New Privacy Laws in Tennessee and Minnesota: What Businesses Need to Know
Next month ushers in two new US state comprehensive consumer privacy laws in Tennessee and Minnesota, which become effective on July 1 and July 31, respectively. While these laws track the current plethora of US state comprehensive consumer privacy laws in many respects (e.g., requiring businesses to provide clear and conspicuous privacy notices and providing certain data subject rights), there are certain differences worth noting, including but not limited to those outlined below.
Tennessee
- Second state to require both a revenue threshold and a processing volume threshold to trigger applicability.
- Provides a 60-day cure period to address violations with no sunset date.
- Provides companies with an affirmative defense for violations if the business creates, maintains and complies with a written privacy policy that is compliant with the National Institute of Standards and Technology (NIST) Privacy Framework or other documented policies, standards and procedures designed to safeguard consumer privacy.
- No private right of action.
Minnesota
- Includes more prescriptive requirements for opt-out rights than many other US state comprehensive consumer privacy laws, such as providing access to a clear and conspicuous method outside the privacy notice for consumers to opt out of:
  - The sale or processing of their personal data for targeted advertising.
  - The use of their personal data for profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.
- Requires privacy notices to include a description of retention policies for personal data.
- Requires privacy notices to be made available to the public in each language in which a product or service is provided.
- No private right of action.
A business’s privacy notice and privacy compliance program that are designed to comply with other US state comprehensive consumer privacy laws are likely to satisfy many of Tennessee’s and Minnesota’s requirements, although Minnesota’s requirement for opt-outs beyond the privacy notice may necessitate additional operational elements to comply. That said, penalties for noncompliance can be significant – in particular, Tennessee’s go up to $22,500 per intentional violation – so companies should undertake a review of their existing notices and practices to ensure compliance. For an in-depth look at how certain other states are currently taking action against companies for noncompliance, see our May 30 client alert analyzing the California Privacy Protection Agency’s recent settlement with Honda.
This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction, and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may have been generated with the assistance of artificial intelligence (AI) in accordance with our AI Principles, may be considered Attorney Advertising and is subject to our legal notices.