We kicked off 2025 with five state-level data privacy laws going into effect. Last month, we covered new data privacy policies in Nebraska and Iowa. This article covers the other three new data privacy laws that took effect this January. These laws introduce new consumer rights and requirements for companies handling consumer data in Delaware, New Jersey, and New Hampshire. Below is a high-level overview of each and a few notable differences between them.
Delaware Personal Data Privacy Act (DPDPA)
The Delaware Personal Data Privacy Act (DPDPA) was signed into law by Governor John Carney on September 11, 2023, and became effective on January 1, 2025.
Employer obligations
The DPDPA applies to entities that:
- Conduct business in Delaware or offer products or services targeted to Delaware residents; and
- During the preceding calendar year, either:
- Controlled or processed the personal data of at least 35,000 consumers, excluding data processed solely for payment transactions; or
- Controlled or processed the personal data of at least 10,000 consumers, if deriving more than 20% of gross revenue from the sale of personal data.
Consumer rights
Under the DPDPA, consumers have the right to:
- Confirm whether a controller is processing their personal data and accessing their data;
- Correct inaccurate personal data;
- Delete personal data about themselves;
- Obtain a copy of their personal data; and
- Opt out of the processing of personal data for purposes of any of the following:
- Targeted advertising.
- The sale of personal data (except as provided in § 12D-106(b))
- Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
Unique aspects of DPDPA
Nonprofit organizations and educational institutions: Unlike most other state privacy laws, Delaware’s law also applies to nonprofit organizations and educational institutions.
Enforcement: The DPDPA does not provide a private right of action. Enforcement authority is also given to the Delaware Department of Justice (as opposed to the Attorney General of the respective state in many state-level data privacy laws).
- Until December 31, 2025, the Department must issue a violation and allow controllers 60 days to cure the violation if it determines that such violation is eligible.
- Beginning January 1, 2026, the Department may choose, but is not required, to provide an opportunity to cure an alleged violation.
To read more details about the DPDA, the full text of the law can be found here.
New Hampshire Data Privacy Act (NHPA)
Governor Chris Sununu signed the New Hampshire Data Privacy Act (NHPA) into law on March 6, 2024, and it became effective on January 1, 2025.
Employer obligations
The NHPA applies to entities that:
- Conduct business in New Hampshire or offer products or services targeted at New Hampshire residents; and
- During a calendar year, either:
- Control or process the personal data of at least 35,000 unique New Hampshire consumers; or
- Control or process the personal data of at least 10,000 unique New Hampshire consumers and derive more than 25% of gross revenue from the sale of personal data.
- For the first year after the law becomes effective, controllers have a 60-day period to cure alleged violations before enforcement actions proceed.
Consumer rights
Under the NHPA, consumers have the right to:
- Opt out of targeted advertising, the sale of personal data, and certain profiling activities.
Unique aspects of NHPA
New Hampshire’s law has notably specific privacy notice guidelines, requiring controllers to provide consumers with a “reasonably accessible, clear, and meaningful” privacy notice that includes the following information:
- The purpose of processing.
- How consumers may exercise their consumer rights.
- How a consumer may appeal a decision regarding a request.
- Categories of data shared with third parties.
- Categories of third parties with whom data is shared.
- An online mechanism to contact the controller.
- Date the privacy notice was last updated.
“Controllers must also clearly and conspicuously disclose the following:”
- All personal data sales and targeted advertising. RSA 507-H:6, IV.
- How a consumer may opt out of data sales and targeted advertising. RSA 507-H:6, IV.
- A link on the controller’s website to targeted advertising.
More details about employer obligations and consumer rights under NHPA can be found here.
New Jersey Data Protection Act (NJDPA)
The New Jersey Data Protection Act (NJDPA) was signed into law in early 2024 and went into effect on January 15, 2025. The NJDPA includes exemptions in line with most other state data privacy laws, such as for government agencies and information or data covered by other laws, including the federal Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley Act (GLBA).
Employer obligations
The NJDPA applies to businesses that:
- Conduct business in New Jersey or offer products or services to New Jersey residents; and
- During a calendar year, either:
- Control or process the personal data of at least 100,000 consumers, excluding data processed solely for payment transactions; or
- Derive over 50% of gross revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.
Consumer rights
Under the NJDPA, consumers are granted the right to:
- Confirm whether a controller is processing their personal data and accessing that data
- Correct inaccuracies in their personal data
- Obtain a copy of personal data held by the controller in a "portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance"
- Opt out of processing personal data for the purpose of targeted advertising, sale, or profiling.
Unique aspects of NJDPA
Obligations for controllers: NJDPA outlines controller obligations that are more specific and strenuous than some other state-level data privacy laws:
- Limit the collection of personal data to what is “adequate, relevant, and reasonably necessary;”
- Establish, implement, and maintain administrative, technical, and physical data security practices;
- Not process sensitive data, including the data of a known child, without consent.
Highest applicability threshold of the three states, affecting businesses that process data for at least 100,000 consumers or derive over 50% of revenue from data sales.
Enforcement: The law provides a 30-day cure period during which the Attorney General will notify controllers and grant an opportunity to cure (if a cure is deemed possible) prior to bringing an enforcement action. However, this cure period is not permanent and will sunset 18 months after the law takes effect.
For more detailed information about the NJDPA, the full text of the law can be found here.
How consumer data privacy laws relate to employment practices
Seeing five new data privacy laws at the start of the year reinforces a growing trend in consumer data protections and regulations. These laws not only relate to customer data but can also influence how organizations manage candidate information during screening and onboarding processes.
Certain candidate information may be masked, such as returning only the birth year instead of the full date of birth or limiting Social Security Numbers to the last four digits. This could lead to broader searches and delays in screening results, impacting the states with new laws and affecting screening processes for candidates who have lived in the states implementing new data privacy laws.
Staying ahead of evolving privacy laws and regulating how personal data is managed internally helps protect and build trust with employees, candidates, and consumers. Employers should meet with their legal counsel to ensure compliance before acting.
This article is for informational purposes only and does not constitute legal advice. Hiring professionals, HR professionals, and administrators should consult their legal counsel to ensure all actions comply with the law.
