Navigating Changes in Compliance and Data Privacy Regulation: New Policies in 2025
The end of January marks Data Privacy Week. Each year, The National Cybersecurity Alliance takes this week to spread awareness about online privacy for both individuals and organizations. At Bluesource, we understand the need for awareness about consumers’ rights to their data, businesses’ responsibilities when handling personal data, and data privacy regulations.
The European Union’s General Data Protection Regulation (GDPR) is generally viewed as the most comprehensive data privacy regulation. Despite the majority of Americans being in favor of more government regulation when it comes to personal data, there is no comprehensive federal regulation related to consumer data. America’s version of the GDPR, the American Data Privacy and Protection Act (ADPPA), failed to advance beyond the House Committee.
While there is no American Data Privacy and Protection Act, some federal laws, including the Federal Trade Commission Act, the Health Insurance Portability and Accountability Act (HIPAA), and the Children’s Online Privacy Protection Act (COPPA), regulate specific types of data or specific audiences. As consumers’ concerns about their data privacy continually increase, many states have passed specific data privacy regulations to fill the gap.
In 2018, California was the first state to propose and enact a comprehensive consumer data privacy act. Many states have followed suit, enacting new laws or updating previous privacy acts to be more comprehensive. Over half of the states have either enacted, passed, or proposed some version of a data privacy act. This year, eight new laws go into effect. Half a dozen other proposed laws are in various stages of the legislative process. For organizations, remaining compliant with relevant laws is increasingly challenging. Businesses and organizations, especially those in regulated industries, need to be constantly aware of the changing laws and regulations surrounding consumer data.
New State Regulations
Eight states have new data privacy regulations going into effect this year.
- Delaware (January 1)
- Iowa (January 1)
- Nebraska (January 1)
- New Hampshire (January 1)
- New Jersey (January 15)
- Tennessee (July 2025)
- Minnesota (July 2025)
- Maryland (October 2025)
[Map: State Privacy Legislation Tracker, from Bloomberg Law]
These states join eight others in enacting specific data privacy acts. Three more states, Indiana, Kentucky, and Rhode Island, are set to join the list in 2026. Meanwhile, other states have new acts in various stages of legislation. Data privacy regulations often build on existing privacy laws or other regulations.
In New York, the proposed NY Privacy Act expands on rules already in place under the SHIELD Act, which focuses on data breaches. In Washington, the current My Health, My Data Act is limited to electronic health information, and a more inclusive Washington Privacy Act is proposed. Michigan has specific identity theft protection laws in place, but the proposed Personal Data Privacy Act includes more regulations for businesses and more rights for consumers.
The Scope of Data Privacy Laws
One of the main concepts of the Internet is the lack of physical borders and the ability to connect across the globe. This makes determining jurisdiction and the extent of rules and regulations an international challenge. Many data privacy regulations base jurisdiction on the residency or citizenship of consumers, regardless of their physical location.
Data privacy jurisdictions also range in size and scope. Some acts are designed to focus more on “big tech” companies. For example, Florida’s Digital Bill of Rights has a limited scope: it applies only to businesses with an annual global revenue of over $1 billion that also meet other criteria.
Organizations based around the globe are subject to GDPR compliance if they deal with the personal data of European Union (EU) citizens. California’s CCPA is modeled after the GDPR and grants rights to California residents, even if a business is based elsewhere. However, CCPA only applies to for-profit businesses with an annual gross revenue of over $25 million or that meet specific thresholds for the amount of data processed. Even the GDPR has some exemptions for organizations with fewer than 250 employees.
Industry Specifics
Certain industries may be exempt from some general data privacy laws. Highly regulated industries such as healthcare and finance are already subject to HIPAA, the Gramm-Leach-Bliley Act, and the Securities and Exchange Commission’s Rule 17a-4. Colorado specifies additional entities exempt from its privacy act, including airlines, higher education, and public utilities.
Who Enforces Data Privacy Regulations?
State-specific regulations are often overseen and enforced by the state Attorney General. National Data Protection Authorities oversee GDPR enforcement for each member state of the EU. Some agencies or watchdog organizations actively look for compliance violations. However, many compliance violation investigations start with a consumer complaint. Consumers’ awareness of their rights is the foundation for any data privacy regulation.
The Cost of Non-Compliance
Data handling compliance violations result in civil penalties and fines. In the United States, the maximum fine per violation generally ranges between $5,000 and $10,000, with additional fines for secondary violations. Violations of the Colorado Privacy Act can cost organizations anywhere from $2,000 all the way to $20,000. These fines are minimal compared to the maximum fines for GDPR violations: €10 million (nearly $10.3 million) or 2% of the company’s worldwide annual revenue for lesser infractions, and up to €20 million ($20.5 million) or 4% of worldwide annual revenue for major violations.
Failure to comply with any applicable regulations leaves organizations at risk for major fines. A $1.2 billion fine issued by the Irish Data Protection Commission to Meta is the highest GDPR fine to date. California handed Sephora a $1.2 million fine for violations of the California Consumer Privacy Act. During the first six months of Connecticut’s Consumer Data Privacy Act, the Office of the Attorney General received 30 complaints and issued six violations.
Navigating Compliance
Navigating the patchwork of data regulations in the United States and around the globe is challenging for any organization. Figuring out what applies to your business requires knowledge of comprehensive regulations, industry-specific regulations, and any overlap among the various consumer privacy, protection, and data regulations. New data processing regulations in various stages of legislation, along with new or amended regulations taking effect each year, put organizations at greater risk of failing to comply.
Bluesource recognizes the complexities of managing data and information while meeting regulatory demands and compliance. The Bluesource team of compliance experts offers compliance assessments to ensure organizations are ready to meet regulatory deadlines and maintain the necessary levels of compliance. Having on-demand compliance experts gives your team more time to focus on business growth rather than the challenge of maintaining compliance and navigating regulations.