Data protection in the United States: June 2025 update

Published June 11, 2025, by Patrick Austin

Summary

State legislatures have been quite busy in recent months passing or amending laws that will impact the broader data privacy landscape in the United States.

For example, new consumer data privacy laws are scheduled to take effect in a matter of weeks. Multiple states have enacted new privacy protections for children’s data, and some states are contemplating additional data privacy regulations.

 

Keep reading for a general overview of notable regulatory and legislative developments related to data protection in the United States in June 2025.

Consumer data privacy laws set to take effect in Tennessee & Minnesota

For companies operating in the Volunteer State and/or the Gopher State, now is the time to update (or establish) your compliance programs for new data privacy laws set to go into effect in July. 

Specifically, the Tennessee Information Protection Act will take effect on July 1, 2025, while the Minnesota Consumer Data Privacy Act will take effect on July 31, 2025. Each law contains unique provisions and compliance obligations. Let’s take a look at each. 

Overview of the Tennessee Information Protection Act (TIPA)

TIPA is similar to the Virginia Consumer Data Protection Act in that it is structured to be a more “business-friendly” data privacy law.

For example, like in Virginia’s law, the TIPA defines a “consumer” to exclude a natural person “acting in a commercial or employment context.” Basically, this means that employment data and commercial data are not subject to the TIPA, which narrows the scope of covered personal data under the Tennessee law.

In addition to a narrow definition of “consumer”, the TIPA applies to businesses in Tennessee producing products or services that target state residents, generate more than $25 million in annual revenue, and that either:

  • (i) control or process the personal data of 175,000 or more Tennessee consumers; or
  • (ii) control or process the data of 25,000 consumers while deriving more than 50 percent of gross revenue from the sale of personal information. 

The combination of a revenue threshold and a relatively high numerosity threshold (e.g., Virginia’s numerosity threshold is triggered when a business processes the personal data of 100,000 or more residents) further limits TIPA’s scope and application.

Like other state consumer data privacy laws, and the European Union’s General Data Protection Regulation, the TIPA governs the personal data activities of “controllers” (i.e., those empowered to determine the purpose and means of processing personal data) and “processors” (i.e., those empowered to process the personal data on the controller’s behalf). 

When a controller engages a processor to handle personal data, the TIPA requires controllers to enter into binding contractual agreements with processors that, among other things, must: 

  • (i) describe the nature and purpose of the processing; 
  • (ii) provide instructions for the data processing; and 
  • (iii) set forth the rights and obligations of both the controller and the processor. 

Under such an agreement, processors must agree to adhere to a duty of confidentiality when processing personal data, to delete or return all personal data to the controller upon the controller’s request at the end of the provision of services, make personal data available upon the controller’s request, and cooperate with the controller during an assessment or regulatory investigation. 

Under the TIPA, state residents are afforded a set of data subject rights comparable to those afforded under other state consumer data privacy laws. For example, under the TIPA, consumers in the Volunteer State have the right to: 

  • Know whether a controller is processing the consumer’s data; 
  • Access the consumer’s data;
  • Request correction of any inaccuracies in the consumer’s personal data; 
  • Delete personal data provided by, or obtained about, the consumer; 
  • Obtain a copy of their personal data in a portable and readily usable format; and 
  • Opt out of processing for the sale of personal data, targeted advertising or profiling.

Similar to the consumer data privacy laws in Virginia, Iowa, Colorado, Connecticut, Nebraska, Texas, etc., the TIPA requires covered companies to establish protocols allowing a consumer to appeal the refusal to process, or denial, of a data subject request. 

A unique aspect of the TIPA is an affirmative defense provision that provides a safe harbor to companies in the event they are sued for an alleged violation of the law. Specifically, the safe harbor provision is triggered when companies can produce evidence that their written privacy policy “reasonably conforms” to the NIST Privacy Framework or “other documented policies, standards, and procedures designed to safeguard consumer privacy.” Tennessee is currently the only state to provide such an affirmative defense in its data privacy law. 

For context, the NIST Privacy Framework is a set of voluntary guidelines based on five core functions:

  1. Developing organizational understanding to manage privacy risk to individuals from processing personal data.
  2. Implementing a governance structure to enable ongoing understanding of risk management priorities.
  3. Implementing appropriate activities to allow individuals or organizations to manage data effectively and manage privacy risk.
  4. Developing appropriate activities to allow individuals and organizations to understand privacy risks associated with data processing.
  5. Implementing appropriate data processing safeguards to prevent cybersecurity-related privacy events.

In addition to the NIST affirmative defense, the TIPA contains a generous 60-day cure period. This is one of the longest cure periods among all the enacted state consumer data privacy laws. In fact, only Iowa’s 90-day cure period is longer. This means that, before an enforcement action can be initiated by the Tennessee Attorney General’s Office, a notice must be provided to a covered business identifying the alleged compliance violation and allowing the business 60 days to remedy the alleged violation.

Overview of the Minnesota Consumer Data Privacy Act (MCDPA)

Minnesota’s consumer data privacy law - much like the data privacy laws in Tennessee, Virginia, Utah, Iowa, and others - is also generally considered to be a more “business-friendly” data privacy law.  

For example, the MCDPA only applies to companies that control or process the personal data of at least 100,000 unique Minnesota consumers; or control or process personal data of 25,000 unique Minnesota consumers and derive over 25% of gross revenue from the sale of personal data, but excludes companies that process personal data of Minnesota consumers solely for the purpose of completing a payment transaction. This unique exclusion means that many brick-and-mortar businesses in the Gopher State will likely fall outside the MCDPA’s jurisdictional orbit.

Similar to the Tennessee law, the MCDPA imposes compliance obligations on data controllers and processors, including the requirement that controllers and processors enter into written agreements governing a processor’s data processing procedures performed on behalf of a controller. 

Specifically, the MCDPA requires contractual provisions that include clear instructions for the processing of applicable data, describe the type of data subject to, and the duration, nature, and purpose of such processing, and specify the rights and obligations of each party, including compliance inspections and information requests.

The MCDPA also obligates controllers to provide consumers with a reasonably accessible and clear privacy notice, which, among other things, must contain the following disclosures:

  • The categories of personal data processed by the controller and the purpose of such processing;
  • The categories of personal data that the controller sells to or shares with third parties, if any;
  • The categories of third parties, if any, to whom the controller sells or shares personal data;
  • How consumers may exercise their privacy rights, including the appeals process;
  • The controller's contact information;
  • A description of the controller's retention policy for personal data; and
  • The date the privacy notice was last updated. 

The MCDPA provides residents of Minnesota with data subject rights comparable to the TIPA and many other state data privacy laws. For example, the MCDPA affords residents the right to: 

  • Confirm processing of personal data (along with access to categories of personal data being processed);
  • Correct inaccurate personal data;
  • Request deletion of a data subject’s personal information;
  • Request a copy of their personal data in a transferable format;
  • Question the results of profiling decisions made by covered companies, including understanding the reasoning behind such decisions and how to achieve different outcomes;
  • Opt out of (i) targeted advertising; (ii) the sale of personal data; and (iii) profiling in furtherance of automated decisions that produce legal or similarly significant effects; and
  • Request a list of specific third parties to whom a covered company has disclosed a consumer's personal data. 

A unique aspect of the MCDPA is that it requires controllers to obtain opt-in consent from consumers identified as being between the ages of 13 and 16 before selling or sharing their personal data for targeted advertising. 

Similar to the Tennessee law, the MCDPA contains a cure period for companies to correct any alleged compliance violations. However, the cure provision in the MCDPA is limited to 30 days and will sunset on July 31, 2026 (i.e., one year after the law takes effect). 

New Jersey regulatory agency proposes data privacy regulations

States are not only passing and amending consumer data privacy laws. Some are also contemplating new data privacy regulations that could impact how businesses collect and process personal data. 

For example, the New Jersey Data Protection Act, which went into effect on January 15, 2025, empowers the Director of the Division of Consumer Affairs (DDCA) to promulgate data privacy regulations. A draft of proposed regulations was recently published by the DDCA. 

By way of background, New Jersey is one of only a few states with a consumer data privacy law that authorizes formal rulemaking. The proposed regulations are broad and, in some instances, highly prescriptive. Notable provisions include the following:

  • Privacy notices must “clearly define” each processing purpose while broad or future-facing justifications are expressly prohibited.
  • New consent is required if a business is processing data in a manner that is not "reasonably compatible" with previously disclosed purposes.
  • Controllers must limit data collection to what’s “reasonably necessary.”
  • Controllers must delete sensitive data within 15 days of a consumer withdrawing consent.
  • Prescriptive requirements for providing consumer notices and obtaining valid consent.
  • New factors to consider whether a processing purpose is compatible with disclosed activities or requires new consent.
  • New data minimization requirements that would obligate businesses to create a “data inventory” and to “immediately delete” sensitive data upon revocation of consent.
  • Requirement for covered companies to “refresh” consent within 24 months.
  • Risk assessments must include any technology used by a covered company, the potential for psychological harm from certain data processing activities, and an analysis of whether the data processing’s benefits outweigh its risks.

As mentioned, these regulations are in proposal form and have not been finalized. The public comment period runs until August 1, 2025. Nevertheless, New Jersey intends to establish a robust regulatory regime that companies will need to be prepared to comply with in the near future. 

Multiple states enact child data privacy laws and amendments

Tennessee and Minnesota are not the only states with new data privacy laws on the books. New York and Arkansas recently passed more targeted data privacy legislation designed to strengthen privacy protections for children’s data. 

The recent trend toward child data protection appears to be spurred by the fact that the federal Children's Online Privacy Protection Act (COPPA) only applies to data of minors age 13 and younger. Many states, such as New York, Arkansas, and Montana, are passing laws that help “fill the gap” for minors between the ages of 14 and 18. 

Let’s take a look at the new laws coming into effect in New York and Arkansas, along with recent amendments to Montana’s data privacy law. 

Overview of the New York Child Data Protection Act

The New York Child Data Protection Act (NYCDPA) is on track to take effect on June 20, 2025. 

The law generally prohibits website “operators, third-party operators, and processors” from collecting, using, sharing, or selling the personal data of anyone residing in New York that is under the age of 18, unless doing so is strictly necessary for the purpose of the website or the operator of the site receives informed consent from the covered user. 

According to the NYCDPA, a “covered user” is defined as a user of a website, online service, online application, mobile application, or connected device, or portion thereof, in the state of New York who is:

  • (a) actually known to be a minor; or
  • (b) using a website, online service, online application, mobile application, or connected device primarily directed to minors.

An “operator” is defined in the NYCDPA as any person who operates or provides a website on the internet, online service, online application, mobile application, or connected device, and who, alone or jointly with others, controls the purposes and means of processing personal data. 

The NYCDPA prohibits operators from processing, or allowing their processors to process, the personal data of a covered user unless:

  • (i) the covered user is 12 years of age or younger and processing is permitted under the COPPA; or 
  • (ii) the covered user is 13 years of age or older and processing is strictly necessary for certain specified activities, or informed consent has been obtained.

The NYCDPA is unique in requiring businesses to respect “age flags” that signal the age of users. For context, the age flag provision requires operators to treat users as covered users if their device communicates or signals that the user is, or shall be treated as, a minor through a browser plug-in, privacy setting, device setting, or other mechanism.

The New York Attorney General recently issued guidance indicating that specific rulemaking on “age flags” will be forthcoming. In the interim, the New York Attorney General’s Office will “exercise discretion” on this provision for businesses that exhibit good faith efforts to comply with the rest of the law.

Overview of the Arkansas Children and Teens’ Online Privacy Protection Act

The Arkansas Children and Teens’ Online Privacy Protection Act (ACTOPPA) was recently signed into law and is expected to go into effect on July 1, 2026. The law establishes enhanced data privacy protections for individuals between the ages of 13 and 16.

Similar to New York’s child data protection law, the ACTOPPA applies to “operators” of a website, online service, online application, or mobile application that are “directed at children or teens” or when operators have actual knowledge that they are collecting personal information from children or teens. The law prohibits an operator that has actual knowledge it is collecting personal information from children or teens from engaging in further collection of personal information for the purposes of targeted advertising. 

The law also obligates an operator who has actual knowledge that it is collecting personal information from children or teens to:

  • Provide a clear and conspicuous privacy notice of specific uses, processing, and disclosures of personal data, as well as the rights available to parents;
  • Provide users (and their parents) the opportunity to request the deletion of the account of a child or teen;
  • Obtain consent for the collection, use, or disclosure of personal information from a teen or a parent of a teen; 
  • Provide the opportunity to challenge the accuracy of and correct inaccurate personal information of a child or teen; and
  • Provide a means for a teen or a child’s parent to obtain personal information collected from that teen or child, respectively.

Montana amends consumer data privacy law

Montana recently enacted SB 297, which contains a series of significant amendments to the Montana Consumer Data Protection Act.

For example, SB 297 would require a controller that offers an online service, product, or feature to a consumer whom the controller “actually knows or willfully disregards” is a minor under the age of 18 to use reasonable care to avoid a “heightened risk of harm” caused by the product. 

SB 297 would also prohibit a controller from processing a known minor’s personal data for: 

  • Targeted advertising, sale, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer;
  • Any processing purpose other than that disclosed or that is reasonably necessary for and compatible with the processing purpose; or
  • A duration longer than what is reasonably necessary to provide the online service, product, or feature, without the minor’s consent.

In addition, SB 297 would require data protection assessments to be conducted for data processing activities that present a heightened risk of harm to minors. 

How Didomi can help your company comply with data privacy laws in the U.S.

As you can see, there is a lot of activity in the U.S. consumer data privacy space, and this summer is expected to be a busy one.

Didomi is taking proactive steps to help organizations gear up: we recently introduced updates to our CMP that facilitate multi-regulation compliance, and are consistently releasing guidance for organizations. Recently, this included key topics mentioned in this article, such as compliance with underage data protection laws and general guidance on how to comply with the patchwork of consumer data privacy laws in the U.S.

To continue the conversation and discuss how to make the most out of your privacy efforts in the U.S., get in touch with our team:


The author
Patrick Austin
Cybersecurity & Data Privacy Counsel at Woods Rogers
U.S.-based data privacy attorney and Certified Information Privacy Professional (CIPP/US, CIPP/E, CIPM)