Three More States Join Consumer Privacy Trend
May 8, 2023
Indiana has recently enacted a comprehensive consumer privacy law, with Montana and Tennessee following close behind with the recent passage of privacy bills in each state’s legislature. These states are joining a trend that now stands at a total of nine states with comprehensive privacy laws—and likely more to come.
- On April 13, 2023, the Indiana legislature passed the Indiana Consumer Data Protection Act (“ICDPA”), which was signed into law on May 1, 2023;
- On April 21, 2023, the Montana legislature unanimously approved Montana’s Consumer Data Privacy Act (“MCDPA”), which is currently pending the governor’s signature; and
- On April 21, 2023, the Tennessee legislature unanimously passed the Tennessee Information Protection Act (“TIPA”), which is currently pending the governor’s signature.
As consumer privacy measures proliferate, companies will need to ensure their compliance with this expanding patchwork of privacy requirements.
Scope and Exemptions
Indiana. The ICDPA is set to take effect on January 1, 2026. The law defines personal data as information that is “linked or reasonably linkable to an identified or identifiable individual.” Personal data does not include de-identified data, aggregate data, or publicly available information. The statute applies to a person that (1) conducts business in Indiana or produces products or services that are targeted to residents of Indiana; and (2) during a calendar year, satisfies one of the following thresholds: (a) controls or processes personal data of at least 100,000 consumers; or (b) controls or processes personal data of at least 25,000 consumers and derives more than 50% of gross revenue from the sale of personal data. The statute expressly exempts governmental entities, financial institutions subject to the Gramm-Leach-Bliley Act (“GLBA”), entities subject to the Health Insurance Portability and Accountability Act (“HIPAA”), nonprofit organizations, institutions of higher education, and public utility companies.
Montana. The MCDPA is set to go into effect on October 1, 2024. The MCDPA defines personal data as any information that is “linked or reasonably linkable to an identified or identifiable individual.” The term does not include de-identified data or publicly available information. The law applies to persons that (1) conduct business in Montana or produce products or services that are targeted to residents of Montana; and (2) satisfy one of the following thresholds: (a) control or process the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) control or process the personal data of at least 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data. The statute does not apply to governmental entities, national securities associations registered under the federal Securities Exchange Act of 1934, financial institutions subject to the Financial Services Modernization Act of 1999 (i.e., GLBA), entities subject to HIPAA, nonprofit organizations, or institutions of higher education.
Tennessee. The TIPA is planned to take effect on July 1, 2024. The act defines personal information as information that “identifies, relates to, or describes a particular consumer or is reasonably capable of being directly or indirectly associated or linked with, a particular consumer.” Personal information does not include de-identified data, aggregate consumer data, or publicly available information. The new Tennessee law applies to persons that (1) conduct business in Tennessee or produce products or services that are targeted to residents of Tennessee; and (2) satisfy one of the following thresholds: (a) during a calendar year, control or process personal information of at least 100,000 consumers; or (b) control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information. The law does not apply to governmental entities, financial institutions subject to GLBA, insurance companies, entities subject to HIPAA, nonprofit organizations, or institutions of higher education.
Under all three laws, consumers are defined as individuals acting in a personal context. The laws do not reach individuals acting in a commercial or employment context.
The ICDPA, MCDPA, and TIPA all offer consumers substantially the same consumer rights with respect to their personal data, which include:
- The right to confirm whether a controller is processing the consumer’s personal data and to access such personal data;
- The right to correct inaccuracies in the consumer’s personal data;
- The right to delete personal data provided by or obtained about the consumer;
- The right to data portability; and
- The right to opt out of the sale of personal data.
Indiana and Montana also offer consumers the right to opt out of the processing of the consumer’s personal data for purposes of targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. On the other hand, Tennessee offers consumers the right to request that a controller that sold personal information about the consumer, or disclosed the information for a business purpose, disclose to the consumer: (1) the categories of personal information about the consumer the business sold; (2) the categories of third parties to which the personal information about the consumer was sold by category of personal information for each category of third parties to which the personal information was sold; and (3) the categories of personal information about the consumer that the business disclosed for a business purpose.
Similar to other state privacy laws, Indiana, Montana, and Tennessee require controllers to respond to a consumer within 45 days after receipt of the request. This response period may be extended once by an additional 45 days when reasonably necessary, taking into account the complexity and number of the consumer’s requests, provided that the controller informs the consumer of any such extension and the reason for it within the initial 45-day response period. If the controller declines to take action on the request, the controller must inform the consumer within 45 days after the request, explain the reason for declining to act, and provide instructions for how to appeal the decision.
Data Controller Duties
Controllers, defined as a person that, alone or jointly with others, determines “the purpose and means of processing personal data,” must conduct and document data protection assessments for the following processing activities involving personal data: (1) the processing of personal data for purposes of targeted advertising; (2) the sale of personal data; (3) the processing of personal data for purposes of profiling, if such profiling presents a reasonably foreseeable risk of disparate impact or injury to consumers; and (4) the processing of sensitive data. Indiana and Tennessee also include a catch-all provision requiring data protection assessments for any processing activities that present a heightened risk of harm to consumers. All three laws also require controllers to provide consumers with a privacy notice that includes:
- The categories of personal data processed by the controller;
- The purpose for processing personal data;
- How consumers can exercise their consumer rights, including how a consumer can appeal a controller’s decision on the consumer’s request;
- The categories of personal data that the controller shares with third parties, if any; and
- The categories of third parties, if any, with whom the controller shares personal data.
Notably, Tennessee is the first state to tie its privacy law to the National Institute of Standards and Technology (“NIST”) privacy framework. Under this provision, a controller or processor that creates, maintains, and complies with a written privacy program that reasonably conforms to the NIST privacy framework has an affirmative defense to a cause of action for a violation of the act. In addition, when a subsequent revision to the NIST privacy framework is published, controllers will have one year after the publication date to conform their programs to it.
Under all three laws, controllers may not process sensitive data concerning a consumer without first obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing the sensitive data in accordance with the federal Children’s Online Privacy Protection Act (“COPPA”). The laws all define sensitive data as a category of personal data that includes:
- Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis made by a health care provider, sexual orientation, or citizenship or immigration status;
- Genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual;
- Personal data collected from a known child; or
- Precise geolocation data.
As in the other six states’ previously enacted privacy laws, the ICDPA, MCDPA, and TIPA prohibit controllers from processing personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. Controllers also must not discriminate against a consumer for exercising any of their consumer rights, including by denying goods or services to the consumer, charging different prices or rates for goods and services, or providing a different level of quality of goods or services to the consumer.
Enforcement and Penalties
Similar to other state privacy laws, the ICDPA, MCDPA, and TIPA expressly do not provide for a private right of action. Rather, each state’s attorney general holds exclusive authority to enforce the statutes’ requirements. Before initiating an action, the attorney general must provide 30 days’ written notice in Indiana and 60 days’ written notice in Montana and Tennessee identifying the specific provisions allegedly violated. If, within the specified timeframe, the controller or processor cures the violation and provides the attorney general an express, written statement that the alleged violation has been cured and that no further violations will occur, then no action may be initiated. But if the violation persists, the attorney general may seek up to US$7,500 for each violation of the statute in Indiana or US$15,000 for each violation of the statute in Tennessee. The Montana law does not specify a civil penalty amount.
While the future of a potential federal privacy law remains uncertain, the recent influx of bills in Indiana, Montana, and Tennessee reflects the continuing trend of states adopting comprehensive privacy laws for their residents. Indiana now joins California, Colorado, Connecticut, Utah, Virginia, and Iowa in adopting such measures—and at least a dozen other states have introduced similar bills. Companies will need to remain vigilant in tracking these laws to ensure they are in compliance with the appropriate privacy requirements when they take effect.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Randall W. Edwards, an O'Melveny partner licensed to practice law in California, Sid Mody, an O’Melveny partner licensed to practice law in Texas, Scott W. Pink, an O’Melveny special counsel licensed to practice law in California and Illinois, John Dermody, an O'Melveny counsel licensed to practice law in California and the District of Columbia, and Kayla Tanaka, an O'Melveny associate licensed to practice law in California, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
© 2023 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.