After several months of privacy developments to start 2023, this trend has not only continued, but has continued at an accelerated pace into June. As state legislatures adjourn for summer recess, it is a good time to take note of the flurry of activity thus far in 2023. As of the close of May, Indiana, Montana, and Tennessee all passed comprehensive data privacy laws, with Texas entering the foray most recently this week, which leaves us now with ten comprehensive state privacy laws.

We have also seen sectoral privacy laws pass state legislatures as part of this tumultuous second quarter, including Washington's My Health My Data Act, which applies broadly beyond the health care industry. 

Businesses will need to take note of these new laws and prepare for privacy policy updates as these laws come into effect.

Indiana

The Indiana Consumer Data Protection Act was signed into law on May 1st. The Act will allow ample time for compliance with an effective date of January 1, 2026, which is the latest effective date we have seen thus far.

The Act is largely modeled after Virginia’s data privacy law and will apply to any business that conducts business in Indiana or produces products or services that are targeted towards Indiana residents and which also in a calendar year: (1) controls or processes personal information of 100,000 consumers who are Indiana residents; or (2) controls or processes data of at least 25,000 Indiana residents and derives more than 50% of gross revenue from the sale of personal information.

The law applies to traditional “consumers” that are acting for a personal, family, or household purpose, and excludes individuals acting in an employee or business capacity.

The Act contains several of the same exceptions and limitations we have seen in other state privacy laws, with one notable exception: the Act expressly states that it does not restrict “an owner of a riverboat licensed under IC 4-33-6” from implementing and operating a facial recognition program approved by the Indiana gaming commission as a nod to Indiana’s gaming industry.   

Consumer rights granted include the right to know, the right to access, the right to correct, the right to delete, and the right to opt out. The law also requires data protection impact assessments (DPIAs) for certain processing activities as well as data processing contracts. The law is enforced by the Indiana Attorney General and does not allow for a private right of action.

Tennessee

On May 11, Tennessee’s governor signed the Tennessee Information Protection Act (TIPA) into law. TIPA combines some elements of the current existing comprehensive laws (TIPA most closely resembles Virginia's privacy law), while introducing some interesting twists and new elements not yet seen in other comprehensive laws.

TIPA applies to entities that produce products or services targeted to residents of the state and that (1) control or process personal information of at least 100,000 consumers; or (2) control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.

TIPA includes the traditional suite of consumer rights (such as the rights to know, access, correct, delete, portability, and non-discrimination) and business obligations (privacy notices, data processing contracts, requirements for processing sensitive data, and DPIAs).

Despite its similarities to other comprehensive laws, TIPA features a key difference because it requires a data controller or processor to create, maintain, and comply with a written privacy program that meets the National Institutes of Standards of Technology (NIST) "A Tool for Improving Privacy through Enterprise Risk Management Version 1.0." This marks the first of the comprehensive laws to reference a specific technical standard and to provide businesses an affirmative defense to TIPA violations if they are in compliance with NIST standards.

TIPA will come into effect on July 1, 2024. Note that Tennessee’s law, along with Montana’s law below are effective before Indiana, despite later passage.

Montana

On May 19, Montana’s governor signed the Montana Consumer Data Privacy Act (MCDPA). MCDPA will become effective on October 1, 2024.

There is no revenue threshold, but other applicability thresholds are lower than is typical for comprehensive privacy laws. The threshold in Montana is data of only 50,000 Montana residents and if only 25% of annual gross revenue is derived from the sale of data, the threshold is decreased to 25,000 Montana consumers.

The law puts data minimization front and center as well, mimicking Connecticut’s edicts on only  processing personal data for purposes that are reasonably necessary or compatible with the purpose disclosed to the consumer and requiring consent for processing that is not reasonably necessary or compatible. Consumer consent is also required before processing any sensitive data of a consumer.  

The MCDPA also provides consumers with the right to request deletion of any personal data in a controller’s possession, not just data that the controller collected directly from the consumer. Additionally, the MCDPA grants consumers the right to opt out of targeted marketing, profiling, and the sale of their personal data. More robust protections for children are also introduced through opt-in rights for advertising and target marketing to minors between the age of 13 and 16.

Also of note under Montana’s law is a prohibition of dark patterns that subvert or impair consumer choice, and, beginning January 1, 2025, DPIAs will be required before an entity processes personal data in a way that presents a heightened risk of harm to consumers, which expressly includes targeted marketing and the sale of personal data. The MCDPA additionally requires data processing contracts when processing is performed on behalf of a controller.

Aligned with most other comprehensive state privacy legislation, the MCDPA is only enforceable by the Montana Attorney General; and until April 1, 2026, the Montana Attorney General will be required to provide entities with notice and an opportunity to cure any purported violation. There is no private right of action for consumers.

Texas

On May 29, Texas lawmakers passed the Texas Data Privacy and Security Act (TDPSA), which now awaits signature by Texas Governor Greg Abbott. Abbott has only ten days to sign the bill, and the effective date of the Act is July 1, 2024.

The TDPSA contains common comprehensive privacy law obligations but differs from other comprehensive privacy laws in its applicability. The Act contains unique applicability thresholds, where the typical number of residents whose information is processed, and monetary thresholds for applicability, are omitted. Rather, TDPSA applies to any entity that (1) conducts business in Texas or produces a product or service consumed by Texas residents, (2) processes or engages in the sale of personal data, and (3) is not a small business as defined by the U.S. Small Business Administration. This is a significant departure from the trend we have seen over the last two years, and it remains to be seen if other states will follow. 

The TDPSA also contains carveouts for certain typically excluded entities and data. Like Montana, the TDPSA similarly contains a prohibition of dark patterns to obtain consent, requires DPIAs when processing certain information, and additionally requires data processing contracts that contain certain enumerated requirements. The TDPSA is enforced by the Texas Attorney General and does not allow for a private right of action.