2023 Round-Up on State Consumer Data Privacy Laws

Ilse Johnson, Michael Katz
Mintz - Privacy & Cybersecurity Viewpoints
Contact
LinkedIn
Facebook
X
Send
Embed

Mintz - Privacy & Cybersecurity Viewpoints

Looking back sometimes means looking forward. That is absolutely the case for new comprehensive data privacy statutes enacted in a number of U.S. states during 2023, including Indiana, Tennessee, Montana, Florida, Texas and Oregon. While these states have now codified a range of consumer rights with respect to their personal data, as well as new obligations imposed on covered businesses collecting and processing that data, the new laws do not take effect until the middle of 2024 or beyond. All the same, companies who may be subject to these laws in the future should start preparing now to comply with what are becoming increasingly standardized requirements across many U.S. states.

To assist our readers become more familiar with the new laws, we have prepared a summary chart below describing key features with respect to consumer rights, business obligations, and enforcement provisions. A few things jump out – for example, the laws are strikingly similar and provide consumers with nearly identical rights to request information about personal data a business is collecting and to exercise greater control over how it will be used. Covered businesses will also have largely consistent obligations with respect to personal data they are collecting with only minor variations (e.g., how often consumers may request information about their personal data, or when data impact assessments will need to be conducted, or when consent may be required for collecting a minor’s information for targeted advertising purposes). Potential penalties vary somewhat but all of the states will rely on state attorneys general offices to enforce their statutes, rather than provide consumers with a private right of action.

For more comprehensive summaries of each statute, we invite you to review our blog posts from earlier this year by clicking the following links:  IndianaTennesseeMontanaFlorida and Texas. These articles have direct links to the laws as well. If you have any questions related to state consumer data privacy laws, please feel free to contact anyone from Mintz’s Privacy & Cybersecurity team.

Similar to existing state privacy laws, the new laws establish applicability thresholds described in the chart below for determining what are covered businesses subject to the statute.

INDIANA

Persons that conduct business in Indiana or targeting products / services to residents in Indiana, and during a calendar year the business:

  1. Control or process personal data of 100,000 or more IN consumers who are residents; or
  2. Control or process personal data of 25,000 IN consumers who are residents and derives more than 50% of gross revenue from sale of personal data.
TENNESSEE

Persons that conduct business in Tennessee or targeting products / services to residents in Tennessee, if, during a calendar year the company generates at least $25 million in gross annual revenue and must either:

  1. Control or process personal data of 170,000 or more TN consumers; or
  2. Control or process personal data of 25,000 TN consumers and derives more than 50% of gross revenue from sale of personal information.
MONTANA

Persons that conduct business in Montana or targeting products / services to residents in Montana, and during a calendar year the company:

  1. Control or process personal data of 50,000 or more MT consumers, excluding for the purpose of completing payment transactions; or
  2. Control or process personal data of 25,000 MT consumers and derives more than 25% of gross revenue from sale of personal data.
FLORIDA

Persons that generate at least $1 billion in gross revenue and must either:

  1. Derive 50% or more of its global annual revenues from targeted advertising or the sale of ads online;
  2. Operate a consumer smart speaker and voice command service with an integrated virtual assistant through a cloud service and hands-free verbal activation, or
  3. Operate an app store that offers at least 250,000 software applications for consumers to download.
TEXAS

Persons that:

  1. Conduct business in Texas or produce products / provide services consumed by residents of Texas;
  2. Process or engage in the sale of personal data; and
  3. Do not qualify as a small business as defined by the United States Small Business Administration (with limited exceptions).
OREGON

Persons that conduct business in Oregon or that provide products / service to residents in Oregon, and during the calendar year the company:

  1. Control or process personal data of 100,000 or more OR consumers, other than for completing a payment transaction; or
  2. Control or process personal data of 25,000 OR consumers and derive 25% or more of gross revenue from sale of personal data.

In addition to the applicability requirements of each law, the chart below provides a snapshot of consumer rights, business obligations and enforcement provisions addressed by the new state consumer privacy laws passed in 2023. Please note that the consumer rights created by these new laws are not available with respect to personal data collected from individuals acting in a commercial context (i.e., B2B) or employment context.

Consumer Rights Indiana Tennessee Montana Florida Texas Oregon
Right to know Yes Yes Yes Yes Yes Yes
Right to access Yes Yes Yes Yes Yes Yes
Right to correct Yes Yes Yes Yes Yes Yes
Right to delete Yes Yes Yes Yes Yes Yes
Right to portability Yes Yes Yes Yes Yes  
Right to opt out of targeted advertising Yes Yes Yes Yes Yes Yes
Right to opt out of sale of personal data  Yes Yes Yes Yes Yes Yes
Right to opt-out of profiling  Yes Yes Yes Yes Yes Yes
Right to opt in for sensitive data processing  Yes Yes Yes Yes Yes Yes
Right to opt in or out the collection of precise geolocation data or voice recognition features  Yes, opt in for geolocation data Yes, opt in for geolocation data Yes, opt in for geolocation data Yes, opt out for both Yes, opt in for geolocation data Yes, opt in for both
Business Obligations Indiana Tennessee Montana Florida Texas Oregon
Respond to consumer requests Within 45 days (may be extended 45 days) Within 45 days (may be extended 45 days) Within 45 days (may be extended 45 days) Within 45 days (may be extended 45 days) Within 45 days (may be extended 45 days) Within 45 days
Provide required information to consumers free of charge Yes, up to 1x per year Yes, up to 2x per year Yes, up to 1x per year Yes, up to 2x per year Yes, up to 2x per year Yes, up to 1x per year
Authenticate requests Yes Yes Yes Yes Yes Yes
Establish a process for consumers to appeal any refusal to take action Yes Yes Yes Yes Yes Yes
Provide a “reasonably accessible” and clear privacy notice Yes Yes Yes Yes Yes  
 Disclose any sale of personal data or use of personal data for targeted advertising (and how to opt-out) Yes Yes Yes Yes Yes Yes
Conduct and document data protection impact assessments for processing activities generated:  After December 31, 2025 On or after July 1, 2024 After January 1, 2025 On or after July 1, 2023 After July 1, 2024 On or after July 1, 2024
Limit collection of personal data to what is adequate, relevant and reasonably necessary in relation to the disclosed purposes  Yes Yes Yes Yes Yes Yes
Process personal data solely for disclosed purposes or purposes compatible with disclosures, unless the consumer consents Yes Yes Yes Yes Yes Yes
Do not discriminate against a consumer for exercising any consumer rights Yes Yes Yes Yes Yes Yes
Obtain consent before selling or using data from users between 13 and 15 years of age for targeted advertising No No Yes No No Yes
Enforcement Indiana Tennessee Montana Florida Texas Oregon
Private right of action No No No No No No
Enforcement Attorney General Attorney General Attorney General Florida Department of Legal Affairs Attorney General Attorney General
Opt-in default for sensitive data (requirement age) 13 years of age 13 years of age 13 years of age 13 years of age 13 years of age 13 years of age
Right-to-cure period 30 days 60 days 60 days* 45 days 30 days 30 days*
Max civil fine per violation $7,500 $7,500 None established $50,000 $7,500 $7,500
Effective date  January 1, 2026 July 1, 2025 October 1, 2024 July 1, 2024 July 1, 2024 July 1, 2024, July 1, 2025 for non-profits

*The procedural notice and cure period will sunset on April 1, 2026 for Montana and January 1, 2026 for Oregon.

We expect that 2024 will bring new state data privacy laws, in the absence of a federal omnibus privacy statute. Watch this space.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Mintz - Privacy & Cybersecurity Viewpoints

Written by:

Mintz - Privacy & Cybersecurity Viewpoints
Mintz - Privacy & Cybersecurity Viewpoints
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Mintz - Privacy & Cybersecurity Viewpoints on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide