The U.S. privacy landscape will undergo seismic changes in 2025 as Maryland, New Jersey, Tennessee, and five other states enact stringent privacy laws. These regulations introduce GDPR-inspired requirements like data minimization, algorithmic risk assessments, and enhanced protections for minors and sensitive data. Below, we analyze the three most impactful lawsโ€”Marylandโ€™s MODPA, New Jerseyโ€™s NJDPA, and Tennesseeโ€™s TIPAโ€”and outline actionable strategies for multi-state compliance.

1. Maryland Online Data Protection Act (MODPA)

Effective Date: October 1, 2025 (enforcement begins April 1, 2026)

Key Requirements

  1. Data Minimization:
  • Collect only data โ€œreasonably necessaryโ€ to provide the specific product/service requested by the consumer.- Prohibits processing sensitive data (e.g., health, biometrics) beyond whatโ€™s strictly required.2. Youth Protections:
  • Bans targeted ads and data sales for users under 18 if the controller โ€œknew or should have knownโ€ their age.- Requires age assurance mechanisms for platforms likely to attract minors.3. Risk Assessments:
  • Mandates annual evaluations for algorithms used in employment, healthcare, and financial decisions.4. Penalties: Up to $10,000 per violation ($25,000 for repeat offenses).

Scope:

  • Applies to businesses processing data of 35,000+ Maryland residents (excluding payment data) or 10,000+ residents if deriving 20%+ revenue from data sales.

2. New Jersey Data Privacy Act (NJDPA)

Effective Date: January 15, 2025 (enforcement grace period until July 2026)

Key Requirements

  1. Expanded Sensitive Data:
  • Includes immigration status, union membership, and citizenship.- Requires explicit opt-in consent for processing.2. Opt-Out Rights:
  • Consumers can reject targeted ads, data sales, and profiling via Global Privacy Control (GPC).3. Transparency:
  • Privacy notices must disclose third-party data sharing with โ€œsufficient detail to understand business models.โ€

Scope:

  • Targets businesses handling data of 100,000+ residents (or 25,000+ if 50%+ revenue from data sales).

Penalties: $7,500 per intentional violation, with no private right of action.

3. Tennessee Information Protection Act (TIPA)

Effective Date: July 1, 2025

Key Requirements

  1. Revenue Threshold:
  • Applies only to businesses with $25M+ annual revenue.2. Affirmative Defense:
  • Avoid penalties by implementing NIST-aligned privacy programs.3. Cure Period:
  • 60 days to fix violations before fines (up to $7,500 per violation).

Scope:

  • Processes data of 175,000+ residents or 25,000+ if deriving 50%+ revenue from data sales.

Comparative Analysis

Aspect Maryland (MODPA) New Jersey (NJDPA) Tennessee (TIPA)

Threshold 35K residents 100K residents $25M revenue + 175K residents

Sensitive Data Health, biometrics, genetics Immigration status, citizenship Aligns with CCPA/CPRA

Youth Protections Under 18 No explicit minor safeguards None

Penalties $10K/violation $7.5K/violation $7.5K/violation

Cure Period 60 days 30 days 60 days (non-sunsetting)

Compliance Strategies for Multi-State Operations

  1. Unified Data Mapping:
  • Use tools like OneTrust to track data flows across Marylandโ€™s โ€œreasonably necessaryโ€ standard and New Jerseyโ€™s expanded sensitive categories.2. Algorithmic Governance:
  • Conduct bias audits for AI/ML models impacting hiring, credit, or healthcare (mandated in Maryland and New Jersey).3. Consent Management Platforms (CMPs):
  • Deploy CMPs supporting GPC for NJDPA opt-outs and MODPAโ€™s minor ad restrictions.4. Vendor Contracts:
  • Require third parties to comply with state-specific rules (e.g., Marylandโ€™s data sovereignty clauses).
  1. GDPR Convergence:
  • 63% of 2025 laws mandate data minimization, mirroring GDPRโ€™s Article 5(1)(c).2. Sensitive Data Expansion:
  • States now protect immigration status (NJ), genetic data (MD), and non-traditional categories.3. Enforcement Surge:
  • State AGs plan joint task forces, with Maryland allocating $2M for privacy enforcement in 2026.

Comparing U.S. State Privacy Laws (MODPA, NJDPA, TIPA) to GDPR: Enforcement and PenaltiesThe surge in U.S. state privacy laws reflects growing alignment with GDPR principles like data minimization and transparency, but enforcement mechanisms and penalties vary significantly. Below, we compare Marylandโ€™s MODPA, New Jerseyโ€™s NJDPA, Tennesseeโ€™s TIPA, and the EUโ€™s GDPR across key dimensions.

1. Enforcement Authorities

U.S. State Laws

  • Maryland (MODPA): Enforced by the Attorney Generalโ€™s Consumer Protection Division522.- New Jersey (NJDPA): Overseen by the Attorney General and Division of Consumer Affairs223.- Tennessee (TIPA): Solely enforced by the Tennessee Attorney General312.

GDPR: Enforced by independent Data Protection Authorities (DPAs) across 27 EU member states433.

2. Penalty Structures

LawMaximum PenaltyKey CriteriaMODPA$10,000 per violation; $25,000 repeatsBased on violation severity, entity size, and public harm risk51028.NJDPA$10,000 (first); $20,000 (subsequent)Tied to New Jersey Consumer Fraud Act2629.TIPA$7,500 per violationCivil penalties for uncured violations; treble damages for willful misconduct31236.GDPRโ‚ฌ20M or 4% global revenueWhichever is higher; applies to breaches like inadequate security or unlawful transfers42533.

Example: Metaโ€™s 2023 GDPR fine for unlawful data transfers totaled โ‚ฌ1.2B2533, while the largest state penalty under MODPA could reach $25K per repeat violation10.

3. Cure Periods

  • MODPA: 60-day cure period (mandatory until April 2027; discretionary afterward)522.- NJDPA: 30-day cure period, expiring July 20262623.- TIPA: 60-day cure period with no sunset clause31236.- GDPR: No statutory cure period, though remediation efforts may mitigate fines433.

4. Private Right of Action

  • U.S. States: None. All enforcement is state-led523.- GDPR: No private right, but individuals can file complaints with DPAs, triggering investigations433.

5. Scope and Extraterritorial Reach

  • State Laws: Apply to businesses operating in/targeting residents of each state (e.g., MODPA: 35K+ residents; TIPA: $25M+ revenue)51216.- GDPR: Applies globally to any entity processing EU residentsโ€™ data, regardless of location4933.
  1. GDPR Influence: MODPAโ€™s data minimization and NJDPAโ€™s broad sensitive data definitions mirror GDPR principles5214.2. Lower Penalties: State penalties (max $25K) pale compared to GDPRโ€™s revenue-based fines (e.g., Metaโ€™s โ‚ฌ1.2B fine)2533.3. Cure Periods: U.S. states offer structured remediation windows; GDPR leaves discretion to DPAs234.

Conclusion

While MODPA, NJDPA, and TIPA adopt GDPR-like accountability frameworks, their enforcement is less punitive and more localized. GDPRโ€™s global reach and steep penalties (up to 4% of revenue) create higher stakes for multinational firms. Businesses must prioritize:

  • State Compliance: Implement consent management tools (e.g., OneTrust) for opt-outs and DSARs25.- GDPR Alignment: Conduct cross-border transfer audits and update SCCs for EU data sovereignty933.

Marylandโ€™s strict minimization, New Jerseyโ€™s broad sensitive data rules, and Tennesseeโ€™s revenue thresholds create a fragmented but GDPR-aligned landscape. Businesses must prioritize centralized compliance frameworks, automate DSAR responses, and preempt algorithmic risks. With penalties exceeding $10K per violation and multi-state audits rising, proactive adaptation is critical to avoiding regulatory blowback.

Key Takeaways:

  1. Update data inventories to meet Marylandโ€™s โ€œreasonably necessaryโ€ standard.2. Implement GPC for NJDPA opt-outs by January 2025.3. Leverage TIPAโ€™s affirmative defense by aligning with NIST CSF 2.0.

(Citations: Maryland MODPA[7][16], New Jersey NJDPA[5][26], Tennessee TIPA[33][36])

Citations: [1] https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/748221/dbb70fd2-5ebe-4275-8603-20f5848f655f/paste.txt [2] https://www.willkie.com/publications/2024/05/maryland-enacts-one-of-the-strictest-privacy-laws-in-the-nation [3] https://www.koleyjessen.com/insights/publications/minnesota-maryland-and-rhode-island-pass-data-privacy-laws-nineteen-states-will-soon-have-comprehensive-privacy-legislation [4] https://www.bakerdonelson.com/maryland-enacts-comprehensive-consumer-privacy-legislation-what-you-need-to-know [5] https://termly.io/resources/articles/new-jersey-data-privacy-act/ [6] https://ogletree.com/insights-resources/blog-posts/frequently-asked-questions-about-the-new-jersey-data-protection-act-effective-january-15-2025/ [7] https://www.dlapiper.com/en/insights/publications/2024/07/us-maryland-online-data-privacy-act-summary-and-comparative-analysis [8] https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20240521-maryland-and-nebraska-adopt-comprehensive-privacy-laws [9] https://termly.io/resources/articles/maryland-online-data-protection-act/ [10] https://www.dwt.com/blogs/privacyโ€”security-law-blog/2024/05/maryland-online-data-privacy-act-signed [11] https://www.cyberlawmonitor.com/2024/08/26/marylands-new-approach-to-data-minimization-creates-unique-compliance-issues/ [12] https://www.mwe.com/insights/maryland-joins-growing-ranks-and-passes-its-own-consumer-data-privacy-law/ [13] https://www.ketch.com/regulatory-compliance/maryland-online-data-privacy-act-modpa [14] https://www.thompsonhine.com/insights/maryland-poised-to-enact-privacy-law-sets-new-standard-for-targeted-advertising/ [15] https://transcend.io/blog/maryland-data-privacy-law [16] https://www.hunton.com/privacy-and-information-security-law/maryland-legislature-passes-state-privacy-bill-with-robust-requirements-and-broad-threshold-for-application [17] https://usercentrics.com/knowledge-hub/maryland-online-data-privacy-act-modpa/ [18] https://www.fisherphillips.com/en/news-insights/maryland-rigid-data-privacy-law-october-2025-effective-date.html [19] https://www.cookieyes.com/blog/maryland-online-data-privacy-act-modpa/ [20] https://www.osano.com/articles/maryland-online-data-privacy-act-modpa [21] https://bigid.com/blog/maryland-online-data-privacy-act-modpa/ [22] https://www.osano.com/articles/new-jersey-data-privacy-act-njdpa [23] https://www.gtlaw.com/en/insights/2025/1/2025-new-jersey-employment-law-updates [24] https://clym.io/regulations/the-new-jersey-data-privacy-act-njdpa [25] https://www.njconsumeraffairs.gov/ocp/Pages/NJ-Data-Privacy-Law-FAQ.aspx [26] https://www.akingump.com/en/insights/alerts/new-jersey-data-protection-act-what-businesses-need-to-know [27] https://www.dataguidance.com/opinion/new-jersey-data-protection-act-heres-what-you-need [28] https://www.jdsupra.com/legalnews/garden-state-are-you-ready-for-the-nj-3919125/ [29] https://www.dataguidance.com/news/new-jersey-new-jersey-data-protection-act-enters-force [30] https://redcloveradvisors.com/by-regulation/new-jersey-data-privacy-act-njdpa/ [31] https://ktslaw.com/en/insights/alert/2024/12/five new state privacy laws effective january 2025 [32] https://www.vensure.com/employment-law-updates/tennessee/reminder-the-tennessee-information-protection-act-tipa-effective-july-1-2025/ [33] https://www.dataguidance.com/jurisdictions/tennessee [34] https://secureprivacy.ai/blog/tennessee-information-protection-act-compliance-checklist [35] https://www.ketch.com/blog/posts/us-privacy-laws-2025 [36] https://bigid.com/blog/8-state-privacy-laws-going-into-effect-in-2025/ [37] https://www.didomi.io/blog/tennessee-data-privacy-law [38] https://www.osano.com/articles/tennessee-information-protection-act-tipa [39] https://www.forbes.com/sites/alonzomartinez/2024/12/19/is-your-business-ready-for-2025-state-privacy-regulations/ [40] https://transcend.io/blog/tennessee-information-protection-act [41] https://natlawreview.com/article/wait-theres-more [42] https://www.sheppardmullin.com/media/publication/2259_Law360_-_5_Privacy_Law_Trends_That_Will_Continue_In_2025.pdf [43] https://www.dataguidance.com/opinion/usa-state-privacy-laws-entering-effect-2025 [44] https://www.osano.com/us-data-privacy-laws [45] https://www.multistate.us/insider/2025/2/4/major-legislative-trends-in-the-technology-and-privacy-space [46] https://pandectes.io/blog/key-us-data-privacy-laws-to-watch-in-2025/ [47] https://cmitsolutions.com/westchester-ny-1180/blog/data-privacy-laws-2025-smb-compliance/ [48] https://www.mofo.com/resources/insights/250107-privacy-data-security-predictions [49] https://www.dlapiperdataprotection.com/?t=law&c=US [50] https://usercentrics.com/knowledge-hub/american-data-privacy-and-protection-act-adppa/ [51] https://pro.bloomberglaw.com/insights/privacy/consumer-data-privacy-laws/ [52] https://www.cliffordchance.com/insights/resources/blogs/talking-tech/en/articles/2024/02/the-new-jersey-data-privacy-law-an-overview.html [53] https://www.datagrail.io/blog/data-privacy/what-you-need-to-know-about-new-jerseys-new-data-privacy-law/ [54] https://www.bsk.com/news-events-videos/employment-and-data-privacy-law-updates-for-2025-in-new-jersey [55] https://www.cookieyes.com/blog/new-jersey-data-privacy-act-njdpa/ [56] https://usercentrics.com/knowledge-hub/new-jersey-data-privacy-act-njdpa/ [57] https://ogletree.com/insights-resources/blog-posts/new-jersey-joins-data-privacy-party-new-jersey-data-protection-act-becomes-effective-in-january-2025/ [58] https://www.cookieyes.com/blog/tennessee-information-protection-act-tipa/ [59] https://termly.io/resources/articles/tennessee-information-protection-act/ [60] https://cookie-script.com/privacy-laws/tennessee-information-protection-act [61] https://www.upguard.com/blog/what-is-tipa [62] https://www.onetrust.com/blog/tennessee-passes-information-protection-act/ [63] https://www.akingump.com/en/insights/blogs/ag-data-dive/tennessee-information-protection-act-what-businesses-need-to-know [64] https://www.dwt.com/blogs/privacyโ€”security-law-blog/2023/05/tennessee-information-protection-data-privacy [65] https://usercentrics.com/knowledge-hub/tennessee-information-protection-act-tipa/ [66] https://www.csis.org/analysis/modernizing-us-commercial-privacy-standards-digital-economy [67] https://www.fieldfisher.com/en/insights/gdpr-vs-u-s-state-privacy-laws-how-do-they-measure [68] https://www.globalprivacywatch.com/2025/01/a-new-year-and-new-compliance-requirements-additional-state-privacy-laws-take-effect-in-2025/ [69] https://www.wiley.law/alert-10-Key-Privacy-Developments-and-Trends-to-Watch-in-2025 [70] https://www.osano.com/articles/data-privacy-laws [71] https://www.jacksonlewis.com/insights/year-ahead-2025-tech-talk-ai-regulations-data-privacy [72] https://www.whitecase.com/insight-alert/2025-state-privacy-laws-what-businesses-need-know-compliance