Are You Prepared for the New Wave of State Data Privacy Laws?
Here’s a scenario you never want to experience: Your thriving small business suffers a data breach, exposing hundreds of customer records. Suddenly, you’re fielding inquiries from multiple state attorneys general, each with unique regulations.
Unfortunately for small and medium businesses (SMBs), the U.S. lacks a comprehensive federal privacy law, so states like California, Delaware, Iowa, and others have introduced legislation unique to their state. Even if your business doesn’t operate a brick-and-mortar location in these states, you may still be subject to their rules if you serve state residents remotely. This complex situation can leave businesses scrambling to comply.
In short, the rules for data privacy have become much more complicated. If a breach investigation finds that you did not adequately protect your data, the fines and penalties can be significantly higher than for a business that took reasonable measures but was still breached.
Disclaimer: This article was not written by attorneys and should not be considered legal advice. Please consult appropriate legal counsel for a complete and accurate assessment of your obligations and risks relative to your own business.
Why SMBs Should Take Notice
Data privacy might not be the top priority for many entrepreneurs and smaller organizations, especially when juggling tight budgets, hiring, and day-to-day operations. Yet, overlooking these new state data privacy laws can be costly. Non-compliance can disrupt business activities and erode consumer trust, especially when data breaches make headline news and carry substantial financial consequences in the range of $7,500 to $10,000 per incident. A recent Forbes article lists the amounts for each state.
SMBs that once considered themselves too small or niche to be noticed by regulators can now face significant risks if they remain noncompliant with the rules governing their data practices when they do business with residents of one of these states.
Which State Privacy Laws Do You Need To Comply With?
Unfortunately, you risk exposure to each state’s regulations if you have customers in any of these states. The good news is that the states use thresholds that define when an SMB must comply. The following table lists all eight new 2025 laws and two existing laws, in California and Nevada.
State | Effective Date | Jurisdiction | Thresholds |
Delaware (DPDPA) | 01/01/2025 | Businesses operating in Delaware or targeting Delaware consumers | 35,000 DE residents or 10,000 DE residents if sales exceed 20% of revenue |
Iowa (ICDPA) | 01/01/2025 | Businesses operating in Iowa or targeting Iowa consumers | 100,000 IA residents or 25,000 IA residents if sales exceed 50% of revenue |
Nebraska (NDPA) | 01/01/2025 | Businesses operating in Nebraska or targeting Nebraska consumers | All businesses, excluding small businesses |
New Hampshire (NHDPA) | 01/01/2025 | Businesses operating in New Hampshire or targeting NH consumers | 35,000 NH residents or 10,000 NH residents if sales exceed 25% of revenue |
New Jersey (NJDPA) | 01/15/2025 | Businesses operating in New Jersey or targeting NJ consumers | 100,000 NJ residents or 25,000 NJ residents if sales include data sales |
Tennessee (TIPA) | 07/01/2025 | Businesses operating in Tennessee or targeting TN consumers | $25M annual revenue, 175,000 TN residents, or if sales exceed 50% of revenue |
Minnesota (MCDPA) | 07/31/2025 | Businesses operating in Minnesota or targeting MN consumers | 100,000 MN residents or 25,000 MN residents if sales exceed 25% of revenue |
Maryland (MODPA) | 10/01/2025 | Businesses operating in Maryland or targeting MD residents online | 35,000 MD residents or 10,000 MD residents if sales exceed 25% of revenue |
California (CPRA/CCPA) | In effect | Businesses operating in California or targeting CA consumers | Annual gross revenue equals or exceeds $25 million, buys/sells/shares personal data of 100,000+ California residents, households, or devices, or derives 50% of annual revenue from selling CA residents’ data. |
Nevada (SB 220) | In effect | Businesses operating in Nevada or targeting NV consumers | Requires operators of commercial websites or online services to allow consumers to opt out of data sales. There is no specific volume/revenue threshold akin to CCPA, but operators must post a privacy notice and provide a method for consumers to request that the sale of their data be halted. |
Identifying the Data You Handle

One of the first steps to clarifying your compliance obligations is understanding which types of data you collect. Although definitions vary by state, regulators commonly include:
- Personally Identifiable Information (PII): Names, email addresses, phone numbers, mailing addresses and other information related to identifying an individual.
- Financial and Account Information: Credit card details, bank account numbers, billing records, and related information.
- Online Identifiers: IP addresses, cookie data, browsing history, and device or advertising IDs.
- Health Data: Medical, biometric or health-related records and information.
Even if you believe your data collection is minimal, any information that can be tied back to a specific individual is potentially subject to these new regulations. Taking a moment to map out your data inventory, including where it comes from, how you store it, and when you delete it, can reveal surprising insights into how broad your collection practices actually are.
Key Obligations Under New State Data Privacy Laws
Each state’s data privacy law prescribes slightly different obligations, but there are common themes that apply to most businesses handling personal information:
- Consumer Rights: Plan to provide easy-to-use processes for customers to view, correct, or delete their personal information.
- Consent and Disclosure: Ensure customers consent to the collection of sensitive data and clearly state how you handle and share their information.
- Security Requirements: Expect to implement reasonable safeguards like encryption and multi-factor authentication to protect personal data against breaches.
- Opt-Out Mechanisms: Many states mandate that businesses provide customers with an easy way to opt out of data sales or targeted advertising.
Failing to comply with these obligations can lead to enforcement actions by state attorneys general or private lawsuits, which can damage SMBs with limited resources.
Practical Steps to Mitigate Risks
An organized approach to data privacy can help your business avoid pitfalls presented by these new state data privacy laws. Such an approach must include these steps:
- Conduct an inventory of data collected and how they are stored
- Review and update data security policies
- Train your employees in data management best practices
- Monitor regulatory changes
- Update your website so as not to collect private data without consent
- Post your privacy notices on your website
Building Consumer Trust and Protecting Your Reputation

Ultimately, investing in data privacy isn’t just about avoiding penalties. It’s also an opportunity to demonstrate your commitment to safeguarding customer information. Consumers increasingly favor businesses that take privacy seriously, and a strong compliance track record can set you apart from competitors.
Staying informed, documenting your data flows, implementing robust security measures, and consulting with the right experts can help you meet (and exceed) emerging regulatory standards. By taking these steps, your organization will be better positioned to handle state-specific data privacy laws while showcasing a genuine respect for consumer privacy.
Add the WebCompliancePro Professionals to Your Team
Even for larger SMBs, navigating these state-specific requirements can be tricky. Each law comes with its own nuances and potential pitfalls. If you’re uncertain about the thresholds for compliance or struggling with internal resources to meet data handling obligations, consider partnering with a dedicated privacy expert.
That’s where WebCompliancePro comes in. We specialize in helping SMBs like yours comply with new state data privacy laws. We offer tailored solutions that address your current risks and future compliance needs. By taking a proactive stance, you’ll reduce the likelihood of fines and lawsuits while maintaining the trust of your client base. In other words, Let Someone Else Be The Target™.
Complete our online contact form and start today because most of these new state data privacy laws are already in effect.