Online Privacy Laws in the U.S.: What Changed in 2025?

The landscape of online privacy laws in the United States underwent significant transformation in 2025, with eight additional states’ comprehensive privacy laws coming into effect, bringing approximately 150 million Americans—43% of the U.S. population—under comprehensive state-level privacy regulations. This represents the most substantial expansion of digital rights protection in U.S. history, fundamentally changing how businesses collect, use, and protect personal information online.

Understanding these changes isn’t just important for businesses—it directly affects every American who uses the internet, shops online, or shares personal information digitally. These new online privacy laws give you more control over your data than ever before, but they also create a complex patchwork of regulations that varies significantly from state to state.

Whether you’re trying to understand your new digital rights, running a business that needs to comply with these regulations, or simply curious about how your personal information is protected online, this guide will help you navigate the evolving world of U.S. privacy regulations.

The 2025 Privacy Law Expansion

The year 2025 marked a watershed moment for online privacy laws in America. Delaware, Iowa, Nebraska, and New Hampshire’s laws went into effect on January 1, 2025, while New Jersey’s law followed on January 15, 2025. Additional states joined throughout the year, with Tennessee’s Information Protection Act and Minnesota’s Consumer Data Privacy Act taking effect on July 1 and July 31, 2025, respectively.

This expansion represents more than just new regulations—it signals a fundamental shift in how Americans think about digital rights. Before 2025, comprehensive online privacy laws were limited to a handful of states, primarily California with its pioneering California Consumer Privacy Act (CCPA). Now, nearly half the country enjoys similar protections.

The timing wasn’t coincidental. Years of high-profile data breaches, concerns about big tech companies’ data practices, and growing awareness of how personal information is collected and used online created public pressure for stronger privacy protections. State legislators responded by crafting comprehensive laws that give consumers unprecedented control over their digital footprint.

Understanding Your New Digital Rights

The 2025 privacy laws established several fundamental digital rights that apply regardless of which specific state law covers you. These rights represent a significant departure from the previous “notice and consent” model, where companies could collect virtually any data as long as they disclosed it somewhere in their privacy policy.

The Right to Know: You now have the legal right to request detailed information about what personal data companies collect about you, how they use it, and who they share it with. This isn’t limited to obvious information like your name and email address—it includes data you might not even realize companies are collecting, such as your browsing habits, location data, and inferences about your preferences or characteristics.

The Right to Access: Companies must provide you with a copy of your personal data in a portable format, allowing you to see exactly what information they have about you. This right extends beyond basic account information to include data collected through cookies, tracking pixels, and other monitoring technologies.

The Right to Correct: If companies have inaccurate information about you, you can demand they fix it. This is particularly important given how automated systems make decisions about everything from loan approvals to job opportunities based on data that might be wrong.

The Right to Delete: Perhaps the most powerful new right, you can request that companies delete your personal information entirely. There are some exceptions—companies can keep data required by law or necessary for legitimate business purposes—but the default presumption is now that you control whether your data remains in company databases.

The Right to Opt-Out: You can say no to the sale of your personal data and targeted advertising. This means companies can’t automatically include you in data broker sales or use your information for personalized ads without your explicit permission.

The Right to Non-Discrimination: Companies cannot treat you differently—by charging higher prices, providing lower service quality, or denying services entirely—simply because you exercise your privacy rights.

How Online Privacy Laws Work in Practice

Understanding your rights is one thing, but knowing how to exercise them is another. The 2025 privacy laws established specific procedures that companies must follow when you make requests about your data.

When you want to access, correct, or delete your personal information, you submit what’s called a “consumer request” to the company. They’re required to respond within specific timeframes—typically 45 days, though some states allow extensions for complex requests. Companies must verify your identity before fulfilling requests, but they cannot make this process unnecessarily burdensome.

For opt-out rights, companies must provide clear, easy-to-find mechanisms. Many now include “Do Not Sell My Personal Information” links on their websites, and some offer universal opt-out mechanisms that work across multiple services. The days of having to hunt through complicated privacy settings or contact customer service to protect your privacy are largely over.

Businesses subject to these online privacy laws must also be transparent about their data practices. They’re required to maintain updated privacy notices that clearly explain what data they collect, how they use it, and what rights you have. These notices must be written in plain language that ordinary consumers can understand—no more hiding behind legal jargon.

State-by-State Variations

While the 2025 privacy laws share common principles, each state crafted its regulations to address specific concerns and priorities. Understanding these differences is crucial because the law that applies to you depends on where you live, not where the company is located.

Delaware’s Personal Data Privacy Act applies to businesses that control or process personal data of at least 35,000 Delaware consumers annually, or derive revenue from selling personal data of at least 10,000 consumers. Delaware expanded the categories of sensitive information to include national origin, reflecting the state’s diverse population and concerns about discrimination.

Iowa’s Consumer Data Protection Act sets thresholds of 100,000 consumers or 25,000 consumers with revenue from data sales. Iowa’s law includes specific protections for agricultural data, recognizing the importance of farming in the state’s economy.

Nebraska’s Data Privacy Act, which took effect January 1, 2025, takes an interesting approach by giving consumers the right to know what data a company collects and to opt out of certain uses, such as targeted advertising.

New Hampshire’s Privacy Act focuses heavily on children’s privacy protections, going beyond federal requirements to protect minors’ data online.

New Jersey’s privacy law includes some of the strongest data broker regulations in the country, requiring these often-invisible companies to register with the state and allow consumers to opt out of their databases.

Tennessee’s Information Protection Act and Minnesota’s Consumer Data Privacy Act both emphasize transparency and consumer control, but with different enforcement mechanisms and penalty structures.

Maryland’s Online Data Privacy Act includes unique provisions about algorithmic decision-making, requiring companies to provide information about how automated systems use personal data to make decisions that affect consumers.

What These Changes Mean for Businesses

The 2025 expansion of online privacy laws created significant compliance challenges for businesses of all sizes. Companies now must navigate a complex patchwork of state regulations, each with its own requirements, thresholds, and enforcement mechanisms.

Compliance Thresholds: Each state sets different criteria for which businesses must comply with their privacy laws. Some focus on the number of consumers whose data you process, others look at revenue from data sales, and many use a combination of factors. A business might be subject to some state laws but not others, depending on their customer base and business model.

Data Mapping and Inventory: Companies must now maintain detailed records of what personal data they collect, how they use it, where it’s stored, and who has access to it. This requires comprehensive data mapping exercises that many businesses had never undertaken before 2025.

Privacy Impact Assessments: Some laws require businesses to conduct privacy impact assessments on a regular basis for each data activity that presents a heightened risk of harm to a consumer. These assessments must evaluate not just data collection practices but also algorithmic decision-making systems.

Vendor Management: Since many businesses share data with third-party service providers, they must ensure their vendors also comply with relevant privacy laws. This often requires updating contracts, conducting audits, and implementing new oversight procedures.

Response Infrastructure: Companies must establish systems to handle consumer requests for access, correction, deletion, and opt-out within legally required timeframes. This often involves new staff, technology systems, and operational procedures.

Children’s Privacy: All new state privacy laws impose additional restrictions on the data of minors (individuals aged 13 to 17), going beyond existing federal protections for children under 13.

The Role of Sensitive Information

One of the most significant aspects of the 2025 privacy laws is how they treat sensitive information differently from regular personal data. All state privacy laws impose heightened restrictions on businesses that collect or process sensitive information, with the new laws expanding the categories of sensitive information.

Sensitive information typically includes:

  • Racial or ethnic origin
  • Religious beliefs
  • Sexual orientation
  • Health information
  • Biometric identifiers
  • Precise geolocation data
  • Financial account information
  • Social Security numbers

The 2025 laws expanded these categories in various ways. Some states added national origin, citizenship status, or union membership to their definitions of sensitive information. Others included inferences about sensitive characteristics, recognizing that companies can derive sensitive information even when consumers don’t directly provide it.

For sensitive information, companies generally need explicit consent before collection and use, rather than the opt-out model that applies to regular personal data. They also face stricter limits on sharing sensitive data with third parties and must implement enhanced security measures to protect it.

Enforcement and Penalties

The 2025 privacy laws vary significantly in their enforcement mechanisms and penalty structures. Some states rely primarily on attorney general enforcement, while others allow private lawsuits in certain circumstances.

Government Enforcement: Most states give their attorneys general primary responsibility for enforcing privacy laws. These officials can investigate complaints, conduct audits, and impose significant financial penalties for violations. Some states, like Maryland, provide cure periods where businesses can fix violations before facing penalties, with Maryland offering a 60-day cure period available until April 1, 2027, at the discretion of the Maryland Attorney General.

Private Rights of Action: Several states allow consumers to sue companies directly for certain types of violations, particularly data breaches or failures to honor deletion requests. However, most require consumers to give companies notice and an opportunity to cure violations before filing lawsuits.

Penalty Structures: Financial penalties vary widely between states. Some impose per-violation fines that can add up quickly for companies with large customer bases, while others set maximum penalty amounts. The variation means that a violation affecting customers in multiple states can result in dramatically different penalty exposure depending on which states are involved.

Civil and Criminal Penalties: While most privacy law violations result in civil penalties, some states have criminal provisions for particularly egregious violations, such as knowingly selling children’s data or deliberately ignoring consumer deletion requests.

Impact on Different Industries

The 2025 online privacy laws affected different industries in varying ways, depending on their data practices and customer relationships.

Technology Companies: Large tech platforms faced the most comprehensive compliance challenges, given their extensive data collection and processing operations. Many had to redesign core product features to accommodate new privacy rights and restrictions on data use.

Retail and E-commerce: Online retailers had to revamp their marketing and customer relationship management practices, particularly around targeted advertising and customer profiling. Many implemented new systems to track and honor opt-out preferences across their various marketing channels.

Healthcare: Healthcare organizations already subject to HIPAA found themselves navigating additional state privacy requirements, particularly around patient data sharing and digital health applications.

Financial Services: Banks and financial institutions had to reconcile new state privacy requirements with existing federal financial privacy laws, creating complex compliance matrices.

Data Brokers: Companies that collect and sell personal information faced some of the most stringent new requirements, with several states requiring registration and providing consumers with easy opt-out mechanisms.

Small Businesses: Many small businesses discovered they were subject to privacy laws for the first time, requiring them to implement compliance programs despite limited resources.

Consumer Rights in Action

Understanding how to exercise your new digital rights under the 2025 privacy laws can help you take control of your online privacy. Here’s how these rights work in practice:

Making Requests: Most companies now provide online forms or dedicated email addresses for privacy requests. You’ll need to verify your identity, but companies cannot make this process unreasonably difficult. Be specific about what you’re requesting—access to all your data, deletion of specific categories, or correction of particular information.

Opt-Out Mechanisms: Look for “Do Not Sell My Personal Information” or similar links on company websites. Many companies also honor browser-based opt-out signals or participate in industry-wide opt-out programs that work across multiple websites and services.

Monitoring Company Responses: Companies must respond to your requests within specified timeframes and explain their reasoning if they deny requests. If you’re unsatisfied with a company’s response, you can file complaints with state attorneys general or, in some cases, pursue private legal action.

Understanding Limitations: Not all requests must be honored. Companies can retain data required by law, necessary for legitimate business purposes, or needed to complete transactions you initiated. They can also charge reasonable fees for excessive or repetitive requests.

Technical Implementation Challenges

The 2025 privacy laws created significant technical challenges for businesses trying to implement compliance systems. Unlike previous regulations that focused primarily on disclosure, these laws require companies to build operational capabilities to honor consumer rights requests.

Data Discovery and Classification: Companies must identify and categorize all personal data in their systems, including data stored in backup systems, archived databases, and third-party services. This often reveals data collection practices that businesses weren’t fully aware of.

Identity Verification: Companies must verify requesters’ identities without creating excessive barriers to exercising privacy rights. This balance requires sophisticated systems that can confirm identity while remaining user-friendly.

Automated Decision-Making: Some 2025 laws require companies to provide information about automated decision-making systems that affect consumers. This includes explaining how algorithms work and allowing consumers to challenge automated decisions.

Cross-Border Data Transfers: Personal data sales or other personal data transactions outside the United States became subject to additional restrictions and requirements in 2025, requiring companies to implement new controls for international data transfers.

Privacy by Design: The new laws encourage or require “privacy by design” approaches, where privacy protections are built into systems from the ground up rather than added as an afterthought.

International Implications

While the 2025 U.S. privacy laws are state-level regulations, they have significant international implications. Companies operating globally must now consider U.S. state privacy requirements alongside European GDPR requirements, Canadian privacy laws, and other international regulations.

Convergence with Global Standards: Many provisions in the 2025 U.S. laws mirror rights established in the European Union’s General Data Protection Regulation (GDPR), creating some harmonization in global privacy standards. However, important differences remain in areas like enforcement mechanisms and definitions of personal data.

Cross-Border Business Impact: International companies selling to U.S. consumers must comply with applicable state privacy laws regardless of where the company is headquartered. This extends U.S. privacy protections globally, similar to how the GDPR created worldwide compliance requirements.

Data Localization: Some of the 2025 laws include provisions about data storage and processing locations, potentially affecting how multinational companies structure their data operations.

Looking Ahead: Future Developments

The 2025 expansion of online privacy laws represents just the beginning of ongoing privacy law development in the United States. Several trends are likely to shape future regulations:

Federal Legislation: The patchwork of state laws has renewed calls for comprehensive federal privacy legislation that would provide uniform protections across all states. However, political disagreements about enforcement mechanisms and preemption of state laws continue to stall federal action.

Artificial Intelligence Regulation: As AI systems become more prevalent, privacy laws are likely to include more specific requirements about algorithmic decision-making, automated profiling, and AI-generated inferences about consumers.

Biometric Privacy: Several states are considering standalone biometric privacy laws or expanding existing privacy laws to include more specific protections for biometric identifiers like fingerprints, facial recognition data, and voice prints.

Internet of Things (IoT): As connected devices become ubiquitous, privacy laws will likely address the unique challenges of regulating data collection by smart home devices, connected cars, and wearable technology.

Children’s Privacy: Expect continued expansion of protections for minors’ data, potentially including age verification requirements and stricter limits on behavioral advertising to teenagers.

Practical Compliance Strategies

For businesses navigating the new privacy landscape, several practical strategies can help manage compliance across multiple state laws:

Risk-Based Approach: Focus compliance efforts on the highest-risk data processing activities and the states with the largest portions of your customer base or the strictest enforcement mechanisms.

Harmonized Policies: Where possible, implement privacy practices that meet the requirements of the strictest applicable law, rather than trying to maintain separate compliance programs for each state.

Technology Solutions: Invest in privacy management platforms that can automate consumer request processing, track data flows, and maintain compliance documentation across multiple jurisdictions.

Regular Audits: Conduct periodic privacy audits to ensure compliance systems are working effectively and to identify new compliance requirements as laws evolve.

Staff Training: Ensure employees understand privacy law requirements and their roles in maintaining compliance, particularly staff who handle consumer requests or make decisions about data use.

Frequently Asked Questions

Which privacy law applies to me as a consumer?

The privacy law that applies to you depends on which state you live in, not where the company is located. If you live in a state with a comprehensive privacy law (like California, Virginia, Colorado, or any of the eight states that enacted laws in 2025), you have rights under that state’s law regardless of where the companies you interact with are headquartered.

Do these privacy laws apply to small businesses?

It depends on the specific law and the size of the business. Most state privacy laws have thresholds based on the number of consumers whose data you process or revenue from data sales. For example, some laws apply to businesses that process data from 100,000 consumers annually, while others set the threshold at 25,000 or 35,000 consumers. Very small businesses that only serve local customers may not be covered.

Can I request my data from any company, even if they’re not based in my state?

Yes, if you’re a resident of a state with a privacy law, you can request your data from any company that meets that law’s applicability thresholds, regardless of where the company is located. Companies that serve customers in privacy law states must comply with those laws even if they’re headquartered elsewhere.

What happens if a company ignores my privacy request?

Companies that fail to respond to valid privacy requests can face enforcement action from state attorneys general, including significant financial penalties. In some states, you may also be able to file a private lawsuit. Before taking legal action, document your request and the company’s failure to respond, and consider filing a complaint with your state’s attorney general.

Are there any types of data that companies never have to delete?

Yes, companies can retain data in several circumstances: when required by law, when necessary to complete a transaction you initiated, for security purposes, to exercise free speech rights, or for certain legitimate business purposes. However, the burden is on companies to justify why they need to keep data after you request deletion.

How do I know if a company is selling my personal information?

Companies subject to privacy laws must disclose in their privacy notices whether they sell personal information and provide opt-out mechanisms if they do. Look for sections titled “Do Not Sell My Personal Information” or similar language on company websites. Remember that “sale” under these laws includes sharing data for valuable consideration, not just traditional cash transactions.

Can companies charge me different prices if I opt out of data sales?

No, privacy laws include anti-discrimination provisions that prevent companies from charging you more, providing worse service, or denying services entirely just because you exercise your privacy rights. However, companies can offer loyalty programs or discounts in exchange for data, as long as the choice is truly voluntary.

Do these laws protect my data on social media platforms?

Yes, if you live in a state with a privacy law and the social media platform meets the law’s applicability thresholds, you have rights regarding your data on those platforms. This includes the right to access, correct, delete, and opt out of data sales. However, some data may be exempt if it’s necessary for the platform’s core functionality or protected under free speech provisions.

What’s the difference between “personal information” and “sensitive information” under these laws?

Personal information is broadly defined to include any data that identifies or could reasonably be linked to you. Sensitive information is a subset that includes particularly private data like health information, biometric identifiers, precise location data, or information about race, religion, or sexual orientation. Sensitive information typically requires explicit consent before collection and has stricter sharing restrictions.

How long do companies have to respond to my privacy requests?

Most state privacy laws require companies to respond within 45 days of receiving a valid request, though some allow extensions for complex requests. Companies must acknowledge receipt of your request and provide updates if they need additional time. If a company doesn’t respond within the required timeframe, they may be in violation of the law.