The TIPA and MCDPA are now in force: what U.S. organizations must know

Introduction

As of July 2025, two new state privacy laws have entered into force in the United States: the Tennessee Information Protection Act (TIPA) and the Minnesota Consumer Data Privacy Act (MCDPA). These enactments reflect a broader trend of state-level legislative efforts to establish comprehensive personal data protection frameworks in the absence of a federal privacy law.

TIPA became effective on July 1, 2025, and MCDPA on July 31, 2025. Both laws impose obligations on businesses that collect and process personal data from residents of Tennessee and Minnesota, respectively. Although they share foundational elements with other U.S. state privacy statutes, they also introduce new compliance requirements that differ from the well-known California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

This article outlines the scope, applicability, key requirements, and differences of these two new laws, particularly in relation to the CCPA and CPRA, providing clarity for privacy professionals, legal counsel, and data governance teams.

Applicability Criteria


Tennessee Information Protection Act (TIPA)

The Tennessee Information Protection Act applies to for-profit businesses that conduct business in Tennessee or target Tennessee residents, that have annual gross revenues exceeding $25 million, and that meet at least one of the following data-processing thresholds:

  • Control or process the personal data of 175,000 or more Tennessee consumers, or
  • Control or process the personal data of 25,000 or more Tennessee consumers and derive more than 50 percent of gross revenue from the sale of personal data.

TIPA does not apply to government entities, nonprofits, higher education institutions, or entities already regulated under sectoral laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). Notably, Tennessee is the first state to explicitly exempt licensed insurance companies at the entity level.

Minnesota Consumer Data Privacy Act (MCDPA)

The Minnesota Consumer Data Privacy Act applies to entities that:

  • Process personal data of 100,000 or more Minnesota consumers annually, or
  • Process personal data of 25,000 or more consumers and derive more than 25 percent of gross revenue from the sale of personal data.

Similar to TIPA, MCDPA excludes state and local governments, GLBA- and HIPAA-regulated entities, and nonprofit organizations. It also exempts small businesses as defined by the U.S. Small Business Administration, although those businesses are prohibited from selling sensitive data without prior consumer consent.

Consumer Rights

Both laws grant consumers a familiar set of rights found in most modern privacy statutes, including:

  • Right of access to personal data being processed
  • Right to correct inaccurate personal data
  • Right to delete personal data
  • Right to data portability
  • Right to opt out of the sale of personal data, targeted advertising, and certain forms of profiling

The Minnesota Consumer Data Privacy Act introduces two notable enhancements:

  1. Consumers have the right to obtain a list of third parties with whom their personal data has been shared.
  2. Consumers may challenge decisions made solely on the basis of automated processing, including profiling, and request explanations and re-evaluations of such decisions.

While TIPA also addresses profiling, MCDPA provides a more detailed and enforceable framework around automated decision-making, expanding the scope of accountability for businesses that rely on artificial intelligence or algorithmic systems for consumer interactions.

Business Obligations

TIPA Requirements

Controllers subject to TIPA must:

  • Collect only data that is adequate, relevant, and reasonably necessary for disclosed purposes.
  • Provide clear and accessible privacy notices describing data collection practices, consumer rights, and opt-out mechanisms.
  • Implement reasonable administrative, technical, and physical safeguards for personal data protection.
  • Obtain opt-in consent before processing sensitive personal data.
  • Perform data protection assessments for high-risk processing activities, such as targeted advertising, sale of data, and processing of sensitive data.
  • Execute contracts with processors that impose confidentiality, data security, cooperation with audits, and deletion obligations.

A unique feature of TIPA is the safe harbor provision, which allows organizations to assert an affirmative defense against enforcement if they can demonstrate that their privacy program conforms to the NIST Privacy Framework or a comparable recognized standard.

MCDPA Requirements

MCDPA imposes a broader range of governance and accountability obligations. Controllers must:

  • Maintain a personal data inventory detailing data categories, purposes, and retention schedules.
  • Designate and disclose the identity of a privacy officer responsible for compliance.
  • Conduct data protection assessments for processing activities involving sensitive data, targeted advertising, or profiling.
  • Provide privacy notices with clear explanations of consumer rights and data handling practices.
  • Honor universal opt-out mechanisms, including browser or device-level signals compliant with Global Privacy Control (GPC) specifications.
  • Enable consumers to revoke consent in a manner as simple as giving it.
  • Respond to data subject requests within 45 days, with one optional 45-day extension.

The MCDPA’s focus on internal governance and transparency aligns more closely with the European Union’s General Data Protection Regulation (GDPR) than many other U.S. state laws.

Enforcement Provisions

Both laws grant exclusive enforcement authority to their respective state Attorneys General. Neither TIPA nor MCDPA provides for a private right of action by consumers.

TIPA Enforcement

  • Violations are subject to civil penalties of up to $7,500 per violation.
  • The law establishes a mandatory 60-day cure period for businesses to remediate violations before the Attorney General initiates enforcement. This cure period does not expire, offering long-term protection for companies making good-faith compliance efforts.

MCDPA Enforcement

  • Violations may result in civil penalties of up to $7,500 per violation, along with the recovery of attorney’s fees and injunctive relief.
  • The law allows a 30-day cure period, which expires on January 31, 2026. After that date, enforcement actions may proceed without prior notice or opportunity to cure.

Comparison with CCPA and CPRA

While inspired by the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), both the Tennessee Information Protection Act (TIPA) and the Minnesota Consumer Data Privacy Act (MCDPA) introduce material differences in scope and obligations.

Applicability Thresholds

TIPA uses cumulative applicability thresholds. It applies only to businesses that exceed $25 million in annual gross revenue and meet one of the following data-processing criteria: (1) processing the personal data of at least 175,000 Tennessee residents, or (2) processing the personal data of at least 25,000 Tennessee residents and deriving more than 50% of gross revenue from the sale of such data. In contrast, the CPRA applies if any single threshold is met—such as $25 million in annual revenue, processing data of at least 100,000 California residents or households, or deriving at least 50% of revenue from selling or sharing personal data. The MCDPA sets a lower bar for data-sale revenue: it applies to companies that process data from at least 25,000 Minnesota residents and derive more than 25% of gross revenue from the sale of personal data.

Profiling and Automated Decision-Making

The MCDPA provides robust consumer rights regarding automated decision-making and profiling. Minnesota residents may opt out of profiling that produces legal or similarly significant effects, and they are entitled to contest or review such decisions. This includes the right to receive an explanation of the decision, understand the factors that led to it, and correct data used in the profiling process. In contrast, the CPRA does not currently grant comparable rights regarding automated decision-making. Although the California Privacy Protection Agency is developing regulations in this area, the statute itself lacks explicit provisions granting such rights.

Governance Requirements

The MCDPA mandates a governance-focused approach. It requires organizations to appoint a privacy officer responsible for ensuring compliance and to maintain a personal data inventory as part of their data security and privacy program. Businesses must also document their privacy policies and procedures, including the contact information of the designated privacy officer. The CPRA does not impose similar internal governance requirements—there is no statutory obligation to maintain a data inventory or designate a privacy officer.

Global Opt-Out Signals

Both the MCDPA and CPRA recognize universal opt-out mechanisms, such as browser-based “Do Not Sell” signals. Under the MCDPA, honoring such signals is explicitly mandatory. While the CPRA permits businesses to treat these signals as valid opt-out requests in lieu of offering separate opt-out links, California’s regulatory framework effectively requires recognition of these signals. In contrast, the TIPA does not mention or require recognition of global opt-out signals at all, reflecting a more lenient stance toward business obligations.

Risk Assessments

The CPRA calls for risk assessments to be mandated through future regulations by the California Privacy Protection Agency. These assessments will apply to businesses engaged in high-risk data processing activities, but the specific requirements are still subject to regulatory development. Conversely, both the TIPA and MCDPA explicitly codify the obligation to conduct data protection assessments in their statutory texts. These assessments must precede activities such as targeted advertising, selling personal data, processing sensitive data, and certain forms of profiling that pose heightened risks to individuals.

Safe Harbor Provision

TIPA uniquely includes a statutory safe harbor. Businesses can assert an affirmative defense against alleged violations if they implement and maintain a written privacy program that reasonably conforms to the NIST Privacy Framework or an equivalent standard. This safe harbor is designed to encourage proactive compliance and reduce legal exposure. Neither the CPRA nor the MCDPA offers a similar provision based on adherence to external privacy frameworks.

Overall, the Minnesota law adopts a more comprehensive and strict model, placing significant emphasis on internal compliance structures and enhanced consumer rights—features that align it with a “GDPR-lite” philosophy. In contrast, the Tennessee law takes a more business-friendly approach, characterized by narrower applicability and mechanisms that mitigate legal and compliance risks, such as the NIST-based safe harbor and extended cure periods. Both laws illustrate evolving models of privacy regulation in the United States, diverging meaningfully from California’s CPRA baseline.

Conclusion

The Tennessee Information Protection Act and the Minnesota Consumer Data Privacy Act reflect the maturing landscape of data privacy regulation in the United States. As more states enact tailored privacy frameworks, organizations must reassess their compliance posture, operationalize consistent governance, and maintain adaptability across jurisdictions.

Organizations already subject to CCPA or CPRA will recognize many of the principles in TIPA and MCDPA, but differences in scope, rights, and obligations necessitate a fresh compliance analysis. Legal teams, data protection officers, and privacy consultants should prioritize mapping obligations by state, updating internal policies, and ensuring systems and vendors align with the expanding web of U.S. privacy requirements.

A state-by-state approach to privacy is now a business reality. Operationalizing privacy compliance across these frameworks is no longer optional – it is essential for legal certainty, brand trust, and long-term resilience in the digital economy.

In this fragmented and rapidly evolving regulatory environment, relying on generalist compliance consultancies is no longer sufficient. Privacy today is not merely a legal requirement – it is a strategic imperative that directly affects consumer trust, reputational integrity, and business continuity. Particularly for organizations handling sensitive data or operating across multiple jurisdictions, a specialized privacy consultancy offers the depth of legal, technical, and governance expertise needed to design tailored, future-proof programs.

Privacy Evolved stands out as the premier consultancy in this field, bringing together global regulatory insight, specialist teams, and proven implementation frameworks. By partnering with Privacy Evolved, businesses gain more than compliance – they secure resilience, operational continuity, and sustainable market trust in an economy increasingly defined by data-driven relationships.

Privacy Evolved LLC

Privacy Redefined: Expert Guidance for Global Compliance