A new year means new effective dates for state privacy legislation. On January 1, 2025, consumer privacy protection laws took effect in four states: Delaware, Iowa, Nebraska, and New Hampshire.

These four states join another 16 that have comprehensive data privacy laws in place. Although there are similarities in the approaches of these 20 states, each law carries unique provisions that companies must navigate in building a data governance program. This blog is intended to give a high-level overview of 2025’s newest consumer privacy laws.

Delaware Personal Data Privacy Act

Delaware’s privacy law, the Delaware Personal Data Privacy Act (DPDPA), is similar in many respects to the California Consumer Privacy Act (CCPA) and other state-level privacy laws. Key features of the DPDPA include:

  • Consumer Rights: Delaware residents will gain the right to access, correct, delete, and opt out of the sale of their personal data. The law also includes provisions for data portability and restrictions on the use of sensitive data without consumer consent. The DPDPA also allows consumers to obtain a list of the categories of third parties to which the controller disclosed that specific consumer’s personal data.
  • Scope and Applicability: The DPDPA applies to persons who conduct business in Delaware or produce products or services targeted to Delaware residents and who, during the preceding calendar year, either (a) controlled or processed the personal data of at least 35,000 Delaware residents (excluding personal data used solely for the purpose of completing a payment transaction); or (b) controlled or processed the personal data of at least 10,000 Delaware residents and derived more than 20 percent of gross revenue from personal data sales. Organizations should note that the DPDPA applies to most nonprofit organizations, and no HIPAA entity-level exemptions exist. Instead, the DPDPA contains limited exemptions for specific types of health data, including protected health information (PHI).
  • Data Minimization and Security: Businesses will be required to minimize the data they collect and ensure reasonable data security practices. The law also mandates that businesses notify consumers of any data breaches affecting their personal information.
  • Enforcement and Penalties: The law will be enforced exclusively by the Delaware Department of Justice, with penalties for non-compliance. However, businesses will be given a 60-day cure period to address violations before enforcement actions are initiated. No private right of action is afforded under the DPDPA, but any violation of the DPDPA is a per se violation of Delaware’s Consumer Fraud Act.

Iowa Act Relating to Consumer Data Protection

Iowa’s Act Relating to Consumer Data Protection (ICDP), largely modeled after the Virginia Consumer Data Protection Act (VCDPA) and the Utah Consumer Privacy Act (UCPA), establishes several consumer privacy rights and corresponding responsibilities for businesses. Key features of Iowa’s law include:

  • Consumer Rights: Iowa residents will have the right to access, delete, and opt out of the sale of their personal data. Additionally, consumers will be able to opt out of targeted advertising, the sale of data, and the use of their information for automated decision-making. However, unlike the VCDPA, consumers do not have a right to opt out of profiling. Unlike some state privacy laws, the ICDP does not require consumers to opt in to the processing of sensitive data, and it does not provide any right to correct inaccurate information.
  • Scope and Applicability: The ICDP applies to persons conducting business in Iowa or providing products or services targeted to Iowa consumers that either (a) control or process the personal data of at least 100,000 Iowa consumers, or (b) derive over 50% of revenue from selling the personal data of at least 25,000 Iowa consumers. Unlike many state consumer privacy laws, the ICDP does not include a minimum annual revenue threshold. Accordingly, some small businesses that would not otherwise be regulated in many states should evaluate their data collection practices to determine whether the ICDP applies. Notably, the ICDP has an employee and job applicant exemption. Nonprofits, higher education institutions, financial institutions, and covered entities under HIPAA are exempt.
  • Service Provider Agreements: Businesses are required to enter into contracts with service providers that set out the instructions and obligations for each party around data processing. Businesses may request that service providers delete or return personal data.
  • Enforcement and Penalties: Enforcement will be handled solely by the Iowa Attorney General’s office. The Iowa AG may issue fines of up to $7,500 per violation, and the law does not distinguish between unintentional and intentional violations. Before the Iowa AG can initiate an action against a business for violations of the ICDP, it must first provide the business with written notice of the purported violation and 90 days to cure.

Nebraska Data Privacy Act

Nebraska’s Data Privacy Act (NDPA) is one of the broader-reaching consumer privacy statutes in that it will apply to most organizations doing business in Nebraska. Key features include:

  • Consumer Rights: Nebraska residents will be granted rights to confirm whether an organization is processing personal data and access that personal data, correct inaccuracies, delete personal data, obtain a copy of their personal data, and opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
  • Scope and Applicability: Much like the Texas Data Privacy and Security Act, the NDPA does not contain a revenue threshold or a minimum number of consumers whose personal data is processed or sold. Instead, the NDPA applies to any organization that (a) conducts business in Nebraska or produces a product or service consumed by residents of Nebraska; (b) processes or sells personal data; and (c) is not a small business as determined under the US Small Business Act (unless the organization engages in the sale of sensitive data without receiving prior consent from the consumer). Although the NDPA has a wide scope, it does exempt state and city government agencies, financial institutions, nonprofit organizations, and covered entities and business associates under HIPAA.
  • Service Provider Agreements: Like ICDP, NDPA requires businesses to enter into contracts with service providers that will be responsible for handling Nebraska consumer personal data. Such contracts must identify clear instructions for processing personal data, the nature and purpose of processing, the type of data subject whose personal data will be processed, the duration of processing, and each party’s rights and obligations with respect to that personal data.
  • Enforcement: The Nebraska Office of the Attorney General has exclusive authority to enforce violations, but businesses are afforded a 30-day cure period before an action may commence. If the Nebraska AG brings a civil action for violations, courts may impose civil penalties of up to $7,500 per violation.

New Hampshire Privacy Act

New Hampshire will also join the ranks of states introducing comprehensive privacy laws with the New Hampshire Privacy Act (NHPA). Key features of the NHPA include:

  • Consumer Rights: Like residents of the other states, New Hampshire residents will have rights to access, delete, and correct their personal data. The law also provides a right to opt out of the sale of personal data and the use of data for targeted advertising.
  • Scope and Applicability: The law applies to businesses that either conduct business in New Hampshire or provide products or services targeted to New Hampshire residents, and that also, within a one-year period, either (a) control or process the personal data of at least 35,000 unique New Hampshire consumers, or (b) control or process the personal data of at least 10,000 unique New Hampshire consumers and derive more than 25% of gross revenue from the sale of personal data. Like many states, the NHPA exempts state and municipal government agencies, financial institutions, nonprofit organizations, higher education institutions, and HIPAA covered entities and business associates.
  • Data Protection Impact Assessments: The NHPA requires companies to conduct a data protection impact assessment (DPIA) on the processing of personal data created or generated on or after July 1, 2024 that presents a heightened risk of harm to consumers, such as targeted advertising, processing sensitive data, selling personal data, or processing for profiling where such profiling creates a reasonably foreseeable risk of harm. Although DPIAs need not be submitted prior to processing, the New Hampshire Attorney General has the right to review any DPIA for compliance with the NHPA.
  • Enforcement: The law will be enforced by the New Hampshire Attorney General’s office. For 2025, businesses will have a 60-day period to cure alleged violations before an enforcement action may proceed; however, beginning January 1, 2026, businesses will be permitted to cure only at the discretion of the New Hampshire AG. Violations of the NHPA constitute violations of New Hampshire’s Regulation of Business Practices for Consumer Protection, for which civil fines can amount to $10,000 per violation.

Key Takeaways for Businesses

The passage of these state privacy laws reflects the ongoing trend toward stronger consumer data protections across the U.S. Organizations conducting business in Delaware, Iowa, Nebraska, and New Hampshire need to understand the specific requirements of each law, as non-compliance could result in costly penalties and adverse impacts on reputation.

Businesses should consider the following action items to strengthen data governance practices in any states with an enacted consumer privacy law:

  • Update Privacy Policies: Ensure that privacy policies reflect the new rights granted to consumers, including data access, deletion, and opt-out rights.
  • Implement Consumer Request Mechanisms: Establish processes for handling consumer requests related to data access, deletion, correction, and opt-out.
  • Conduct Data Protection Assessments: Prepare for mandatory assessments by evaluating high-risk data processing activities and ensuring compliance with the law’s transparency and security requirements.
  • Data Security and Minimization: Adopt reasonable security practices to safeguard consumer data and minimize the amount of data collected to what is strictly necessary for business purposes.

Taft will continue to monitor developments in this area and will provide updates here and on all our Taft platforms. As always, seek qualified legal counsel whenever making determinations about your company’s legal or compliance obligations. Taft’s Privacy and Data Security Practice (PDS) stands ready to assist you with a risk-based, common-sense approach to your data governance needs. Stay tuned to Privacy and Data Security Insights for more content and updates like this one.