The comprehensive consumer privacy laws of Minnesota and Tennessee have recently taken effect, with the Minnesota Consumer Data Privacy Act (MCDPA) operative as of July 31, 2025, and the Tennessee Information Protection Act (TIPA) effective July 1, 2025.
While both laws establish familiar consumer rights and business obligations, each differs significantly from the other and introduces distinctive features in the landscape of state comprehensive consumer privacy laws. Notably, the MCDPA imposes prescriptive profiling-related requirements along with a number of other requirements that exceed those in most other states. TIPA, by contrast, is similar to the Virginia Consumer Data Protection Act and the more "business-friendly" set of state privacy laws, such as those of Utah and Iowa, while authorizing especially high potential damages. Below is an overview of the laws' key distinctive features.
Minnesota
The MCDPA imposes heightened requirements, beyond most other states, such as in the following areas (see our prior post for more detail):
- Profiling. Consumers have the right to question and obtain the basis for profiling decisions with legal or similarly significant effects--a novel provision, recently mirrored in the Connecticut amendments.
- Access. Consumers may request the "specific third parties" to whom their personal data was disclosed by a controller, or, if not available, a list of third parties to whom the controller disclosed "any" personal data of a consumer.
- Privacy policies. Privacy policies must be "reasonably accessible, clear, and meaningful," be posted on the controller's homepage using a hyperlink that contains the word "privacy," and include a description of the controller's data retention policies and the date of last update. Controllers must electronically notify consumers of material changes to their privacy notice or practices and provide an opportunity to withdraw consent (mirrored in recent Montana and Connecticut amendments).
- Teens. Controllers must obtain consent for targeted advertising or the sale of personal data when the controller knows that the consumer is between 13 and 16 years old.
- Data security, including data inventory, and retention. The law requires controllers to provide reasonable security for personal data, and expressly requires that they create and maintain a data inventory (i.e., data map). It prohibits controllers from retaining personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless required by law or an exception applies.
- Documentation. Controllers must document and maintain a description of the policies and procedures they have adopted to comply with the MCDPA, including the name and contact information for the company's chief privacy officer or other individual with primary responsibility for ensuring compliance with the law. Controllers must also keep records of appeals and responses to consumer rights requests for 24 months.
- Small businesses. While generally exempt, small businesses are prohibited from selling sensitive personal data without consent--a carve-out similar to the ones in the Texas and Nebraska comprehensive consumer privacy laws.
- Nonprofits. Unlike most state comprehensive privacy laws, the MCDPA applies to nonprofit organizations that otherwise meet the law's applicability triggers, with a narrow exception for those involved in detecting and preventing insurance fraud (similar to Delaware and Oregon's nonprofit exemption).
- Cure period. The state attorney general, which has exclusive enforcement authority, can seek civil penalties up to $7,500 per violation. The MCDPA's 30-day cure period sunsets on January 31, 2026.
Tennessee
As noted above, TIPA is similar to the Virginia comprehensive consumer privacy law and the other more business-friendly laws despite its potential for hefty damages. The summary below covers its more notable features:
- Applicability. TIPA is among the few comprehensive state privacy laws to require a revenue threshold in addition to processing thresholds for the law to apply. In order for a business to be subject to the law it must exceed $25 million in revenue and control or process the personal information of at least 175,000 consumers (or 25,000 consumers if deriving more than 50 percent of gross revenue from the sale of personal information).
- Exemption for pseudonymous data. TIPA provides a broader exemption for pseudonymous data than most states by exempting such data from all consumer rights if the controller can demonstrate that the information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing that information.
- Safe harbor. TIPA provides an affirmative defense for controllers or processors that implement and maintain a privacy program that "reasonably conforms" to the National Institute of Standards and Technology privacy framework, among other requirements.
- Treble damages. The state attorney general, which has exclusive enforcement authority, may seek civil penalties up to $7,500 per violation. In addition, courts can award treble damages for knowing or willful violations, making potential exposure particularly high. TIPA provides a 60-day cure period that does not sunset.