We’re coming up on the second half of 2025, which means two things:
- I’ve gained 3 pounds since making my 2025 New Year’s Resolution To Lose 10 Pounds
- A second batch of privacy-law changes is coming that will impact website policies (if applicable)
I’ll spare you the details of my weight-loss journey being upended by the opening of a new donut place down the road. I can sum that up in one photo:

I’m still convinced that one bite of the “Fancy Nancy Donut” (Bottom middle in the above photo… but you already knew that) will cause your children’s children to have cavities. ANYWAY, you didn’t come here for the donuts. You came here today because you crave something equally as sweet and addictive: 🧁🌈website policy updates🍥✨.
It’s true that three new privacy laws and one privacy law change will go into effect during the second half of 2025. Each of these could impact your website policies if applicable to your business/website.
Before I dive into these changes, I do want to be clear that this isn’t a blog designed to scare you, our loyal reader (singular, probably). I know I work for a company called TERMAGEDDON, but we don’t like to pretend things are scarier than they actually are. We got that out of our system in the name. Most of the changes are for larger businesses (generating over $25 million per year or processing a significant amount of data).
AT LEAST FOR NOW!

Sorry, it slipped.
Shenanigans aside, changes to privacy laws do happen. This year, we’ve had a few examples of privacy laws reducing the amount of data a business needs to collect for it to be eligible to comply with that law. In other words, a business may not have needed to comply when the law was first announced, but might need to comply with it later this year now that the data-collection requirements have been expanded to include more businesses.
That’s why tools like Termageddon, Termageddon, and Termageddon (I was told we need more backlinks) can be helpful to use to keep track of any changes/new laws that may impact your website. We also take it one step further by automatically updating all your policies for you, so you just get notified and can sit back and relax while we make all the changes for you.
Without further ado, here are three new laws, one change to an existing law, and an honorable mention coming soon.
Three New Laws Going Into Effect
Let’s first take a look at the three noobies:
- Tennessee Information Protection Act (July 1, 2025)
- Minnesota Consumer Data Privacy Act (July 31, 2025)
- Maryland Online Data Privacy Act (October 1, 2025)
Tennessee Information Protection Act (TIPA)
Effective date: July 1, 2025
Penalties: Up to $15,000 per violation
TIPA (HB1181) was passed to protect the privacy of residents of Tennessee by providing them with privacy rights and imposing certain requirements upon businesses, such as having a Privacy Policy.
TIPA applies to persons who conduct business in Tennessee or who produce products or services that are targeted to residents of the state and that meet the following:
- Exceeds $25 million per year in revenue AND meets one of the following criteria:
  - During a calendar year, control or process the personal information of at least 100,000 residents of Tennessee; or
  - Control or process the personal information of at least 25,000 Tennessee residents and derive more than 50% of gross revenue from the sale of personal information.
It is important to note that TIPA applies to businesses that are located in Tennessee, as well as businesses that are not, so businesses in other states must still pay attention to and comply with this law if it applies to them.
In other words, Tennessee businesses are just the TIPA the iceberg when it comes to who TIPA applies to (I’ve been waiting for TIPA puns since it was announced… let me have this).
Minnesota Consumer Data Privacy Act (MCDPA)
Effective date: July 31, 2025
Penalties: Up to $7,500 per violation
MCDPA (MN HF 4757) is a comprehensive state privacy law. This new law will ensure the privacy of residents of Minnesota by providing them with privacy rights and by requiring businesses that need to comply with this law to meet certain requirements, such as providing a comprehensive and up-to-date Privacy Policy, maintaining a data inventory, practicing data minimization and more.
The MCDPA applies to legal entities that do business in Minnesota or that produce products or services that are targeted to residents of Minnesota and that meet one or more of the following thresholds:
- During a calendar year, controls or processes the personal data of 100,000 Minnesota residents or more;
- Derives over 25% of gross revenue from the sale of personal data and processes or controls the personal data of 25,000 Minnesota residents or more.
MCDPA does not apply to nonprofit organizations that are established to detect and prevent fraudulent acts in connection with insurance, but it will apply to nonprofits that meet the criteria above if they perform their work in other fields.
It also exempts small businesses as defined by the United States Small Business Administration (less than $2.25 million per year in revenue and less than 100 employees).
Maryland Online Data Privacy Act
Effective date: October 1, 2025
Penalties: Up to $10,000 per violation
The Maryland Online Data Privacy Act of 2024 (MD SB541) will provide privacy rights to residents of the State and will impose various compliance obligations on businesses such as the requirement to have a comprehensive Privacy Policy that includes all of the disclosures enumerated in this privacy law.
Maryland’s new privacy law has a broad application in the sense that your business does not have to be located in Maryland for this privacy law to apply to you. The Maryland Online Data Privacy Act applies to persons that conduct business in the State or that provide services or products that are targeted to residents of the State and that during the immediately preceding calendar year:
- Controlled or processed the personal data of at least 35,000 residents of Maryland; or
- Controlled or processed the personal data of at least 10,000 residents of Maryland and derived more than 25% of its gross revenue from the sale of personal data.
It does specifically exempt nonprofits that process personal data to assist law enforcement agencies in investigating criminal or fraudulent acts relating to insurance or first responders in responding to catastrophic events. However, the law does not exempt nonprofits working in other causes.
Changes for 2025
Montana Consumer Data Privacy Act (MCDPA)
Effective date: October 1, 2024
Effective date for changes: October 1, 2025
First, if MCDPA looks familiar, you’re not crazy. Well, at least for someone who has made it this far into a privacy-law-updates blog. Minnesota also starts with an M and calls their law, “Minnesota Consumer Data Privacy Act (MCDPA)”. That shouldn’t make things confusing at all.
Google: “How many states start with the letter ‘M’?”… EIGHT?!
Anyway, Montana made quite a few updates that we covered in more detail in our Compliance Guide. For the sake of this blog, let’s use bullet points. The changes that go into effect include:
- An increase in the number of businesses that need to comply with it
- Additional information businesses must not disclose in response to a privacy rights request
- Changes to a consumer’s opt-out rights
- Privacy Policy changes
- Enforcement changes
Honorable Mention: Australia Privacy Act 1988
Australia announced this year that it will be making some changes to its long-established privacy law. However, while some of the changes will go into effect in 2025, most Privacy Policy-related changes won’t go into effect until 2026.
I hate to leave everyone on a cliffhanger, but we will just have to address that in a future “New laws & updates coming in 2026” blog.
Conclusion
2025 has been a busy year for privacy laws. Eight new ones went/will go into effect this year. More changes are scheduled for 2026 as well.
The main points of this blog are to:
- Let you know about these updates
- Remind you that getting compliant is just the first step; staying compliant is the main goal
- See if anyone wants to go on a donut run with me
Not necessarily in that order.
Need help keeping your policies in line with all the privacy law changes going on? Termageddon can auto-update your website policies BEFORE changes go into effect. We also update our generator each time there is a change to ensure the questions within our Privacy Policy Generator reflect all the latest privacy law requirements.
Thanks for reading!