States across the U.S. are rapidly rolling out their own data privacy laws, creating a complex patchwork of requirements that now affect more than 43% of the population.

In this week’s feature of the VENZA Echo, we’re exploring the new U.S. data privacy laws set to take effect in 2025, highlighting their applicability and scope for hoteliers.

Overview

In the past decade, the United States has seen significant movement on data privacy law at the state level. Typically, each law contains a “grace period”—a time between when the law is enacted and when it enters into force (also known as becoming “effective” or “binding”).

In 2025, eight U.S. state laws that have previously been enacted will enter into force. In light of this change, now is an important time to review their scope and mandates and prepare for compliance.

Commonalities & Differences

Each of the eight privacy laws introduces distinct compliance requirements and challenges for hoteliers managing personal data.

Despite their differences, these laws uniformly emphasize the necessity for clear privacy notices, user-friendly opt-out mechanisms, and robust security measures to safeguard guest information.

Additionally, each contains size thresholds that determine the law’s scope, such as the number of consumers whose data is processed or the proportion of a business’s revenue derived from data sales.

Penalties for non-compliance are substantial, ranging from $7,500 to $25,000 per violation, which underscores the critical importance for hoteliers to implement comprehensive data privacy strategies to mitigate risks.

Laws to Watch

1. Delaware Personal Data Privacy Act (DPDPA)

Effective Date: 1 January 2025

About: Grants consumers rights to access, delete, and correct personal data. Imposes obligations on businesses to obtain consent for processing sensitive data and mandates transparency in data practices.

Scope: Applies to entities conducting business in Delaware or targeting Delaware residents. Covers businesses processing data of at least 35,000 consumers, or 10,000 consumers if deriving over 20% of gross revenue from selling personal data.

2. Iowa Consumer Data Protection Act

Effective Date: 1 January 2025

About: Provides consumers with rights to access, obtain copies of, and delete personal data. Requires businesses to implement data security measures and offer clear privacy notices.

Scope: Applicable to businesses operating in Iowa or targeting Iowa residents. Pertains to entities processing data of at least 100,000 consumers, or 25,000 consumers if 50% or more of revenue is from selling personal data.

3. Nebraska Data Privacy Act (NDPA)

Effective Date: 1 January 2025

About: Establishes consumer rights including universal opt-out mechanisms, and rights to know, access, and delete data. Imposes obligations on businesses to provide privacy notices and conduct data protection assessments.

Scope: Applies to businesses operating in Nebraska or processing data of Nebraska residents. Notably, there are no minimum revenue thresholds, but the law exempts small businesses as defined under the Small Business Act.

4. New Hampshire Consumer Data Privacy Act (NHCDPA)

Effective Date: 1 January 2025

About: Grants consumers rights to access, correct, delete, and transfer personal data. Requires businesses to allow opt-outs from data collection, conduct data protection assessments, and provide privacy notices.

Scope: Targets businesses operating in New Hampshire or processing data of New Hampshire residents. Applies to entities processing data of at least 35,000 residents, or 10,000 residents if deriving over 25% of gross revenue from selling personal data.

5. New Jersey Data Privacy Law (NJDPL)

Effective Date: 15 January 2025

About: Provides consumers with rights to opt out, correct, and delete personal data. Mandates businesses to offer clear privacy notices and maintain security practices.

Scope: Applicable to businesses operating in New Jersey or processing data of New Jersey residents. Covers entities processing data of at least 100,000 residents, or 25,000 residents if deriving revenue from selling personal data. Notably, there is no minimum revenue requirement.

6. Tennessee Information Protection Act (TIPA)

Effective Date: 1 July 2025

About: Grants consumers rights to confirm data collection, access, correct, and delete personal data. Imposes obligations on businesses to implement purpose limitations, data security standards, and obtain express consumer consent for processing personal data.

Scope: Applies to businesses operating in Tennessee or targeting Tennessee consumers. Pertains to entities with revenue above $25 million and processing data of at least 175,000 Tennessee consumers, or 25,000 consumers if deriving over 50% of revenue from selling personal data.

7. Minnesota Consumer Data Privacy Act (MCDPA)

Effective Date: 31 July 2025

About: Provides consumers with rights to know, access, delete, and correct personal data. Requires businesses to offer privacy notices, opt-out mechanisms, and conduct data protection assessments.

Scope: Targets businesses operating in Minnesota or processing data of Minnesota residents. Applies to entities processing data of at least 100,000 customers, or 25,000 customers if deriving over 25% of revenue from selling personal data. Exempts small businesses as defined under the Small Business Act.

8. Maryland Online Data Privacy Act (MODPA)

Effective Date: 1 October 2025

About: Establishes consumer rights including universal opt-out mechanisms, and rights to know, access, and delete data. Imposes data minimization requirements and prohibits the sale of sensitive data, data activities targeted at minors, and discrimination.

Scope: Applies to businesses operating in Maryland or processing data of Maryland residents. Covers entities processing data of at least 35,000 consumers, or 10,000 consumers if deriving over 20% of gross revenue from selling personal data.

Moving Forward

As data privacy laws expand, hoteliers must stay informed and adapt.

The eight U.S. state laws taking effect in 2025 reinforce consumer protections, transparency, and security. Compliance may be complex, but understanding these regulations and implementing strong data privacy measures is key to reducing legal risks and maintaining guest trust.

Feeling overwhelmed? Don’t be. As a leader in hospitality data protection, VENZA provides vendor security assessments and privacy management solutions to help hoteliers navigate the evolving global regulatory landscape.

Ready to get started? Contact Sales to discuss signing up for our programs or adding new solutions to your contract.

***

Take VENZA’s free Phishing Test to assess gaps in your human firewall today!

Training your personnel to recognize and report phishing attempts is essential to protecting your guests and their data. Get started by determining your risk and readiness level using this free tool.

***

Want to stay informed? Subscribe to the free VENZA Echo now. You’ll receive a monthly digest with the highlights of our weekly article series and important product updates and news from VENZA.