Five New State Privacy Laws Take Effect Today: Your 2025 Compliance Checklist

Jillian Bommarito

First, the obvious question: do five new state privacy laws make the compliance problem five times worse?

Not exactly. They make it five times more annoying, which is worse in the way that matters.

The January 2025 privacy wave is now here. Delaware, Iowa, Nebraska, New Hampshire, and New Jersey all belong in the same sentence now, which is a polite way of saying the patchwork is becoming a quilt. Not a tasteful quilt, either. The kind your aunt makes when she has strong opinions and a lot of leftover fabric.

The laws are not identical. They never are. But they do share a family resemblance: notice obligations, consumer rights, opt-outs, consent for sensitive data, processor contracts, security controls, and a growing intolerance for companies that say, “We’ll just handle that later.”

Later is now.

What Actually Changed

If you are already running a GDPR or CCPA program, that is a head start. It is not a finish line.

These January laws generally require some combination of the following:

  • A clear and meaningful privacy notice
  • A process for access, correction, deletion, and portability
  • An opt-out for targeted advertising and sale of personal data
  • Extra handling for sensitive data
  • Data protection assessments for higher-risk processing
  • Processor terms that actually say something useful
  • Reasonable security controls, not the compliance equivalent of a shrug

The details differ enough to matter. For example, Delaware’s statute applies to businesses that process data of at least 35,000 consumers, or 10,000 consumers if they derive more than 20% of gross revenue from the sale of personal data. Iowa’s law uses a different applicability test: 100,000 consumers, or 25,000 consumers if more than half of revenue comes from selling personal data. New Hampshire and New Jersey each bring their own threshold logic and their own flavor of consumer rights.

That is the point. A single “state privacy” program is usually not enough. You need a program that can actually tell the difference between states. Novel concept, I know.

The Compliance Checklist

If you have to choose where to spend time this week, start here.

1. Map your applicability by state, not by vibe

The first mistake is assuming the law only matters if you are “big.”

That is how companies end up discovering, too late, that the threshold was not the threshold they thought it was. Delaware is a good example: it is not only for giant national platforms. Iowa is not either. Nebraska is broad in a different way, because it applies to businesses operating in the state or producing products or services targeted to Nebraska residents, subject to exemptions. New Hampshire has its own consumer-count threshold. New Jersey is not a place to wing it.

If you sell into multiple states, build a simple matrix:

  • Where do we have residents’ data?
  • Which state laws apply?
  • Which rights are in scope?
  • Which exemptions actually fit?
  • Which controls are already live, and which are wishful thinking?

That last question is usually the one people forget to ask.
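As an added example (not code from the original post or its author), here is one way to make that matrix executable rather than a spreadsheet nobody updates. It encodes only the two applicability tests the post actually quotes, Delaware (35,000 consumers, or 10,000 with more than 20% of revenue from selling personal data) and Iowa (100,000, or 25,000 with more than half), and deliberately marks Nebraska, New Hampshire and New Jersey as needing review rather than guessing their thresholds. The required-controls list is the post's own general list, and every consumer count and revenue share in the sample data is constructed for illustration.

```python
"""Per-state applicability matrix built from the thresholds the post quotes.

Added example, not part of the original post. Only Delaware and Iowa are
encoded numerically, because those are the two states whose thresholds the
post states; Nebraska, New Hampshire and New Jersey are left as NEEDS_REVIEW
rather than guessed. All figures in SAMPLE_FOOTPRINT are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threshold:
    consumers: int             # general test: at least this many consumers
    sale_consumers: int        # lower count that applies when data-sale revenue is high
    sale_revenue_share: float  # "more than" this share of gross revenue from selling personal data


# Thresholds quoted in the post. None means the post gives no number, so none is guessed.
THRESHOLDS: dict[str, Optional[Threshold]] = {
    "DE": Threshold(consumers=35_000, sale_consumers=10_000, sale_revenue_share=0.20),
    "IA": Threshold(consumers=100_000, sale_consumers=25_000, sale_revenue_share=0.50),
    "NE": None,
    "NH": None,
    "NJ": None,
}

# The post's general list of what these laws tend to require, used as the
# control inventory for the "already live vs. wishful thinking" question.
REQUIRED_CONTROLS = frozenset({
    "privacy_notice",
    "consumer_rights_process",
    "opt_out_targeted_ads_and_sale",
    "sensitive_data_handling",
    "data_protection_assessments",
    "processor_contracts",
    "reasonable_security",
})


@dataclass(frozen=True)
class Footprint:
    consumers: int             # residents of this state whose data we process
    sale_revenue_share: float  # share of gross revenue from sale of personal data (0.0 to 1.0)


def applicability(state: str, fp: Footprint) -> tuple[str, str]:
    """Return (verdict, reason) for one state.

    verdict is APPLIES, NOT_MET or NEEDS_REVIEW. The revenue test is strict
    ("more than"), matching the post's wording.
    """
    t = THRESHOLDS.get(state)
    if t is None:
        return ("NEEDS_REVIEW", "threshold not encoded here; confirm against the statute")
    if fp.consumers >= t.consumers:
        return ("APPLIES", f"{fp.consumers:,} consumers >= {t.consumers:,}")
    if fp.consumers >= t.sale_consumers and fp.sale_revenue_share > t.sale_revenue_share:
        return ("APPLIES",
                f"{fp.consumers:,} consumers >= {t.sale_consumers:,} and "
                f"{fp.sale_revenue_share:.0%} of revenue from data sales > {t.sale_revenue_share:.0%}")
    return ("NOT_MET", "below both the general and the data-sale thresholds")


def control_gaps(live_controls: set[str]) -> frozenset[str]:
    """Controls from the post's general list that are not live yet."""
    return REQUIRED_CONTROLS - frozenset(live_controls)


def build_matrix(footprints: dict[str, Footprint]) -> dict[str, dict[str, str]]:
    """One row per state with the applicability verdict and the reason for it."""
    rows: dict[str, dict[str, str]] = {}
    for state, fp in footprints.items():
        verdict, reason = applicability(state, fp)
        rows[state] = {"verdict": verdict, "reason": reason}
    return rows


# Constructed sample data (not real figures).
SAMPLE_FOOTPRINT = {
    "DE": Footprint(consumers=12_000, sale_revenue_share=0.25),  # only the data-sale branch triggers
    "IA": Footprint(consumers=30_000, sale_revenue_share=0.50),  # exactly half: "more than" is not met
    "NE": Footprint(consumers=80_000, sale_revenue_share=0.0),
    "NH": Footprint(consumers=5_000, sale_revenue_share=0.0),
    "NJ": Footprint(consumers=200_000, sale_revenue_share=0.10),
}
SAMPLE_LIVE_CONTROLS = {"privacy_notice", "consumer_rights_process", "reasonable_security"}

if __name__ == "__main__":
    for state, row in build_matrix(SAMPLE_FOOTPRINT).items():
        print(f"{state}: {row['verdict']:<12} {row['reason']}")
    print("control gaps:", ", ".join(sorted(control_gaps(SAMPLE_LIVE_CONTROLS))))
```

Two design choices worth keeping when you adapt this: a state with no encoded threshold is reported as NEEDS_REVIEW instead of silently passing, and the revenue comparison is strict because the post says "more than", so a company at exactly 20% or exactly half does not trip the lower count.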

2. Separate sale, targeted advertising, and profiling

This is where programs get sloppy.

The laws are not using those words as decorative synonyms. They are distinct concepts, and the differences drive the control requirements. Delaware, Nebraska, New Hampshire, and New Jersey all treat profiling as a live issue in some form. Iowa is narrower. If your internal workflow collapses all three into one generic “marketing opt-out,” you are building a future incident report.

The practical move is to tag data uses into three buckets:

  • Targeted advertising
  • Sale of personal data
  • Profiling / automated decision-making

Then build one routing path per bucket. It is boring. Boring is good. Boring is cheaper than a regulator’s letter.

3. Make your privacy notice match reality

A privacy notice is not a marketing brochure. It is a public statement of your data practices, and public statements have this irritating habit of being used against you.

Your notice should actually reflect:

  • Categories of data collected
  • Purposes of processing
  • Categories of third parties
  • How consumers can exercise rights
  • How appeals work
  • How to contact the company
  • Whether data is sold or used for targeted advertising

If your notice says one thing and your product does another, the notice is not the problem. The product is.

4. Fix the DSAR workflow before it breaks under pressure

Requests will come in. A lot of them. Some will be valid. Some will be garbage. Some will be from people who hit “reply all” to the wrong email chain and now want their data deleted because the universe is chaotic.

You need a workflow that can handle:

  • Intake and identity verification
  • Jurisdiction checks
  • Deadline tracking
  • Appeal handling
  • Escalation for edge cases
  • Logging and evidence retention

If you already have GDPR and CCPA request handling, reuse the machinery. Do not rebuild it from scratch because one state uses a slightly different response period. That way lies despair and a very expensive spreadsheet.

5. Treat sensitive data like it is actually sensitive

A lot of organizations still behave as though “sensitive data” means “credit card numbers and maybe Social Security numbers if we are feeling traditional.”

These laws are broader. Health information, precise geolocation, child data, biometric data, sexual orientation, citizenship or immigration status, and other categories can all trigger additional obligations.

That means your technical controls need to keep up:

  • Data classification
  • Consent capture where required
  • Access restrictions
  • Retention limits
  • Deletion logic
  • Vendor restrictions

Privacy, security, and compliance stop being three separate meetings here and start being one operating model.

6. Review vendor contracts now

Processors do not get to freeload on your compliance program.

Your vendor agreements should cover:

  • Documented instructions
  • Confidentiality
  • Security measures
  • Subprocessor controls
  • Assistance with consumer rights requests
  • Deletion or return of data
  • Audit or compliance support where appropriate

If your contracts still read like they were assembled during a caffeinated Friday in 2017, that needs attention. The laws are moving. Your paper needs to move too.

The Ugly Truth

Most companies do not have a privacy problem. They have a governance problem.

The data map is incomplete. The marketing team bought a tool without telling legal. The product team added a new profiling feature. The security team wrote a policy. The privacy team wrote another one. Nobody agreed on what “sale” means, and now everyone is staring at the same request queue wondering why compliance suddenly feels like air traffic control.

This is exactly why multi-state privacy compliance cannot be a one-off legal memo. It needs operating discipline.

For most teams, that means getting the basics in order:

  • Multi-state privacy compliance program
  • GDPR / CCPA alignment
  • Data flow and vendor mapping
  • Assessment templates for higher-risk processing
  • Board-ready governance language
  • Practical training for the people actually touching the data

That is also where firms with deep privacy, security, and compliance experience earn their keep. The work is not glamorous. It is not supposed to be. The goal is to make sure your program survives contact with the real world.

Bottom Line

Five new state privacy laws are not the end of the patchwork. They are the patchwork.

The companies that do well in 2025 will not be the ones with the prettiest policy page. They will be the ones that can answer, quickly and accurately:

  • What data do we have?
  • Why do we have it?
  • Who gets it?
  • What rights apply?
  • What happens when a consumer exercises them?
  • And can we prove it?

If the answer is “sort of,” you are not compliant. You are just optimistic.
