July Privacy Deadlines Are Here: What Tennessee, Minnesota, and the FTC Require

You may be out of the office, but regulators aren't taking time off. July brings three key compliance deadlines every business should be tracking.

Tennessee’s Information Protection Act took effect on July 1. It gives consumers the right to access, correct, delete, and opt out of the sale or targeted use of their personal data. The law applies to businesses with over $25 million in revenue that handle data on 175,000 or more consumers, or 25,000 if more than 50 percent of revenue comes from selling personal information. Covered businesses must respond to consumer requests within 45 days and provide clear, transparent privacy notices.

On July 14, the FTC’s “Click to Cancel” rule becomes enforceable. It requires companies that offer subscriptions or auto-renewing services to make cancellation as simple as enrollment. If a customer signed up online, they must be able to cancel online. The rule applies to both individual and business customers, except for individually negotiated B2B contracts, which still must include fair cancellation terms.

Minnesota follows with its Consumer Data Privacy Act, effective July 31. The law is similar to Tennessee’s, giving Minnesotans rights over their personal data and requiring businesses to implement reasonable security and clear privacy disclosures. It applies to companies that handle data on 100,000 or more consumers, or 25,000 if more than 25 percent of revenue comes from selling personal information.

These rules raise expectations around transparency, user control, and data governance. Businesses should review privacy policies, verify opt-out mechanisms, and ensure their cancellation flows meet the new standards. July may be a busy month, but you don’t want to miss these deadlines.

*Author’s post-publication note: On July 8, 2025, the Eighth Circuit Court of Appeals vacated the amended Negative Option Rule, eliminating the “Click to Cancel” requirement. The ruling is available here.