Two new comprehensive state privacy laws are coming into effect in July; the Minnesota Consumer Data Privacy Act (MNCDPA) and the Tennessee Information Protection Act (TIPA) will take effect on July 31, 2025, and July 1, 2025, respectively. These two states are the 14th and 15th states with state privacy laws now in effect (with four more such laws becoming effective in the coming months). These laws provide an array of consumer rights and place a variety of obligations on businesses to honor those rights and make certain disclosures and notices to consumers.
Minnesota
The MNCDPA applies to all Minnesota businesses (and businesses that target products or services to Minnesota residents) that meet certain thresholds. Most Minnesota dealers will meet those thresholds and therefore must comply with the new law. ComplyAuto conducted a webinar earlier this month with the Minnesota Automobile Dealers Association to cover the details of the new law. Dealers may access that webinar here.
Notably, the MNCDPA does not exempt entities regulated under the Gramm-Leach-Bliley Act (GLBA), making its applicability broader than many other state privacy laws.
The MNCDPA grants Minnesota residents a range of rights concerning their personal and sensitive data. These include the right to access, correct, delete, and opt out of certain data processing activities. Importantly, Minnesota also grants a unique right to question the results of profiling, extending beyond the requirements of other state privacy laws, which typically only mandate the ability to opt out of profiling altogether.
Similar to California, Oregon, Colorado, Connecticut, Montana, and Texas, Minnesota will require businesses to recognize universal opt-out mechanisms (e.g., the Global Privacy Control, or GPC). The Minnesota Act is one of the few state privacy acts that partially exempts small businesses (as defined by the United States Small Business Administration), though even a small business may not sell a consumer’s sensitive data without the consumer’s prior consent.
Additionally, the MNCDPA imposes a distinctive requirement on controllers: they must document and maintain a description of the policies and procedures they have adopted to ensure compliance with the MNCDPA. This documentation must include the name and contact information of the Chief Privacy Officer or the individual primarily responsible for compliance with the MNCDPA.
The MNCDPA becomes effective July 31, 2025. Businesses in Minnesota have a 30-day right to cure any alleged violations for the first six months of the new law (this cure right expires on January 31, 2026).
ComplyAuto is working closely with many Minnesota dealers to meet the obligations of the new law, and we have ensured that our Privacy software addresses the specific requirements of the MNCDPA.
Tennessee
The Tennessee privacy law (TIPA) applies to businesses with over $25 million in annual revenue and (a) control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information, or (b) during a calendar year, control or process the personal information of at least 175,000 consumers.
This is a relatively high threshold, and as a result, the TIPA applies only to larger businesses, and may mean that many TN dealers do not fall under the requirements of the TIPA. In addition, the TIPA has a broad exemption for GLB entities, which could also mean that TN dealers are exempt from the strict requirements of the TIPA.
The TIPA grants Tennessee residents a number of rights over their personal and sensitive information. These include the right to access their data, the right to correct inaccuracies, the right to delete their data, and the right to opt out of the processing of their data for purposes such as targeted advertising, sale, or profiling.
Tennessee adopts a narrower definition of “sale” than many other states. Under TIPA, a “sale” refers only to the exchange of personal information for monetary consideration. In contrast, states like Minnesota include both monetary and other valuable consideration in their definitions.
TIPA includes a unique safe harbor provision that allows controllers and processors to assert an affirmative defense to alleged violations, provided they maintain a written privacy program that “reasonably conforms” to the current privacy framework established by the National Institute of Standards and Technology (NIST).
The TIPA is effective July 1, 2025, and businesses in Tennessee have a 60-day right to cure alleged violations; this cure period does not currently have an expiration date.
Neither the TIPA nor the MNCDPA includes a private right of action, meaning consumers cannot directly sue businesses for violations under these laws. This leaves enforcement of these laws to the attorney general for each state.
Honoring Consumer Rights Is Becoming de facto Standard
Both of these state consumer privacy laws are complicated, and each has its own specific requirements. Many of these laws clearly apply to dealers, while others contain higher size, or other thresholds or exemptions, that could give dealers strong arguments against being subject to the requirements of these laws. That makes it complicated for dealers to fully determine their obligations under this patchwork of laws.
Even if you determine that your state’s privacy law does not clearly apply to your dealership, there are a number of important reasons why dealers may want to consider taking steps to honor these consumer privacy rights:
- First, a consensus is emerging that these consumer privacy laws have become the de facto consumer protection standard with respect to privacy. Every dealer should, for example, ensure that they have a clear and compliant privacy notice, even if there is no privacy law in their state.
- Second, many dealers have decided that, whether the laws strictly apply to them or not, they would rather ensure they are honoring these rights upon consumer request rather than trying to explain to their customers why they are exempt and therefore do not honor the privacy rights granted under state law.
- Third, many larger groups—multi-state dealer groups in particular—are opting to simply comply with these requirements across all locations rather than trying to determine on a consumer-by-consumer basis whether to honor consumer requests or not.
- Fourth, many OEMs have decided to apply consumer privacy rights to all consumers (whether as a matter of policy or convenience), and are imposing those obligations on their dealers by contract or otherwise, by requiring certain privacy policy requirements, data handling obligations, or requirements to honor specific consumer privacy rights.
- Finally, there is much debate about the scope of some of the exemptions under these state laws, particularly the GLBA entity exemptions. For example, questions have arisen on whether an entire entity would be exempt because some of the activities of the entity were subject to GLBA.1 Dealers should discuss this issue and their specific facts with their attorney. Note also that to date, at least one state has repealed the GLBA exemption in the state law because of the concern about the scope of the exemption.
This is a complicated area, and of course, dealers must make their own individual legal and business determinations. However, for these reasons and more, many dealers have decided to take steps to comply with these laws—even if that dealership is not in a state with such a law, or they are potentially technically exempt from the specific requirements of their state’s law.
ComplyAuto Has Dealers Covered
We understand that compliance with these various laws would be very difficult for a dealer to meet on their own. Perhaps the most compelling reason to take steps to comply with these laws, regardless of the specifics of each law, is that ComplyAuto has already figured it out for you—and made it simple for dealers. We are endorsed by the state associations in every state that has a consumer privacy law in effect. We have even worked directly with state regulators in several states to ensure our software meets the technical requirements of each law.
If you have questions about these state laws or how you can fully automate your dealership’s compliance with these complex new laws, reach out to ComplyAuto today. ComplyAuto’s software solution makes compliance simple and automatic. We are at the forefront of state privacy compliance for dealerships and offer automated software solutions to help make compliance straightforward and efficient. Partnering with ComplyAuto is a smart move. Reach out today to learn more.
1 For example, would all of Google be exempt because Google operates “Google Pay”? That is unlikely.