Eight New U.S. State Privacy Laws in 2025: Compliance Challenges and Strategic Shifts


The U.S. privacy landscape changes substantially in 2025 as eight comprehensive state privacy laws take effect: Delaware, Iowa, Nebraska and New Hampshire on January 1, New Jersey on January 15, Tennessee on July 1, Minnesota on July 31, and Maryland on October 1. These laws import GDPR-style concepts such as data minimization, data protection assessments for high-risk processing (including profiling), and heightened protections for minors and sensitive data. Below, we analyze the three most consequential of them for multi-state programs, Maryland's MODPA, New Jersey's NJDPA, and Tennessee's TIPA, and outline actionable strategies for multi-state compliance.


1. Maryland Online Data Protection Act (MODPA)

Effective Date: October 1, 2025 (the Act does not apply to processing activities before April 1, 2026, so enforcement effectively begins on that date)

Key Requirements

  1. Data Minimization:
    • Collection is limited to what is “reasonably necessary and proportionate” to provide or maintain the specific product or service the consumer requested, regardless of consent.
    • Sensitive data (e.g., health, biometric, genetic, precise geolocation) may be processed only when “strictly necessary” for the requested product or service, and the sale of sensitive data is prohibited outright.
  2. Youth Protections:
    • Bans targeted advertising and the sale of personal data for consumers under 18 if the controller “knew or should have known” the consumer’s age.
    • The Act does not mandate age verification, but the “should have known” standard pushes platforms likely to attract minors toward age-assurance measures so they can apply the prohibition.
  3. Risk Assessments:
    • Requires a data protection assessment for each processing activity that presents a heightened risk of harm, including profiling used in decisions with legal or similarly significant effects (employment, housing, credit, insurance, healthcare) and any processing of sensitive data. Assessments must be produced to the Attorney General on request.
  4. Penalties: Up to $10,000 per violation ($25,000 for repeat violations) under the Maryland Consumer Protection Act.

Scope:

  • Applies to controllers that, in the preceding calendar year, processed personal data of 35,000+ Maryland consumers (excluding data processed solely to complete a payment transaction), or of 10,000+ consumers while deriving more than 20% of gross revenue from the sale of personal data.

2. New Jersey Data Privacy Act (NJDPA)

Effective Date: January 15, 2025 (a 30-day cure period applies until July 15, 2026; it is a right to cure, not an enforcement moratorium)

Key Requirements

  1. Expanded Sensitive Data:
    • In addition to the usual categories (race/ethnicity, religion, health, sexual orientation, genetic and biometric data, precise geolocation, data of a known child), NJDPA covers citizenship or immigration status, status as transgender or non-binary, and financial information such as account or card numbers combined with access credentials.
    • Requires explicit opt-in consent before processing sensitive data.
  2. Opt-Out Rights:
    • Consumers can opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions with legal or similarly significant effects.
    • Controllers must honor a universal opt-out mechanism such as Global Privacy Control (GPC) for targeted advertising and sale no later than July 15, 2025 (six months after the effective date).
    • Known consumers aged 13 to 16 may not be subjected to targeted advertising, sale, or profiling without opt-in consent.
  3. Transparency:
    • Privacy notices must describe the categories of personal data processed, the purposes, the categories of third parties with which data is shared, how consumers exercise their rights, and whether data is sold or used for targeted advertising or profiling.

Scope:

  • Applies to controllers that process personal data of 100,000+ New Jersey consumers (excluding payment-transaction data), or of 25,000+ consumers while deriving revenue, or receiving a discount on goods or services, from the sale of personal data. Unlike most other states, NJDPA sets no revenue percentage on the second prong.

Penalties: Enforced under the New Jersey Consumer Fraud Act, which allows up to $10,000 for a first violation and $20,000 for each subsequent violation. There is no private right of action.


3. Tennessee Information Protection Act (TIPA)

Effective Date: July 1, 2025

Key Requirements

  1. Revenue Threshold:
    • Applies only to businesses exceeding $25M in annual revenue that also meet the consumer-volume threshold below; both conditions must be satisfied.
  2. Affirmative Defense:
    • A controller or processor that maintains a written privacy program reasonably conforming to the NIST Privacy Framework (or a comparable documented framework) has an affirmative defense to an alleged violation.
  3. Cure Period:
    • 60 days to cure a violation after notice from the Attorney General before civil penalties of up to $7,500 per violation; treble damages are available for knowing or willful violations.

Scope:

  • Processes personal data of 175,000+ Tennessee consumers, or of 25,000+ consumers while deriving more than 50% of gross revenue from the sale of personal data (in addition to the $25M revenue floor).

Comparative Analysis

Aspect            | Maryland (MODPA)                          | New Jersey (NJDPA)                               | Tennessee (TIPA)
Threshold         | 35K consumers (or 10K + >20% revenue from sales) | 100K consumers (or 25K + any revenue/discount from sales) | $25M revenue AND 175K consumers (or 25K + >50% revenue from sales)
Sensitive Data    | Health, biometric, genetic; sale banned   | Adds immigration/citizenship status, transgender or non-binary status, financial account data | Virginia-style categories; consent required for processing
Youth Protections | No targeted ads or sale under 18 (“knew or should have known”) | Opt-in required for known 13–16 year olds         | Known child’s data handled per COPPA; no ad-specific rule
Penalties         | $10K per violation; $25K repeat           | $10K first; $20K subsequent                      | $7.5K per violation; treble for willful
Cure Period       | 60 days, until April 1, 2027              | 30 days, until July 15, 2026                     | 60 days, no sunset

Compliance Strategies for Multi-State Operations

  1. Unified Data Mapping:
    • Use a data-inventory tool (OneTrust, for example) to record, per data element, the product or service it supports, so you can defend Maryland’s “reasonably necessary and proportionate” standard and flag New Jersey’s expanded sensitive categories for opt-in consent.
  2. Algorithmic Governance:
    • Conduct data protection assessments, including bias testing, for AI/ML models that drive decisions in hiring, credit, housing, insurance, or healthcare; Maryland and New Jersey both require assessments for this kind of profiling.
  3. Consent Management Platforms (CMPs):
    • Deploy CMPs that recognize the GPC signal (required for NJDPA opt-outs from July 15, 2025) and that can apply age-based rules: no targeted ads or sale for under-18s in Maryland, opt-in for known 13–16 year olds in New Jersey.
  4. Vendor Contracts:
    • Require processors to comply with the strictest applicable rule set, including Maryland’s sensitive-data sale ban and minimization duties, and flow down the deletion, audit, and sub-processor obligations each statute imposes.
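The CMP and opt-out strategies above depend on correctly reading the Global Privacy Control signal and layering each state’s age rule on top of it. The following is an added illustration written for this article, not code from the article’s sources or from any CMP vendor. The header name `Sec-GPC`, its only valid value `1`, and the `/.well-known/gpc.json` declaration come from the GPC specification; the preference record, the `consent_on_record` flag, and the state codes are assumptions made for the example.

```python
"""Server-side handling of a Global Privacy Control (GPC) opt-out signal.

Added example for this article (not from its sources). Per the GPC spec a
browser sends the request header ``Sec-GPC: 1`` and exposes
``navigator.globalPrivacyControl``; a site advertises that it honours the
signal at ``/.well-known/gpc.json``. Everything else here (the preference
record shape, state codes, the consent flag) is an assumption for illustration.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

GPC_HEADER = "sec-gpc"  # header names are case-insensitive in HTTP


@dataclass
class OptOutPreferences:
    sale: bool = False
    targeted_advertising: bool = False
    profiling: bool = False   # not carried by GPC; only set by an explicit request
    source: str = "none"      # "gpc" or "request", for audit trail


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when Sec-GPC is present with the value exactly '1'.

    The spec defines no other opt-out value, so '0', 'true' or an empty
    value must not be treated as an opt-out.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def apply_gpc(headers: Mapping[str, str],
              stored: Optional[OptOutPreferences] = None) -> OptOutPreferences:
    """Merge the GPC signal into the consumer's stored preferences.

    GPC covers sale and targeted advertising (the universal opt-out scope
    in NJDPA). It only ever turns opt-outs on: a request without the header
    must not re-enable sale or ads that the consumer opted out of earlier.
    """
    prefs = stored or OptOutPreferences()
    if gpc_signal_present(headers):
        prefs.sale = True
        prefs.targeted_advertising = True
        prefs.source = "gpc"
    return prefs


def may_serve_targeted_ad(prefs: OptOutPreferences,
                          consumer_age: Optional[int],
                          state: str,
                          consent_on_record: bool = False) -> bool:
    """Decide whether a targeted ad may be served after GPC and age rules.

    - Any opt-out (GPC or explicit) wins outright.
    - MD: no targeted ads to a consumer known (or reasonably knowable) to be under 18.
    - NJ: known 13-16 year olds need opt-in; under-13s need parental consent
      (COPPA), so both are modelled as 'under 17 requires consent on record'.
    - Other states in this example fall back to the opt-out check alone.
    Unknown age (None) is treated as adult; a real deployment should also
    feed age-estimation signals into ``consumer_age`` to meet the MD standard.
    """
    if prefs.targeted_advertising:
        return False
    if state == "MD" and consumer_age is not None and consumer_age < 18:
        return False
    if state == "NJ" and consumer_age is not None and consumer_age < 17:
        return consent_on_record
    return True


def gpc_well_known_body(last_update: str) -> dict:
    """Body for /.well-known/gpc.json declaring that this site honours GPC."""
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    # Constructed sample request headers, as a browser with GPC enabled would send.
    sample_headers = {"Host": "shop.example", "Sec-GPC": "1"}
    prefs = apply_gpc(sample_headers)
    print(prefs)
    print("MD, age 17:", may_serve_targeted_ad(OptOutPreferences(), 17, "MD"))
    print("NJ, age 15, consent:", may_serve_targeted_ad(OptOutPreferences(), 15, "NJ", True))
```

Two design points matter in practice: the header check is strict (only `1` counts), because a permissive parser that treats any value as an opt-out will silently suppress ads for users who never asked, while one that accepts `true` diverges from what browsers actually send; and GPC never clears a stored opt-out, so a consumer who opted out explicitly on one device stays opted out when they return from a browser without GPC.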

Key 2025 Trends

  1. GDPR Convergence:
    • Most of the 2025 laws carry a data minimization obligation echoing GDPR Article 5(1)(c); Maryland goes furthest by tying collection to the specific product or service requested rather than to the purposes disclosed in a privacy notice.
  2. Sensitive Data Expansion:
    • States now protect immigration and citizenship status (NJ), genetic data (MD and others), and other non-traditional categories, each triggering opt-in consent or, in Maryland, a ban on sale.
  3. Enforcement Surge:
    • State Attorneys General are coordinating investigations across jurisdictions, and the shrinking or sunsetting cure periods (New Jersey in July 2026, Maryland in April 2027) leave less room to fix violations after a notice arrives.

Comparing U.S. State Privacy Laws (MODPA, NJDPA, TIPA) to GDPR: Enforcement and Penalties

The surge in U.S. state privacy laws reflects growing alignment with GDPR principles such as data minimization and transparency, but enforcement mechanisms and penalties differ significantly. Below, we compare Maryland’s MODPA, New Jersey’s NJDPA, Tennessee’s TIPA, and the EU’s GDPR across key dimensions.

1. Enforcement Authorities

U.S. State Laws

  • Maryland (MODPA): Enforced by the Attorney General’s Consumer Protection Division.
  • New Jersey (NJDPA): Enforced by the Attorney General through the Division of Consumer Affairs, which also has rulemaking authority.
  • Tennessee (TIPA): Enforced exclusively by the Tennessee Attorney General.

GDPR: Enforced by independent Data Protection Authorities (DPAs) in each of the 27 EU member states (plus the EEA states), coordinated through the lead-authority and consistency mechanisms of the European Data Protection Board.

2. Penalty Structures

Law   | Maximum Penalty                              | Key Criteria
MODPA | $10,000 per violation; $25,000 for repeats   | Maryland Consumer Protection Act penalties, weighed by severity, entity size, and risk of public harm
NJDPA | $10,000 first violation; $20,000 subsequent  | Tied to the New Jersey Consumer Fraud Act
TIPA  | $7,500 per violation                         | Civil penalties for uncured violations; treble damages for knowing or willful violations
GDPR  | €20M or 4% of global annual turnover         | Whichever is higher; applies to infringements such as unlawful transfers or violating core processing principles (a lower tier of €10M or 2% covers security and record-keeping failures)

Example: Meta’s 2023 GDPR fine for unlawful EU–U.S. data transfers totaled €1.2B. State penalties are far smaller per violation (MODPA tops out at $25,000 for a repeat violation), but because they are assessed per violation, and each affected consumer can count as a separate violation, totals can still be material.

3. Cure Periods

  • MODPA: 60-day cure period at the Attorney General’s discretion, available until April 1, 2027.
  • NJDPA: 30-day cure period, expiring July 15, 2026.
  • TIPA: 60-day cure period with no sunset clause.
  • GDPR: No statutory cure period, though DPAs must consider remediation and cooperation when setting fines (Article 83(2)).

4. Private Right of Action

  • U.S. States: None of the three laws creates a private right of action; all enforcement is by the state Attorney General.
  • GDPR: Individuals may lodge complaints with a DPA (Article 77), seek a judicial remedy against a controller or processor (Article 79), and claim compensation for material or non-material damage (Article 82), so private enforcement is available alongside regulatory action.

5. Scope and Extraterritorial Reach

  • State Laws: Apply to businesses that conduct business in the state or target its residents and meet the statutory thresholds (e.g., MODPA: 35K+ consumers; TIPA: $25M+ revenue plus 175K+ consumers).
  • GDPR: Applies to any establishment in the EU and, under Article 3(2), to entities anywhere that offer goods or services to, or monitor the behavior of, individuals in the EU.

Key Differences

  1. GDPR Influence: MODPA’s data minimization and NJDPA’s broad sensitive-data definitions mirror GDPR principles.
  2. Lower Penalties: State penalties (at most $25K per violation) are modest next to GDPR’s revenue-based fines (e.g., Meta’s €1.2B fine), though per-violation counting narrows the gap for large-scale violations.
  3. Cure Periods: U.S. states offer structured remediation windows, several of them sunsetting; GDPR leaves remediation credit to DPA discretion.

Conclusion

While MODPA, NJDPA, and TIPA adopt GDPR-like accountability frameworks, their enforcement is less punitive and more localized. GDPR’s global reach and steep penalties (up to 4% of revenue) create higher stakes for multinational firms. Businesses must prioritize:

  • State Compliance: Implement consent and preference management tooling (e.g., OneTrust) that honors GPC, applies age-based rules, and tracks DSAR deadlines per state.
  • GDPR Alignment: Conduct cross-border transfer audits, update Standard Contractual Clauses (SCCs), and complete transfer impact assessments for EU personal data.


Maryland’s strict minimization, New Jersey’s broad sensitive-data rules, and Tennessee’s revenue threshold create a fragmented but GDPR-aligned landscape. Businesses should prioritize a centralized compliance framework built to the strictest applicable standard, automate DSAR responses, and assess high-risk profiling before deployment. With per-violation penalties reaching $10K–$25K and multi-state enforcement coordination rising, proactive adaptation is the cheapest option.

Key Takeaways:

  1. Update data inventories to meet Maryland’s “reasonably necessary and proportionate” standard before October 1, 2025 (enforcement from April 1, 2026).
  2. Honor GPC as a universal opt-out for NJDPA by July 15, 2025.
  3. Preserve TIPA’s affirmative defense by maintaining a written privacy program that reasonably conforms to the NIST Privacy Framework.

(Citations: Maryland MODPA[7][16], New Jersey NJDPA[5][26], Tennessee TIPA[33][36])

Citations:
[2] https://www.willkie.com/publications/2024/05/maryland-enacts-one-of-the-strictest-privacy-laws-in-the-nation
[3] https://www.koleyjessen.com/insights/publications/minnesota-maryland-and-rhode-island-pass-data-privacy-laws-nineteen-states-will-soon-have-comprehensive-privacy-legislation
[4] https://www.bakerdonelson.com/maryland-enacts-comprehensive-consumer-privacy-legislation-what-you-need-to-know
[5] https://termly.io/resources/articles/new-jersey-data-privacy-act/
[6] https://ogletree.com/insights-resources/blog-posts/frequently-asked-questions-about-the-new-jersey-data-protection-act-effective-january-15-2025/
[7] https://www.dlapiper.com/en/insights/publications/2024/07/us-maryland-online-data-privacy-act-summary-and-comparative-analysis
[8] https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20240521-maryland-and-nebraska-adopt-comprehensive-privacy-laws
[9] https://termly.io/resources/articles/maryland-online-data-protection-act/
[10] https://www.dwt.com/blogs/privacy--security-law-blog/2024/05/maryland-online-data-privacy-act-signed
[11] https://www.cyberlawmonitor.com/2024/08/26/marylands-new-approach-to-data-minimization-creates-unique-compliance-issues/
[12] https://www.mwe.com/insights/maryland-joins-growing-ranks-and-passes-its-own-consumer-data-privacy-law/
[13] https://www.ketch.com/regulatory-compliance/maryland-online-data-privacy-act-modpa
[14] https://www.thompsonhine.com/insights/maryland-poised-to-enact-privacy-law-sets-new-standard-for-targeted-advertising/
[15] https://transcend.io/blog/maryland-data-privacy-law
[16] https://www.hunton.com/privacy-and-information-security-law/maryland-legislature-passes-state-privacy-bill-with-robust-requirements-and-broad-threshold-for-application
[17] https://usercentrics.com/knowledge-hub/maryland-online-data-privacy-act-modpa/
[18] https://www.fisherphillips.com/en/news-insights/maryland-rigid-data-privacy-law-october-2025-effective-date.html
[19] https://www.cookieyes.com/blog/maryland-online-data-privacy-act-modpa/
[20] https://www.osano.com/articles/maryland-online-data-privacy-act-modpa
[21] https://bigid.com/blog/maryland-online-data-privacy-act-modpa/
[22] https://www.osano.com/articles/new-jersey-data-privacy-act-njdpa
[23] https://www.gtlaw.com/en/insights/2025/1/2025-new-jersey-employment-law-updates
[24] https://clym.io/regulations/the-new-jersey-data-privacy-act-njdpa
[25] https://www.njconsumeraffairs.gov/ocp/Pages/NJ-Data-Privacy-Law-FAQ.aspx
[26] https://www.akingump.com/en/insights/alerts/new-jersey-data-protection-act-what-businesses-need-to-know
[27] https://www.dataguidance.com/opinion/new-jersey-data-protection-act-heres-what-you-need
[28] https://www.jdsupra.com/legalnews/garden-state-are-you-ready-for-the-nj-3919125/
[29] https://www.dataguidance.com/news/new-jersey-new-jersey-data-protection-act-enters-force
[30] https://redcloveradvisors.com/by-regulation/new-jersey-data-privacy-act-njdpa/
[31] https://ktslaw.com/en/insights/alert/2024/12/five new state privacy laws effective january 2025
[32] https://www.vensure.com/employment-law-updates/tennessee/reminder-the-tennessee-information-protection-act-tipa-effective-july-1-2025/
[33] https://www.dataguidance.com/jurisdictions/tennessee
[34] https://secureprivacy.ai/blog/tennessee-information-protection-act-compliance-checklist
[35] https://www.ketch.com/blog/posts/us-privacy-laws-2025
[36] https://bigid.com/blog/8-state-privacy-laws-going-into-effect-in-2025/
[37] https://www.didomi.io/blog/tennessee-data-privacy-law
[38] https://www.osano.com/articles/tennessee-information-protection-act-tipa
[39] https://www.forbes.com/sites/alonzomartinez/2024/12/19/is-your-business-ready-for-2025-state-privacy-regulations/
[40] https://transcend.io/blog/tennessee-information-protection-act
[41] https://natlawreview.com/article/wait-theres-more
[42] https://www.sheppardmullin.com/media/publication/2259_Law360_-_5_Privacy_Law_Trends_That_Will_Continue_In_2025.pdf
[43] https://www.dataguidance.com/opinion/usa-state-privacy-laws-entering-effect-2025
[44] https://www.osano.com/us-data-privacy-laws
[45] https://www.multistate.us/insider/2025/2/4/major-legislative-trends-in-the-technology-and-privacy-space
[46] https://pandectes.io/blog/key-us-data-privacy-laws-to-watch-in-2025/
[47] https://cmitsolutions.com/westchester-ny-1180/blog/data-privacy-laws-2025-smb-compliance/
[48] https://www.mofo.com/resources/insights/250107-privacy-data-security-predictions
[49] https://www.dlapiperdataprotection.com/?t=law&c=US
[50] https://usercentrics.com/knowledge-hub/american-data-privacy-and-protection-act-adppa/
[51] https://pro.bloomberglaw.com/insights/privacy/consumer-data-privacy-laws/
[52] https://www.cliffordchance.com/insights/resources/blogs/talking-tech/en/articles/2024/02/the-new-jersey-data-privacy-law-an-overview.html
[53] https://www.datagrail.io/blog/data-privacy/what-you-need-to-know-about-new-jerseys-new-data-privacy-law/
[54] https://www.bsk.com/news-events-videos/employment-and-data-privacy-law-updates-for-2025-in-new-jersey
[55] https://www.cookieyes.com/blog/new-jersey-data-privacy-act-njdpa/
[56] https://usercentrics.com/knowledge-hub/new-jersey-data-privacy-act-njdpa/
[57] https://ogletree.com/insights-resources/blog-posts/new-jersey-joins-data-privacy-party-new-jersey-data-protection-act-becomes-effective-in-january-2025/
[58] https://www.cookieyes.com/blog/tennessee-information-protection-act-tipa/
[59] https://termly.io/resources/articles/tennessee-information-protection-act/
[60] https://cookie-script.com/privacy-laws/tennessee-information-protection-act
[61] https://www.upguard.com/blog/what-is-tipa
[62] https://www.onetrust.com/blog/tennessee-passes-information-protection-act/
[63] https://www.akingump.com/en/insights/blogs/ag-data-dive/tennessee-information-protection-act-what-businesses-need-to-know
[64] https://www.dwt.com/blogs/privacy--security-law-blog/2023/05/tennessee-information-protection-data-privacy
[65] https://usercentrics.com/knowledge-hub/tennessee-information-protection-act-tipa/
[66] https://www.csis.org/analysis/modernizing-us-commercial-privacy-standards-digital-economy
[67] https://www.fieldfisher.com/en/insights/gdpr-vs-u-s-state-privacy-laws-how-do-they-measure
[68] https://www.globalprivacywatch.com/2025/01/a-new-year-and-new-compliance-requirements-additional-state-privacy-laws-take-effect-in-2025/
[69] https://www.wiley.law/alert-10-Key-Privacy-Developments-and-Trends-to-Watch-in-2025
[70] https://www.osano.com/articles/data-privacy-laws
[71] https://www.jacksonlewis.com/insights/year-ahead-2025-tech-talk-ai-regulations-data-privacy
[72] https://www.whitecase.com/insight-alert/2025-state-privacy-laws-what-businesses-need-know-compliance


By Compliance Hub