New 2025 Privacy Laws for E-Commerce
If you thought keeping up with California's CCPA, CALOPPA, and other privacy laws was challenging enough, brace yourself. Eight more states are rolling out comprehensive privacy laws in 2025, creating a minefield for e-commerce businesses.
These new laws layer on top of an increasingly complex web of existing state privacy laws. California has been setting the standard since 2020. Virginia, Colorado, Connecticut, and Utah, among others, have had their own requirements over the past few years. With eight more states joining the fray in 2025, e-commerce companies face a patchwork of overlapping, sometimes conflicting requirements that can turn routine business operations into compliance nightmares.
The question for e-commerce companies is how quickly you can get compliant before enforcement kicks in. With effective dates ranging from January 1 to October 1, 2025, the clock is already ticking.
The New Privacy Law Landscape: Eight States, Eight Headaches
Combined with existing state privacy laws, e-commerce companies now face potential compliance obligations in over a dozen states, each with unique thresholds, consumer rights, and enforcement approaches. What started as a California-centric compliance challenge has evolved into a nationwide regulatory maze that requires careful navigation.
If you have customers in any of these eight states, these privacy laws likely apply to your business regardless of where you're headquartered. Each state sets different thresholds based on revenue, data volume, or both; they range from no minimum requirements in Nebraska to processing data for 175,000+ consumers in Tennessee. Even so, compliance is always recommended just in case. Many companies discover they meet threshold requirements during audits or legal reviews, often after it's too late to avoid potential penalties. State privacy law thresholds vary dramatically, with some requiring no minimum consumer counts, others demanding specific revenue percentages from data sales, and most falling somewhere between processing data for 10,000 to 175,000 state residents annually. Rather than trying to calculate precise compliance obligations for each jurisdiction, most e-commerce companies find it more efficient to implement comprehensive privacy practices that satisfy the most stringent requirements across all applicable states.
What Every E-Commerce Company Must Address
Despite their differences, these state privacy laws share core requirements that create consistent compliance challenges:
Privacy Notice Overhauls
Your current privacy policy may be insufficient. These new laws require clear explanations of what data you collect, how it's used, who it's shared with, and how customers can opt out. Opt-out links must be easily accessible and tailored to each state's standards. Better yet, we recommend simply being compliant with the most exacting state's requirements to avoid managing multiple versions.
Respecting Consumer Choices
Many laws require businesses to honor browser-based privacy signals that communicate opt-out preferences. This affects data sales, targeted advertising, and profiling activities. Many e-commerce platforms and tools may need to be adjusted.
Response Systems for Consumer Rights
Each law establishes rights to access, correct, delete, and transfer personal data. E-commerce companies must develop reliable systems that process these requests within 30 to 60 days, depending on the state. Most require 30-45 days, with some like New Hampshire allowing 60 days for appeals.
State-by-State Breakdown
Maryland Online Data Privacy Act (MODPA) - Effective October 1, 2025
Maryland takes the prize for strictest requirements. The law applies to businesses controlling or processing personal data for 35,000+ Maryland residents, or 100,000+ residents while deriving 20%+ of revenue from data sales. Notably, MODPA has no monetary threshold, making it applicable to smaller e-commerce operations.
Here, data collection must be "reasonably necessary and proportionate" for providing specific products or services, and explicit consumer consent is required for processing beyond this narrow scope. Universal opt-out mechanisms (like Global Privacy Controls) are mandatory by the effective date, and data protection assessments are required for high-risk processing activities. Finally, vendor contracts must ensure processors meet strict confidentiality and security requirements.
Minnesota Consumer Data Privacy Act (MCDPA) - Effective July 31, 2025
Minnesota follows the consumer rights model but includes specific small business protections. It applies to businesses controlling or processing personal data for 100,000+ Minnesota consumers annually, or deriving 25%+ of gross revenue from data sales while processing data for 25,000+ consumers.
As in Maryland, universal opt-out mechanisms are mandatory, and businesses must honor Global Privacy Controls and similar browser settings. Privacy policies are required in all operating languages, with accessibility compliance for individuals with disabilities. Additionally, clear, specific consent is required for sensitive data processing, including data from known children. There is, thankfully, a 30-day response time for consumer requests. But the cure period sunsets January 31, 2026. Finally, even exempt small businesses cannot sell sensitive personal data without consent.
Tennessee Information Protection Act (TIPA) - Effective July 1, 2025
Tennessee offers a unique compliance approach with its NIST Privacy Framework affirmative defense. The law applies to businesses with $25+ million annual revenue that control or process personal data for 175,000+ Tennessee consumers annually, or 25,000+ consumers while deriving 50%+ of revenue from data sales.
In Tennessee, a NIST Privacy Framework implementation provides potential affirmative defense protection. The law sets time frames for requests: 45-day response times for opt-out requests and 60-day consumer appeal periods for denied requests. There is a 60-day cure period for Tennessee Attorney General enforcement.
New Jersey Data Privacy Act (NJDPA) - Effective January 15, 2025
New Jersey expands beyond consumer data to include workforce data, affecting businesses with employees or job seekers. It applies to businesses processing personal data for 100,000+ New Jersey residents, or 25,000+ residents while deriving revenue from selling personal data.
This law has a relatively short cure period, so quick compliance is called for when potential violations are identified. The application of Consumer Fraud Act penalties adds enforcement teeth. Finally, it should be noted that the revenue threshold includes discounts received from data sales, not just direct revenue.
New Hampshire Data Privacy Law (NHDPA) - Effective January 1, 2025
New Hampshire provides strong consumer protections with a two-step process for data requests and appeals. It applies to businesses processing personal data for 35,000+ New Hampshire residents, or 10,000+ residents while earning 25%+ of revenue from selling personal data.
Here, the substantial per-violation penalty of $10,000 calls for compliance. Luckily, there is a two-step appeals process with 60-day business response requirements. During 2025, there is a grace period with a 60-day cure period. As in other states, universal opt-out requirements for browser-based privacy signals are in place.
Nebraska Data Privacy Act (NDPA) - Effective January 1, 2025
Nebraska's approach puts consumers in control without revenue thresholds or minimum consumer counts. It applies to any business operating in Nebraska or serving its residents, unless classified as a small business under federal law. This new law has the broadest applicability. Most e-commerce businesses serving Nebraska customers must comply.
That said, its permanent 30-day cure period provides ongoing opportunities to fix violations. Browser-based opt-out controls are mandatory for data sales and targeted advertising. Federal small business classification provides the only exemption.
Iowa Consumer Data Protection Act (ICDPA) - Effective January 1, 2025
Iowa's ICDPA is lighter on regulations but still enforces key compliance rules. It applies to businesses processing data for 100,000+ Iowa residents, or 25,000+ residents while earning 50%+ of revenue from data sales.
The penalty is $7,500 per violation. Opt-out is less about complexity and more focused on accessibility. There is an emphasis on clear privacy notices, and third-party processor contract review is called for.
Delaware Personal Data Privacy Act (DPDPA) - Effective January 1, 2025
Delaware enforces strict compliance with significant penalties. The law applies to companies processing personal data for 35,000+ residents, or deriving 20%+ of annual revenue from selling data of at least 10,000 consumers.
Again, the penalties are heavy: $10,000 per violation. But there is a 45-day response period. As in the other states, a global privacy control is necessary.
Navigating the Multi-State Compliance Challenge
The complexity of managing compliance across multiple state privacy laws cannot be overstated. Each jurisdiction brings different effective dates, enforcement approaches, penalty structures, and consumer rights frameworks. What works for California's CPRA may not satisfy Maryland's MODPA requirements. Virginia's approach to sensitive data differs from Minnesota's standards.
The choice is an unenviable one: either develop state-specific compliance programs or implement a “lowest common denominator” approach in which the strictest requirement among the states is applied. The latter is likely more cost effective, but less business friendly otherwise.
What you should do
E-commerce companies should immediately audit their current data practices, update privacy policies to meet the most stringent state requirements, implement universal opt-out mechanisms, and establish consumer request workflows. Most importantly, businesses need reliable legal and compliance partners who understand the evolving regulatory landscape and can help navigate the practical implementation challenges of multi-state privacy law compliance.
For assistance with privacy law compliance planning and implementation, contact e-commerce attorney Jonathan Phillips at Phillips & Bathke, P.C. at jlap@pb-iplaw.com or 309-834-2296. We help e-commerce companies navigate complex regulatory requirements.