Leawood, Kan. – September 12, 2025: In the evolving landscape of data privacy and protection, U.S. states are increasingly stepping in to regulate how businesses collect, process, and safeguard personal information. Recently, Tennessee, Minnesota, and Maryland have enacted comprehensive consumer data privacy legislation to bolster data privacy protections for their citizens. The Tennessee Information Protection Act (House Bill 1181) (the “Tennessee Act”), the Minnesota Consumer Data Privacy Act (HF 4757, Chapter 121) (the “Minnesota Act”), and the Maryland Online Data Privacy Act of 2024 (Senate Bill 541) (the “Maryland Act”), collectively the “Acts,” all give consumers control over their personal data through several specified rights, impose security and disclosure obligations on entities that control and process the data, and are exclusively enforced by each state’s Attorney General. The Tennessee Act took effect on July 1, 2025. The Minnesota Act took effect on July 31, 2025. The Maryland Act takes effect on October 1, 2025, but does not apply to personal data processing activities occurring before April 1, 2026.
Below is a broad overview of some key aspects of the Acts collectively, including: 1) consumer data privacy requirements; 2) entities required to comply; 3) requirements for the entities that control and process the data (sometimes called the “controllers” and/or the “processors,” respectively); 4) consumer rights; 5) exemptions; and 6) penalties for non-compliance.
Consumer Data Privacy Requirements
The Acts cover transactions involving the collection, storage, use, disclosure, analysis, deletion or modification of a consumer’s personal information. They further require the implementation of reasonably accessible, clear and meaningful privacy notices. The Acts all follow a definition of “consumer” similar to that found in other privacy acts: a natural person who is a resident of the state acting only in a personal context, not including a natural person acting in a commercial or employment context. Personal Information or Personal Data is generally defined as information that is linked or reasonably linkable to an identified or identifiable natural person. See T. C. A. Section 2, §47-18-3201 (17); M.S.A. §3250.02 (p); MD §14-4601 (W)(1).
Entities Required to Comply
Under the Acts, legal entities and natural persons, including controllers and processors, must create, maintain, and comply with these recently enacted laws concerning the collection, processing and storage of their state residents’ personal data. The Acts define controller as “the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.” T. C. A. §47-18-3201(8); M.S.A. §3250.02 (h); MD §14-4601(K). They define processor as “a natural or legal person [entity] who processes personal data [information] on behalf of a controller.” T. C. A. §47-18-3201(20); M.S.A. §3250.02 (r); MD §14-4601(Z). Each Act applies to state residents who generate a certain amount of revenue in a calendar year and process personal information for a target number of consumers. For specific requirements, see T. C. A. §47-18-3202 (1) and (2); M.S.A. §3250.03 (a)(1) and (2); and MD §14-4602 (1) and (2).
Controller and Processor Requirements
The Acts specifically call out the requirements between a controller and a processor. The responsibilities between a controller and a processor include contractual obligations covering instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. These include, but are not limited to, requirements that the processor: 1) ensure that each person processing personal information is subject to a duty of confidentiality with respect to the data; 2) at the controller’s direction, delete or return all personal information to the controller as requested at the end of the provision of services, unless retention of the personal information is required by law; 3) upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations in this part; 4) allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor; and 5) engage a subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal information. See T. C. A. §47-18-3205 (a)-(d); M.S.A. §3250.04 (a)-(g); and MD §14-4608 (A)(3).
Personal Information and Data Rights – Consumer
Under the Acts, consumers have the right to: 1) confirm whether a controller is processing their personal data and to access that data; 2) correct inaccurate personal data concerning the consumer; 3) delete personal data concerning the consumer (Maryland carves out an exception to this where the retention of personal data is required by law); 4) obtain a copy of the consumer’s personal data that the consumer previously provided, to the extent technically feasible; 5) opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects or similarly significant effects concerning the consumer; and 6) obtain a list of the specific third parties to which the controller has disclosed the consumer’s personal data, or, if the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers’ personal data. T.C.A. §47-18-3203 (a)(2)(A)-(E); M.S.A. §3250.05 (a)-(f); MD §14-4605 (B)(1)-(7).
Exemptions
All three Acts provide several exemptions, including the Gramm-Leach-Bliley Act (GLBA), which governs how financial institutions handle personal information, and Minnesota includes small business exemptions. T. C. A. §47-18-3210(a)(2); M.S.A. §3250.03, Subdivision 2(a)(9) and (19); MD §14-4603(a)(1). The Minnesota Act further provides a limited exemption for small businesses as defined by the United States Small Business Administration. M.S.A. §3250.075(a). The only restriction for small businesses is that they must not sell a consumer’s sensitive data without the consumer’s prior consent. Id.
Right to Cure and Penalties
The Acts provide a right to cure provision. T. C. A. §47-18-3212; M.S.A. §3250.010; MD §14-4614 (C). In Tennessee and Minnesota, there is no private right of action, while the Maryland Act states that a consumer may pursue “any other remedy provided by law.” MD §14-4613 (B).
The attorney general in each respective state has the authority to enforce the Acts. In the absence of a cure, the controller is subject to fines ranging from $7,500 to $10,000. T.C.A. §47-18-3212(d)(1); M.S.A. §3250.010(c); and MD §13-410 and §13-411. In Tennessee, if the violation is determined to be willful, a discretionary award for treble damages is available. T.C.A. §47-18-3212(d)(2).
Other Amendments and Additions
This is a very broad overview of some of the parts of the Acts. To view the laws in their entirety, see the Tennessee Information Protection Act, Minnesota Consumer Data Privacy Act, and Maryland Online Data Privacy Act.
About the Compliance Libraries:
The Compliance Libraries provide a one-stop location for comprehensive information on the laws, rules and standards regulating gift cards. Their range includes federal and state laws, GAAP accounting standards and tax rules, along with other helpful items.
For more information visit www.compliancelibraries.com.
CARD Alerts are distributed by Compliance Libraries which is maintained by Card Issuance & Management, Inc., a subsidiary of Card Compliant, LLC.