Upcoming Privacy Laws And Enforcement In 2025
As we approach 2025, the landscape of digital governance is set to undergo significant transformations. New regulations and enforcement measures are coming, so businesses and individuals will have to adapt. This article explores the key changes expected in the compliance sector and what they mean for tech companies.
Key Takeaways
US Privacy Laws Surge: 2025 will see six new U.S. states (Delaware, Iowa, Nebraska, New Hampshire, Minnesota, and Maryland) implementing comprehensive privacy laws, demonstrating a significant shift toward stronger consumer data protection at the state level.
EU’s Major Digital Reforms: The European Union is rolling out new frameworks and guidelines – creating a more robust framework for data governance, security, and user rights.
Business Compliance Evolution: Companies will need to adapt to multiple new requirements across jurisdictions, with a particular focus on consumer data rights, children’s privacy protection, and cybersecurity measures.
Upcoming Privacy Laws and Enforcement – United States
Several state-level privacy laws will come into effect in 2025:
Delaware Personal Data Privacy Act (DPDPA)
Effective date: January 1, 2025
The Delaware Personal Data Privacy Act will introduce stronger privacy rights for consumers, including:
Enhanced protections for children’s data.
Clear consent requirements for data processing.
The right for consumers to access and delete their data.
Iowa SF262
Effective date: January 1, 2025
Iowa Governor Kim Reynolds signed Senate File 262 (“Iowa Data Privacy Law”) into law on March 28, 2023, which will take effect on January 1, 2025.
By passing this law, Iowa joins California, Utah, Colorado, Connecticut and Virginia as states with their own consumer privacy laws.
The Iowa Data Privacy Law is similar to (though somewhat more limited than) the Virginia Consumer Data Protection Act (“VCDPA”) and Colorado Privacy Act (“CPA”).
Businesses that are already compliant with other state privacy laws should have little difficulty adapting to the Iowa Data Privacy Law.
Nebraska Data Privacy Act
Effective date: January 1, 2025
Nebraska became the seventeenth state in the United States to pass a consumer privacy bill.
Governor Pillen signed the Nebraska Data Privacy Act (NDPA) into law on April 17, 2024.
New Hampshire SB 255
Effective date: January 1, 2025
On March 6, 2024, New Hampshire Governor Chris Sununu signed Senate Bill 255 (SB255) into law.
The Act introduces a range of privacy rights for consumers, as well as significant requirements for organizations to comply with, including purpose limitations, consent for sensitive data, and data security.
Minnesota Consumer Data Privacy Act
Effective date: July 31, 2025
On May 24, 2024, Minnesota Governor Tim Walz signed into law the nation’s 19th comprehensive data privacy law.
This law is similar to other US state data privacy laws, such as those of Washington, New Hampshire, and Maryland.
The Minnesota Act has several unique features, including an exemption for small businesses and a right for consumers to question profiling decisions.
Maryland Online Data Privacy Act
Effective date: October 1, 2025
On May 9, 2024, Maryland Governor Wes Moore signed into law Senate Bill 541 (the “Maryland Online Data Privacy Act”) making Maryland the eighteenth state to adopt comprehensive data privacy legislation in the United States.
The Maryland Office of the Attorney General (Consumer Protection Division) will have exclusive enforcement authority.
There is no private right of action available under this Act.
Upcoming Privacy Laws and Enforcement – The European Union
- EU Data Act Implementation
The EU Data Act, adopted in January 2024, has staggered effects: some provisions take effect in September 2024, while others take effect in September 2025. The Data Act is a comprehensive initiative to address the challenges and unleash the opportunities presented by data in the European Union, emphasising fair access and user rights, while ensuring the protection of personal data. The Data Act clarifies who can create value from data and under which conditions.
- NIS2 (Network and Information Systems) Directive Implementation
The European Union’s NIS2 Directive, which aims to enhance cybersecurity across the EU, is expected to be fully implemented by member states in early 2025. Specifically:
Germany’s NIS2 Implementation Act is anticipated to enter into force during Q1 2025.
The Act will extend obligations to implement cybersecurity measures and report cyber-attacks to a broader range of companies across various sectors.
Approximately 29,500 companies in Germany are expected to be in scope of these new requirements.
- Digital Services Act (DSA) Guidelines
The Digital Services Act is an EU regulation adopted in 2022 that addresses illegal content, transparent advertising and disinformation.
The European Commission is currently drafting guidelines on Art. 28(1) of the Digital Services Act (DSA) to ensure robust implementation and enforcement of the DSA for children’s rights as well as clear and concrete guidelines for companies and regulators on maintaining a high level of privacy, safety, and security for children.
The timeline is as follows:
A draft of the guidelines is expected to be submitted for public consultation in early 2025.
The guidelines are anticipated to become effective in Q2 2025.
Conclusion
The year 2025 will mark a significant expansion in privacy law implementation across the United States and European Union. In the U.S., several states including Delaware, Iowa, Nebraska, New Hampshire, Minnesota, and Maryland will enact comprehensive consumer data privacy laws, each with its own requirements for data protection, consumer rights, and business compliance. Meanwhile, the EU will continue implementing major digital regulations, including the full rollout of the EU Data Act, the NIS2 Directive for enhanced cybersecurity, and new Digital Services Act (DSA) guidelines focused on children’s rights. These regulations collectively strengthen consumer privacy rights, enhance data protection requirements for businesses, and establish clear frameworks for data governance and cybersecurity across jurisdictions.