signal) by March 2025. Meanwhile, Apple’s App Store policies and Google’s Play Store fees are scrutinised for limiting consumer choice.

2025 serves as a litmus test for the DMA’s effectiveness, with penalties for violations reaching up to 10% of global revenue. The results of these cases will shape how digital markets balance competition and innovation in the EU.

Shopify’s Checkout.liquid Deprecation

Shopify is officially deprecating checkout.liquid in favour of Checkout Extensibility, an app-based solution designed to provide checkout customisations. This transition is occurring in two phases, including:

  1. August 13, 2024 – Checkout.liquid customisations for Information, Shipping, and Payment pages will no longer function. Merchants must migrate their checkout modifications to Checkout Extensibility before this deadline.
  2. August 28, 2025 – Checkout.liquid will be fully deprecated, including Thank You and Order Status pages. Additionally, script tags and additional scripts used on these pages will be disabled.

Shopify is deprecating checkout.liquid to enhance security and provide long-term compatibility. The new Checkout Extensibility framework operates in a sandboxed environment, fighting security risks while optimising speed and user experience.

Unlike with checkout.liquid, merchants can keep their customisations through Shopify updates. Additionally, the update aligns with global compliance standards like PCI DSS v4.0, making it easier for businesses to meet regulatory requirements.

Conclusion

It is very important for businesses to stay updated and act on data privacy laws. These laws are changing all the time. New technology and changing global rules about data protection require businesses to adapt quickly. For example, the United Kingdom’s data privacy rules are changing, and we expect new laws in the US, EU, and Asia-Pacific regions in the coming days. Businesses need to be alert and proactive to protect data. Stay informed and ready for future changes to keep data privacy standards high.

FAQs

What are the data privacy laws in the UK?

The UK’s privacy framework includes the UK GDPR, Data Protection Act 2018, and the Data (Use and Access) Bill, which updates rules for AI-driven processing and international transfers. These laws align with core GDPR principles while introducing sector-specific codes of conduct for industries like healthcare and finance.

What are the 7 principles of GDPR?

GDPR’s foundation rests on seven principles: lawfulness/fairness/transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, and accountability. Controllers must align with the Privacy Protection Act ethos of balancing innovation and individual rights.

What are the 8 privacy rights of GDPR?

Data subjects can access, rectify, erase, restrict processing, port data, object to automated decisions, and be informed about data usage. These apply regardless of the price of any goods or services involved.

What is a Cure Period?

A cure period is a set timeframe granted by regulators to correct data privacy violations before penalties apply. It allows businesses to address non-compliance with personal data handling or security standards, avoiding fines if resolved promptly.

Phil Pearce