What’s New in Data Privacy: Tennessee and Minnesota Consumer Data Privacy Laws go into Effect

In July 2025, two new U.S. state consumer privacy laws went live: Tennessee’s Information Protection Act (TIPA) on July 1, 2025, and Minnesota’s Consumer Data Privacy Act (MCDPA) on July 31, 2025. Both establish consumer rights and impose obligations on businesses processing personal data, especially sensitive categories. This article reviews who is covered, what rights and duties apply, how TIPA and MCDPA differ, and what your compliance plan should include.

Tennessee Information Protection Act (TIPA) 

Effective July 1, 2025

TIPA applies to businesses that conduct business in Tennessee or target Tennessee residents AND either: (1) process personal data of at least 175,000 Tennessee residents, or (2) process data of 25,000+ Tennessee residents and earn over 50% of gross revenue by selling personal data. There are some exemptions to this standard, so be sure to check if you fall into one of the exempted categories of institutions.

Aligning largely with other states’ data privacy laws, TIPA provides data subjects rights to: access, deletion, correction, data portability, and opt‑out of targeted ads, sales, and profiling. Notably, TIPA requires opt‑in consent only before processing sensitive personal data or personal information that is beyond what is reasonably necessary.

A stark difference from any other currently effective consumer data privacy law, TIPA supplies an affirmative defense against causes of action for violations of the law for businesses that have (1) a written privacy program that reasonably conforms with the National Institute of Standards and Technology (“NIST”) privacy framework, or (2) documented policies, standards, and procedures that are designed to safeguard consumer privacy.

TIPA is generally considered more business‑friendly with its higher applicability threshold, lengthy cure period of 60 days, and NIST safe harbor.

Minnesota Consumer Data Privacy Act (MCDPA)

Effective July 31, 2025

MCDPA applies to businesses that conduct business in Minnesota or target Minnesota residents AND either: (1) in a calendar year process or control data (excluding data collected solely for payment transactions) of at least 100,000 Minnesota residents, or (2) process or control data of 25,000+ Minnesota residents and make more than 25% revenue from selling personal data. There are some exemptions to this standard, so be sure to check if you fall into one of the exempted categories of institutions.

Similarly to TIPA and other state privacy laws, consumers have the rights to: access, delete, or correct their information, as well as receive their data in a portable format and opt‑out of the sale of their data, profiling, and targeted ads.

In contrast to other state laws, if a consumer’s data was profiled, the consumer has certain contest and questioning rights to see data used, correct inaccuracies, and learn how to achieve different outcomes. Minnesota also gives the consumer the right to obtain a list of specific third-parties to which their personal information has been disclosed.

MCDPA also requires opt‑in consent only before processing sensitive personal data or personal information that is beyond what is reasonably necessary.

Key TIPA and MCDPA Features

Compliance Steps: Where to Start Now

1. Determine applicability: review July 2024–June 2025 data volumes and revenue from data sales.
2. Map data flows: focus on sensitive data and profiling systems.
3. Update privacy policies: include consumer rights, third‑party disclosures, and eligibility.
4. Implement universal opt‑out signals: standardize across systems for profiling and sales opt‑outs.
5. Consent mechanisms: ensure opt‑in workflows for sensitive data and parental consent where applicable.
6. Training and incident protocols aligned to risk categories and consumer rights timelines.

How Legal Counsel Can Support Data Privacy Law Compliance

Maintaining compliance with current and emerging privacy laws can be tricky. At Founders Legal, our Corporate Law team craft enforceable policies, defensible programs, and important disclosures to help clients ensure their data privacy policies and procedures are legally sound and audit ready.

Conclusion

With TIPA effective July 1 and MCDPA effective July 31, July 2025 marks a turning point: two more states joining the patchwork of U.S. privacy regimes. While they share the familiar structure (rights of access, correction, deletion, portability, opt‑outs, and sensitive data consent) Minnesota introduces enhanced profiling controls and Tennessee introduces a safe harbor for compliance. Learn more about data privacy and your business’ relationship with it by exploring our resources or contacting us.

FAQ – July 2025 Privacy Laws

Q1: Do these laws apply to businesses outside Tennessee and Minnesota?

A: Yes, if you target consumers in those states or process data about them and meet thresholds, compliance obligations apply, regardless of your physical location.

Q2: How is “sensitive personal data” defined?

A: Typical categories include precise geolocation, race, ethnicity, health and biometric data, genetic or financial account numbers. Sensitive data always requires explicit opt‑in consent.

Q3: Can consumers invoke rights across states?

A: Only consumers located in Tennessee or Minnesota as of July 2025 can exercise rights under TIPA or MCDPA respectively.

Q4: Are cure periods available for violations?

A: Yes, most state laws include notice and right‑to‑cure windows. For Minnesota and Tennessee, cure periods are 30 and 60 days, respectively, but other state cure periods vary.