Compliance Roundup: A Closer Look at State Data Privacy Laws in 2025

Eight states have enacted new data privacy laws this year with more going into effect in early 2026. While most of these laws are framed as protecting consumers, many definitions of personal data are broad enough to include employee and job applicant information.  

Most of the laws have a similar framework that applies to for-profit entities meeting specific thresholds related to revenue or volume of personal data processed. These requirements can vary, and some state laws include additional regulations or exemptions HR departments will need to consider. 

Here is a deeper look at each state’s data privacy laws that went into effect in 2025 and some notable provisions that make them unique.  

  • Delaware – The Delaware Personal Data Privacy Act took effect on January 1, 2025, and stands out for its low applicability threshold and inclusion of small and mid-size organizations that would be exempt in other states. The law also imposes heightened protections for sensitive data categories such as health, biometric, and children’s information. 
  • Iowa – The Iowa Consumer Data Protection Act also became effective on January 1, 2025. Its framework is less restrictive than most others, omitting data-protection assessment requirements and allowing broad exemptions for nonprofits and institutions of higher education. However, it still requires companies to provide transparency around data processing and to maintain reasonable security safeguards. The law also introduces a 90-day cure period for businesses to correct potential violations before enforcement actions begin. 
  • Nebraska – The Nebraska Data Privacy Act went into effect on January 1, 2025. It’s considered the broadest of these laws since it applies to nearly all businesses operating within the state, regardless of revenue or data-volume thresholds. Unlike other states, Nebraska also aligns its enforcement with the Federal Trade Commission’s deceptive practices standard.  
  • New Hampshire – The last law that took effect on January 1 this year was the New Hampshire Consumer Data Privacy Act. It closely mirrors other states’ frameworks but adds more stringent definitions for sensitive data. Another key difference from other states is that enforcement rests solely with the state attorney general, with no private right of action, providing businesses with more predictability in enforcement. 
  • New Jersey – The New Jersey Data Privacy Act became law on January 15, 2025. It introduced additional restrictions on processing sensitive data and required data-protection assessments for higher-risk activities.  
  • Tennessee – The Tennessee Information Protection Act took effect on July 1, 2025. It introduces an “affirmative defense” provision, allowing companies to demonstrate compliance through documented privacy programs aligned with the National Institute of Standards and Technology (NIST) framework. 
  • Minnesota – The Minnesota Consumer Data Privacy Act became effective on July 15, 2025, and places a strong emphasis on consumer transparency and informed consent. It requires data holders to disclose retention periods for personal data and to delete information once its purpose has been fulfilled. The state law also expands protections to prohibit discrimination against individuals who exercise their privacy rights. 
  • Maryland – The Maryland Online Data Privacy Act recently took effect on October 1, 2025, with enforcement scheduled to begin on April 1, 2026. It is ranked among the strictest new laws, requiring algorithmic-impact assessments and imposing limits on data retention and targeted advertising. It also introduces heightened requirements for data minimization, obligating organizations to collect only the information necessary for their stated purposes. 

Three additional states — Indiana, Kentucky, and Rhode Island — have enacted privacy laws recently that will go into effect on January 1, 2026. 

  • Indiana – The Indiana Consumer Data Protection Act (ICDPA) imposes relatively high applicability thresholds and is one of the few laws that excludes employee-context data from its definition of consumer. It also provides a 30-day cure period for violations to be fixed and places strong emphasis on transparency in privacy notices.
  • Kentucky – The Kentucky Consumer Data Protection Act (KCDPA) emphasizes consumer consent and data-minimization principles and requires controllers to perform data-protection assessments for high-risk processing. The law includes strong exemptions for government entities, financial institutions under GLBA, and healthcare organizations governed by HIPAA, reducing overlapping regulatory burdens.
  • Rhode Island – Rhode Island’s Data Transparency and Privacy Protection Act distinguishes itself from similar laws by having broader data-access and correction rights, as well as a lower applicability threshold to include small and mid-sized organizations. Something else that makes it unique is that it requires disclosure of third parties to whom personal data may be sold or shared. Unlike other states, Rhode Island’s law does not include a universal opt-out mechanism or a broad data-minimization requirement.

Moving Forward 

As data becomes increasingly intertwined with every stage of the employee lifecycle, HR’s role in shaping ethical data practices will only expand. The next phase for HR teams involves embedding privacy considerations into the everyday workforce strategy. 

A practical starting point is to map where and how workforce data is collected, stored, and shared across platforms. Then you can align those practices with both current and anticipated regulations. Since many of these laws consider HR software platforms and apps to be third-party vendors, it’s also important to evaluate your organization’s programs to ensure they align with new regulations. 

Establishing clear frameworks for privacy governance now will help your teams streamline compliance across multiple states and ensure continuity as more regulations emerge. 

Sources: Compliance Hub, White Case