Three More States. The Same Core Problem for Marketers.
The patchwork of US state privacy laws keeps growing, and the operational burden on marketing and data teams grows with it. Tennessee's comprehensive privacy law took effect July 1, 2025. Minnesota's took effect July 31, 2025. Maryland's Online Data Privacy Act takes effect October 1, 2025 and carries some of the strictest data-minimization requirements of any state law passed so far.
If your business collects consumer data from residents of any of these states, these laws apply to you regardless of where your company is based. The thresholds vary by law, but the pattern is consistent: businesses that process personal data above certain volume or revenue thresholds are covered. The question is not whether to pay attention. It is whether your current data practices can withstand scrutiny under each law.
What Makes Maryland Different
Maryland's Online Data Privacy Act is worth calling out specifically because its data-minimization standard is more demanding than most comparable state laws. The law requires that data collection be limited to what is reasonably necessary and proportionate to the purpose for which it is collected. That is a higher bar than a generic consent requirement, and it has direct implications for the breadth of tracking, retargeting, and audience-building practices common in digital marketing.
Maryland also places restrictions on the processing of sensitive data for advertising purposes and gives consumers meaningful rights to access, correct, delete, and opt out of targeted advertising. With October 1 as the effective date, organizations that have not yet assessed their compliance posture are running short on time.
The Compliance and Data Strategy Checklist
Across all three laws, the core obligations overlap enough that a unified assessment framework covers most of the ground. Work through these in order.
1. Inventory Your Data Collection
Before you can assess compliance, you need to know what data you are collecting, from which states, through which mechanisms, and for what stated purposes. This includes first-party data from forms and CRM systems, pixel and tag-based behavioral data, third-party data purchases or partnerships, and any call or chat data you collect. If you do not have a current data map, build one. It is the foundation of everything else.
2. Assess Legal Basis for Each Collection Purpose
Under all three laws, you need a lawful basis for processing personal data. For marketing purposes, that typically means consent or a legitimate interest assessment. Review each data collection point and confirm you have documented the legal basis. Gaps here are where enforcement risk concentrates.
3. Audit Your Consent Mechanisms
Consent under these laws must be freely given, specific, and informed. Pre-checked boxes, buried disclosures, and consent obtained through dark patterns do not qualify. Audit your cookie consent tools, lead capture forms, and any other consent touchpoints. If you serve Maryland residents, pay particular attention to how you handle consent for targeted advertising and sensitive data categories.
4. Review Data Retention Practices
Data-minimization requirements mean you cannot hold data indefinitely. Review your retention schedules for marketing data, ad platform audience lists, CRM records, and call recordings. Implement automated deletion or anonymization for data that has exceeded its useful life and retention schedule.
5. Confirm Consumer Rights Fulfillment Capacity
All three laws give consumers rights to access their data, request corrections, request deletion, and opt out of certain processing. Make sure you have a mechanism to receive and fulfill these requests within the timeframes each law requires. Silence or missed deadlines are the most common enforcement triggers in the consumer rights context.
6. Update Privacy Notices
Your privacy notice needs to accurately describe what you collect, why, how long you retain it, who you share it with, and what rights consumers have. If your current notice does not cover Tennessee, Minnesota, and Maryland residents specifically, it needs updating before the applicable effective dates.
The First-Party Data Imperative
These laws are accelerating the shift toward first-party data strategies for a practical reason: data you collect directly with proper consent and a clear disclosed purpose is far easier to defend under any state privacy law than data acquired through third-party networks or scraped from behavioral signals of uncertain provenance.
Teams that have already invested in first-party data infrastructure, direct consent flows, and clean CRM hygiene are in a significantly better position when these laws arrive than teams still dependent on third-party audience targeting. That gap will only widen as more states follow.
Do Not Wait for October to Start
Tennessee and Minnesota are already in effect. Maryland is weeks away as of this writing. The organizations that will navigate this environment most cleanly are the ones who treat privacy compliance as a data-strategy decision, not a legal afterthought. That means building practices that would pass scrutiny under the strictest applicable law rather than calibrating to the minimum each law technically requires.
If you want to align your data collection and tracking architecture with the current and emerging state privacy landscape, AdStack™'s first-party data tracking practice builds these systems with compliance durability in mind. Book a call to assess where your current setup stands.

Article imagery is illustrative. Product names, logos, and brands that may appear in images or text are the property of their respective owners and are used for identification and commentary only; their appearance does not imply any affiliation with, or endorsement by, those owners.



