2025 U.S. state privacy law tracker
Last updated: December 4, 2024
With a new year comes new state-level privacy regulations — and it’s on you to stay on top of every new change. Keep these upcoming privacy bill “effective” dates on your calendar. For more information, consult the International Association of Privacy Professionals.
Jan. 1, 2025
- Connecticut, Texas: Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.
- Delaware, Iowa, Nebraska and New Hampshire: State-level data privacy regulations go into effect.
- Montana, New Hampshire: Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.
Jan. 15, 2025
- New Jersey: State-level data privacy law goes into effect.
July 1, 2025
- Colorado: Obligations regarding the collection and processing of biometric data go into effect.
- Delaware: Data protection assessment requirements apply to processing activities created or generated after this date.
- Oregon: State-level data privacy regulation goes into effect for 501(c)3 tax-exempt organizations.
- Tennessee: State-level data privacy regulation goes into effect.
July 31, 2025
- Minnesota: State-level data privacy regulation goes into effect.
October 1, 2025
- Colorado: Obligations for data controllers that provide online services, products, or features to minors go into effect.
- Maryland: State-level data privacy regulation goes into effect.
- Maryland: Data protection assessment requirements apply to processing activities created or generated after this date.
- Maryland: Requirement to allow consumers to opt out of processing for purposes of targeted advertising or any sale through opt-out preference signals goes into effect.
December 31, 2025
- Delaware, New Hampshire: Mandatory right to cure period expires. Attorneys general have discretion to grant cure period.
- Indiana: Data protection assessment requirements apply to processing activities created or generated after this date.
All of the state-level bills give consumers a Right of Access, Deletion, Portability and Right to Opt-out of Sales, and dictate business obligations around Notices & Transparency.
Most also require covered businesses to conduct risk assessments, limit processing based on purpose, and ensure that they do not discriminate against customers who exercise their privacy rights.