Next month ushers in two new US state comprehensive consumer privacy laws in Tennessee and Minnesota, which become effective on July 1 and July 31, respectively. While these laws track the current plethora of US state comprehensive consumer privacy laws in many respects (e.g., requiring businesses to provide clear and conspicuous privacy notices and providing certain data subject rights), there are certain differences worth noting, including but not limited to those outlined below.
Tennessee
- Second state to require both a revenue threshold and a processing volume threshold to trigger applicability.
- Provides a 60-day cure period to address violations with no sunset date.
- Provides companies with an affirmative defense for violations if the business creates, maintains and complies with a written privacy policy that is compliant with the National Institute of Standards and Technology (NIST) Privacy Framework or other documented policies, standards and procedures designed to safeguard consumer privacy.
- No private right of action.
Minnesota
- Includes more prescriptive requirements for opt-out rights than many other US state comprehensive consumer privacy laws, such as providing access to a clear and conspicuous method outside the privacy notice for consumers to opt out of:
  - The sale or processing of their personal data for targeted advertising.
  - The use of their personal data for profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.
- Requires privacy notices to include a description of retention policies for personal data.
- Requires privacy notices to be made available to the public in each language in which a product or service is provided.
- No private right of action.
A business’s privacy notice and privacy compliance program that are designed to comply with other US state comprehensive consumer privacy laws are likely to satisfy many of Tennessee’s and Minnesota’s requirements, although Minnesota’s requirement for opt-outs beyond the privacy notice may necessitate additional operational elements to comply. That said, penalties for noncompliance can be significant – in particular, Tennessee’s go up to $22,500 per intentional violation – so companies should undertake a review of their existing notices and practices to ensure compliance. For an in-depth look at how certain other states are currently taking action against companies for noncompliance, see our May 30 client alert analyzing the California Privacy Protection Agency’s recent settlement with Honda.