The patchwork of state privacy laws just grew bigger. Seven years after the California Consumer Privacy Act (CCPA), considered the gold standard of state privacy laws, went into force, other states have followed suit with new privacy acts of their own or updating existing ones. The latest to join the pack are Tennessee and Minnesota with the latter being more stringent.
The Tennessee Information Protection Act (TIPA), which went into effect on July 1, applies to any business that processes the data of 175,000 or more consumers—the threshold drops to 25,000 if the business receives over half of its revenue from selling personal data. The framework largely aligns with the Virginia Consumer Data Protection Act (VCDPA), introduced in 2023, as well as similar privacy laws in several other states. One of the most notable characteristics of the TIPA is its provision allowing businesses to mitigate or even negate liability for a violation, provided they can prove that their privacy programs largely conform to the NIST Privacy Framework.
Minnesota has also raised the bar on data governance and management with the introduction of its Consumer Data Privacy Act (MCDPA), which applies to any organization handling the data of 100,000 or more consumers. The law is significantly more demanding than the TIPA, in that it requires applicable companies to maintain a comprehensive data inventory. Moreover, the MCDPA adds a much-needed layer of accountability, compelling businesses to appoint a Chief Privacy Officer responsible for compliance and whose contact information must be included in the company’s privacy policy documents. These obligations force software organizations to invest in data governance tools to clearly map and track their data, effectively making the concept of “privacy by design” mandatory.
A common criticism of US data privacy laws is that there’s no universal law at the federal level. As a result, privacy regulations remain a patchwork of state-level laws, sector-specific laws, and a handful of regulations at the state level, such as the Privacy Act of 1974. Naturally, lack of regulatory clarity and consistency present a significant challenge to companies operating across states. To address this complexity, companies should focus on aligning their privacy efforts with the universally recognized NIST Privacy Framework, upon which many regulations are based. Full alignment with the framework typically goes above and beyond most privacy laws, making it a safe bet for organizations regardless of where they’re based.
What’s more, to navigate the patchwork of state laws, organizations might fine some relief by meeting the standards of one of the most stringent privacy laws like the CCPA. Another step leaders should prioritize is to automate Data Subject Rights (DSR) workflows, even if it’s not specifically mandated or implied. Both TIPA and VCDPA also require responses within 45 days, which means that manual fulfilment is rarely practical. However, implementing an automated system for intaking, verifying, and processing consumer requests offers a scalable data management solution for assisting companies in achieving privacy by design and default.