The US “comprehensive” law landscape continues to expand, with two more states—Tennessee (July 1) and Minnesota (July 31)—joining the “comprehensive” privacy law club. Five of these (Delaware, Iowa, Nebraska, New Hampshire, and New Jersey) took effect in January. As the patchwork of state-level “comprehensive” privacy laws expands, what should businesses keep in mind? As outlined below, perhaps the biggest takeaway is that the laws add to a patchwork, one which consists of many overlapping requirements. Here are a few highlights from these two latest laws:
- Privacy Notice: Both Tennessee and Minnesota, as with other states, require businesses to publish a clear and accessible privacy policy. These policies must explain what data is collected, how the information is used, with whom information is shared, and how consumers can exercise their privacy rights. Minnesota, though, unlike Tennessee, requires businesses to include data retention periods in their privacy policies. Tennessee uniquely offers an affirmative defense in the event of an enforcement action if a business has a privacy policy that reasonably conforms to NIST’s privacy framework or equivalent safeguards.
- Options: Both states grant consumers the right to access, correct, delete, and port their personal information, as well as to opt out of the sale of their information, targeted advertising, and high-risk profiling. Additionally, both laws require businesses to obtain consent before processing sensitive information and to follow data minimization principles—collecting and using only the data necessary for the stated purpose. These mirror existing requirements in other states. Minnesota goes further by granting consumers the right to review, correct, and request reevaluation of information used in high-risk automated decision-making. It also requires letting consumers know about (and opt out of) material changes to privacy practices that will impact them in the future.
- Compliance Documentation: Minnesota requires businesses to maintain privacy policies, compliance documentation, contact details for responsible personnel, and records of consumer appeals for at least 24 months. This is similar to requirements in California and Colorado.
- Enforcement and Cure Periods: Neither Tennessee nor Minnesota provides a private right of action, and each offers a cure period. Minnesota’s cure period is 30 days, but sunsets January 31, 2026. Tennessee’s is 60 days, and there is no sunset.
Putting It Into Practice: Businesses operating in or collecting data from these states’ residents should keep in mind the nuances and differences between these states’ laws and those in other jurisdictions. These include responding, in Minnesota, to a request to review information used in high-risk automated decision-making (if the company engages in that practice).