The new laws introduce novel applicability thresholds and other requirements that businesses should consider when preparing for compliance with US state privacy laws, including those coming into effect from 2023 onwards.
By Robert Blamires, Marissa Boynton, Michael H. Rubin, Joseph Hansen, and Austin Anderson
(i) Indiana, Montana, and Tennessee have all enacted general data privacy legislation, bringing the total to nine US state data privacy laws.
(ii) Montana will be the first of the three new laws to take effect on October 1, 2024, followed by Tennessee on July 1, 2025, and Indiana on January 1, 2026.
(iii) For businesses subject to existing similar general data privacy laws in other US states, many of the requirements will look familiar. The laws in Indiana and Tennessee generally follow in the wake of Virginia’s privacy law, while Montana’s law tracks more closely to Connecticut’s privacy law.
(iv) All three laws will be exclusively enforced by the respective state attorneys general, but the penalties and applicable cure periods vary.