New Privacy Laws in Tennessee and Minnesota Take Effect July 2025

If your website serves customers in Tennessee or Minnesota, there are important legal updates on the horizon. Starting this July 2025, both states are launching new data privacy laws that could affect your business—even if you don’t physically operate in those states.

These new laws, the Tennessee Information Protection Act (TIPA) and the Minnesota Consumer Data Privacy Act (MCDPA), are part of a growing trend toward stronger consumer privacy protections in the U.S. Even though many small businesses may fall outside the strict legal thresholds, it’s still smart to understand what’s changing, how these laws work, and what you should do to stay ahead.

At Daybreak Digital Marketing, we work with small, service-based businesses across Texas and beyond—and we know privacy compliance can feel intimidating. That’s why we’re breaking down these laws in simple terms, explaining who’s affected, and sharing steps you can take to protect your business and customer trust.

What’s Happening and When?

Two new state privacy laws will take effect this summer:

• Tennessee Information Protection Act (TIPA): Effective July 1, 2025
• Minnesota Consumer Data Privacy Act (MCDPA): Effective July 31, 2025

These laws give consumers in each state more control over how their personal data is collected, stored, shared, and sold—and give state Attorneys General the authority to enforce compliance through investigations and penalties.

While the laws are aimed at larger companies that handle high volumes of data, even smaller businesses need to pay attention—especially if you plan to grow into new markets or work with partners who expect compliance.

Tennessee Information Protection Act (TIPA)

TIPA focuses on transparency, consumer rights, and responsible data use. It’s modeled after privacy laws in Virginia and Utah.

Who Must Comply With TIPA?

Your business must comply if it:

1. Conducts business in Tennessee or targets Tennessee residents,
   and
2. Has over $25 million in annual gross revenue,
   and
3. Meets one of the following:

• • Processes personal data of at least 175,000 consumers annually, or
  • Processes personal data of at least 25,000 consumers and earns more than 50% of revenue from selling personal data

TIPA defines “personal data” broadly—names, emails, IP addresses, browsing history, and more.

Key Requirements:

• Post a clear, detailed privacy policy
• Let users access, delete, or correct their data
• Allow opt-outs from data sales and targeted advertising
• Respond to consumer requests within 45 days
• Secure personal data against misuse or unauthorized access
• Violations can result in penalties of up to $7,500 per violation, and treble damages for willful violations

Minnesota Consumer Data Privacy Act (MCDPA)

Minnesota’s law is more expansive in some areas and applies to more businesses due to the absence of a revenue threshold.

Who Must Comply With MCDPA?

You’re subject to MCDPA if you:

1. Do business in Minnesota or target Minnesota residents,
   and
2. Either:

• • Process data of 100,000+ consumers annually (not including data used solely for payments), or
  • Process data of 25,000+ consumers and derive 25% or more of revenue from the sale of personal data

Key Requirements:

• A transparent and accessible privacy policy
• User rights to access, correct, delete, or port personal data
• Opt-outs from targeted advertising, data sales, and profiling
• Explicit consent before processing sensitive data (such as health or race)
• Contracts with vendors handling personal data
  • Data protection assessments for high-risk processing activities
  • Penalties of up to $7,500 per violation; enforcement handled solely by the MN Attorney General

What Is “Personal Data,” and Why Does It Matter?

The term “personal data” may sound abstract, but it’s everywhere on your website—even if you don’t realize it.

Examples of personal data include:

• Names and email addresses submitted through contact forms
• Phone numbers collected during appointment booking
• IP addresses logged by analytics tools
• Location data from mobile visitors
• Browsing activity captured by third-party tracking pixels

Under these new state laws, personal data doesn’t need to be sensitive (like a Social Security number) to be regulated. If it can be used to identify or track a person—even indirectly—it may fall under legal protections.

That means even basic tools many business websites use, like Google Analytics or Facebook Pixel, count as data collection mechanisms. If your privacy policy doesn’t disclose these tools or allow users to opt out of tracking, your site may be out of compliance.

Why Compliance Matters, Even If You’re Exempt

Even if your business doesn’t currently meet the thresholds for mandatory compliance, staying ahead of privacy regulations is more than just risk management—it’s a trust signal.

When customers visit your website, especially those who are tech-savvy or coming from regulated industries (like healthcare, legal services, or finance), they notice whether your business takes privacy seriously. A clear, current privacy policy helps assure them that you’re running a professional operation. It’s also a subtle but powerful differentiator if you’re competing against businesses that haven’t taken the time to address these details.

Additionally, state laws can change. Many of today’s small businesses become tomorrow’s success stories, and waiting to adopt compliance practices until you’re forced to can lead to rushed decisions, higher legal costs, or reputational risk. A proactive approach is not only simpler—it’s smarter.

What Should You Do to Prepare?

Even if your business isn’t required to comply today, these laws highlight growing expectations—and it pays to get ahead of them.

1. Review Where You Do Business

Do you currently serve or plan to serve customers in Tennessee or Minnesota? If you’re running digital ads, offering online services, or fulfilling out-of-state orders, these laws may apply.

2. Audit Your Website’s Data Collection

Take inventory of how your site gathers data. This includes:

• Contact forms
• Newsletter sign-ups
• Analytics tools (like Google Analytics)
• CRM and scheduling tools
• Any third-party plug-ins or scripts

3. Update Your Privacy Policy

A solid privacy policy should:

• Clearly explain what you collect and why
• Tell users whether data is shared or sold
• Inform them of their rights and how to exercise them
• Be easily accessible from your site’s main navigation or footer

Even if you’re not strictly required to meet these standards, offering transparency shows professionalism and builds customer trust.

4. Be Ready to Grow

Today you might not meet the thresholds. But tomorrow’s success might include expanding to new regions. Taking a privacy-first approach now is easier (and cheaper) than scrambling later.

How Daybreak Can Help

We’re not attorneys, but we are your website team. We help small businesses stay compliant with best practices in website content, privacy presentation, and user experience.

We can help you:

• Review your current privacy policy layout
• Implement or update privacy policy links on your website
• Add cookie banners or opt-out functionality if required
• Coordinate with your legal provider or third-party policy service

If your business doesn’t yet have a privacy policy, we’ll help you get one set up that’s tailored to your needs—not just a generic template.

Final Thoughts

These new laws are part of a much larger shift in how consumer data is regulated across the U.S. While Tennessee and Minnesota might not be your top markets today, there’s value in showing your customers you care about their privacy.

If you’d like help reviewing or updating your privacy policy, we’re happy to support you. There’s no pressure—just practical guidance from a local agency that works with small businesses every day.

Contact us here to start the conversation: https://www.daybreak-marketing.com/contact-us