Mine's Regulation Station: Your Guide to Keeping Up With Privacy Regulations

Mine Staff
Apr 7, 2025

Data privacy regulation is so dynamic, it’s easy for compliance teams to become overwhelmed and discouraged. But staying informed is crucial for businesses looking to proactively adjust their privacy strategies and avoid penalties. To help you stay on top of it all, Mine is introducing Regulation Station, our quarterly update highlighting important changes in data privacy regulations. Some of these laws have already taken effect, while others are scheduled to do so later this year. 

Here’s what you need to know:

FTC Children's Online Privacy Protection Rule (COPPA)
Effective: January 2025
These new COPPA amendments enhance protections for children’s personal data online, particularly for those under the age of 13. The new rules from the FTC include opt-in consent for targeted ads, limited data retention, a broader definition of the term “Personal Information” to cover biometric data, and more.

FCC Robocalls & Robotexts TCPA Rules
Effective: Since January 2025
The Federal Communications Commission is tightening its rules with the introduction of the Telephone Consumer Protection Act (TCPA), which focuses on robocalls and robotexts. Under these new requirements, businesses must obtain individual written consent before contacting consumers using these channels.

Delaware Personal Data Privacy Act (DPDPA)
Effective: Since January 2025
Delaware welcomed 2025 by joining the privacy protection movement. DPDPA asserts and protects consumers' rights to access, monitor, correct, and delete their personal data. Consumers also have a right to a list of third parties with access to their data. Additional interesting points include a universal opt-out mechanism starting January 2026, no HIPAA or nonprofit exemptions, and more. 

Iowa Consumer Data Protection Act (ICDPA)
Effective: Since January 2025
Iowa's ICDPA gives consumers enhanced control over their information by demanding that companies be more transparent in their data practices. The new law grants users rights for data access, deletion, portability (obtaining copies), and opting out of data sales. There is no right to correct the data, which is interesting. Additionally, consumers do not have the right to opt out of profiling. This is a relatively business-friendly state law. 

Nebraska Data Privacy Act (NDPA)
Effective: Since January 2025
Under NDPA, Nebraska residents can access their data, request corrections and copies, and opt out. Businesses are not allowed to require consumers to create new accounts to exercise these data rights. The law also demands clear contracts between controllers and processors to outline each party’s data protection responsibilities.

New Hampshire Data Privacy Act (NHDPA)
Effective: Since January 2025
NHDPA has a relatively low threshold, as it applies to businesses processing data of at least 35,000 consumers at any revenue level. If more than 25% of the company’s revenue stems from the sale of consumers’ personal data, the threshold is even lower, making the law applicable for those with only 10,000 New Hampshire consumers. These companies must allow consumers to view, correct, or delete their data and clearly disclose how the information is being used. 

New Jersey Data Privacy Act (NJDPA)
Effective: Since January 2025
NJDPA expands consumer rights in New Jersey, requiring clear data processing disclosures that also include a universal opt-out mechanism. The law offers specific protection for children, and their data cannot be used for targeted advertising or sale without opt-in consent. Another issue that makes this law unique is that the NJDPA considers all financial information to be sensitive personal information, also requiring opt-in consent. 

Tennessee Information Protection Act (TIPA)
Effective: July 1, 2025
The TIPA is another business-friendly state law, based on its relatively high threshold of 175,000 local residents, a two-year period given to businesses to prepare, and a unique affirmative defense it offers to businesses that establish a privacy program in accordance with the standards of the National Institute of Standards and Technology (NIST). Consumers have the right to learn whether their data is processed, correct inaccuracies, delete personal data, obtain a copy of their personal data, and opt out of data processing for sale purposes. 

Minnesota Consumer Data Privacy Act (MCDPA)
Effective: July 31, 2025
Minnesota’s MCDPA establishes several unique practices. First, it requires companies to maintain a data inventory presenting a detailed account of how data is processed. Consumers can review this information, including third-party involvement. The new state law also allows consumers to question the conclusion of the data profiling process. They can learn how certain results were achieved and demand that it be corrected. This is another example of the importance of data mapping capabilities.

Maryland Online Data Privacy Act (MODPA)
Effective: October 1, 2025
MODPA is another strict state law. It bans the sale of any sensitive information and offers enhanced protection for minors, including those that companies “should have known” were under 18. The law’s data minimization requirement demands that companies only use the information essential to provide their service or product. Once again, we see the importance of data audits, as the law requires regular privacy impact assessments. MODPA fines are much higher than in other states, reaching $25,000 for repetition of a violation.

EU Data Act
Effective: September 12, 2025
The EU Data Act entered into force in 2024 but will become fully applicable this September, primarily addressing industrial data practices. It covers specific technologies, including IoT, virtual assistants, cloud computing, and edge computing. The law also addresses three types of relationships: business-to-consumer, business-to-business, and business-to-government. It gives users more control over how their information is shared and determines that, upon users’ decision, businesses must make this data available to third parties. The data must also be available to public authorities in emergencies.

EU AI Act
Effective: August 2, 2025
The groundbreaking EU AI Act addresses one of the most transformative technologies by imposing specific regulations on artificial intelligence applications and their associated risks. Minimal risk systems, such as chatbots, should practice transparency and notify users that they are communicating with AI technology, not human representatives. High-risk systems should have mitigation and security mechanisms in place, and unacceptable risks that pose a clear threat are simply banned.

What We Can Learn from Recent Regulation 

  • Children’s data protection: Multiple laws specifically address this issue, demonstrating an understanding that minors require extra consideration. 
  • The importance of data mapping: A data inventory becomes a separate obligation, not just a byproduct of fulfilling data requests. The need for ongoing documentation capabilities has never been clearer.
  • AI and other technological advancements: AI and new technologies are at the center of some regulations, underscoring the importance of ethical use, transparency, and robust consumer protections. Regulators are relatively quick to address these advancements. 
  • Various approaches to consider: Each state introduces its own approach, reminding businesses of the dynamic nature of data regulation and turning strict laws into the new standard. 

Following regulation updates is crucial, but this aspect of the data privacy movement isn’t the only consideration when shaping your privacy strategy. To understand why, read our latest article, “Why Regulation Shouldn’t Dictate Your Privacy Strategy.”