The new laws introduce novel applicability thresholds and other requirements that businesses should consider when preparing for compliance with US state privacy laws, including those coming into effect from 2023 onwards.
By Robert Blamires, Marissa Boynton, Michael H. Rubin, Joseph Hansen, and Austin Anderson
(i) Indiana, Montana, and Tennessee have all enacted general data privacy legislation, bringing the total to nine US state data privacy laws.
(ii) Montana will be the first of the three new laws to take effect on October 1, 2024, followed by Tennessee on July 1, 2025, and Indiana on January 1, 2026.
(iii) For businesses subject to existing similar general data privacy laws in other US states, many of the requirements will look familiar. The laws in Indiana and Tennessee generally follow in the wake of Virginia’s privacy law, while Montana’s law tracks more closely with Connecticut’s privacy law.
(iv) All three laws will be exclusively enforced by the respective state attorneys general, but the penalties and applicable cure periods vary.
On the heels of Iowa passing the Iowa Consumer Data Protection Act, the state legislatures in Indiana, Montana, and Tennessee quickly followed by unanimously passing their own general state privacy legislation, further adding to the growing and complex patchwork of US state general data privacy laws. The Montana law (the Montana Consumer Data Privacy Act) will be the first to take effect on October 1, 2024, notably before the Iowa law, which will come into force on January 1, 2025. Tennessee’s privacy law (the Tennessee Information Protection Act) will take effect on July 1, 2025, followed by the Indiana privacy law (the Indiana Consumer Data Protection Act) on January 1, 2026.
See this summary of the effective dates for all nine US state general data privacy laws.
As a general matter, businesses subject to these new laws should review their data privacy compliance measures, including expanding the scope of their existing compliance measures to cover personal data collected about residents of Indiana, Montana, and Tennessee. This effort will generally involve:
- extending existing user-right mechanisms to include personal data about individuals in these states;
- updating privacy notices/appendices;
- reviewing contracts that involve the exchange of personal data; and
- determining whether existing data protection impact assessments and other internal policies and procedures adequately cover the processing activities of individuals in these states.
Overview of Requirements
Below is an overview of the scope and some of the core requirements of the new laws. All three laws generally refer to “consumers,” which they generally define as residents of the state, except those acting in a commercial or employment context (similar to the existing state data privacy laws, with the notable exception of California where all state residents are now in scope). Below, we use “consumers” and “individuals” interchangeably to refer to residents who fall within the scope of these laws.
1. Applicability
While all three laws have applicability tests that are similar to some of the existing data privacy laws in other US states, there are some nuances, which are described in turn below:
For Indiana, the law applies to for-profit entities that do business in the state or target products or services to Indiana residents and, during a calendar year, either:
- control or process personal data of at least 100,000 Indiana consumers; or
- derive over 50% of gross revenue from the sale of personal data and control or process personal data of 25,000 or more Indiana consumers.
For Montana, the law applies to for-profit entities that do business in the state or target products or services to Montana residents and:
- control or process personal data of at least 50,000 Montana consumers (excluding certain data collected from payment transactions); or
- derive over 25% of gross revenue from the sale of personal data and control or process personal data of at least 25,000 Montana consumers.
For Tennessee, the law includes both a revenue and processing threshold, similar to the California Consumer Privacy Act (CCPA). Specifically, the law applies to for-profit entities that exceed $25 million in annual revenue and do business in the state or target products or services to Tennessee residents and:
- during a calendar year, control or process personal information of at least 175,000 Tennessee consumers; or
- derive over 50% of gross revenue from the sale of personal information and control or process personal data of 25,000 or more Tennessee consumers.
2. Privacy Notice
The three laws require businesses to be transparent about their processing activities by providing a privacy notice that includes the following:
- The categories of personal data processed
- The purposes for which personal data is processed
- How consumers can exercise rights in relation to personal data about them, including how to appeal a denied rights request
- The categories of personal data shared with third parties
- The third parties with which personal data is shared
Additionally, if the business “sells” personal data or uses personal data for purposes of targeted advertising, such activity must be clearly and conspicuously disclosed in the privacy notice.
3. Individual Rights
All three laws provide consumers with the same rights as Virginia, including the right to access, correct, delete, and opt out of the following activities: (i) sale of personal data, (ii) the processing of personal data for the purposes of targeted advertising, and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Where the laws start to diverge, however, is the scope of the rights. For instance, Indiana and Tennessee adopt the narrower definition of “sale,” which includes only “monetary consideration.” Montana, in comparison, adopts the broader definition of “sale,” which includes both “monetary and other valuable consideration,” like California, Colorado, and Connecticut. Montana’s law further provides consumers with the ability to opt out of the sale of their personal data and the processing of their personal data for purposes of targeted advertising through an “opt-out preference signal” that businesses must implement by January 1, 2025, similar to that of Connecticut’s law.
Indiana’s law also subtly differs from other US state privacy laws in relation to the right to access. Indiana’s is the first state privacy law to give businesses discretion to provide a consumer, in response to an access request, with either (a) a copy of their personal data (similar to other laws) or (b) a “representative summary” of the consumer’s personal data (a new provision found only in Indiana). As this term is not defined, Indiana appears to leave its interpretation to the marketplace.
4. Appeals Process
All three laws provide that a business shall establish a process for individuals to appeal a rights request decision not to take action. Businesses have 60 days to respond to the appeal request, informing the individual of the reasons for its decision. If the appeal is denied, the business shall also provide the individual with a method to contact the state Attorney General to submit a complaint.
5. Consent
All three laws require that a business obtain affirmative consent from individuals to process their sensitive personal data or to process personal data for secondary purposes that are incompatible with the original purpose(s) disclosed to the individual. In addition, a business must comply with the consent requirements set forth under the Children’s Online Privacy Protection Act (COPPA) for processing personal data of children under the age of 13. Notably, similar to Connecticut, Montana’s law further requires that businesses obtain consent to process the personal data of consumers between the ages of 13 and 16 for purposes of targeted advertising or selling. In addition, like Connecticut, Montana requires providing individuals with a mechanism to revoke their consent, upon receipt of which the business shall cease processing as soon as possible, and no later than 45 days after the request.
6. Contractual Obligations
All three laws include specific contractual requirements for agreements between controllers and processors. These requirements mirror those in Virginia and other states.
7. Data Protection Impact Assessments
Similar to Virginia, all three laws require businesses to conduct a data protection impact assessment (DPIA) for each of the following activities: (i) processing sensitive personal data; (ii) the sale of personal data; (iii) processing personal data for targeted advertising; (iv) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer; and (v) processing activities involving personal data that present a heightened risk of harm to consumers. Helpfully, for businesses subject to other laws that impose similar requirements, the laws provide that a business may leverage existing DPIAs of similar scope to comply with this requirement.
8. Enforcement
All three laws will be exclusively enforced by the respective state Attorneys General. All three laws provide businesses with a right to cure, meaning the respective Attorney General will issue a notice to a business for alleged noncompliance and then allow the business a period of time to remedy that noncompliance before commencing an enforcement action. However, each law’s right to cure carries some notable differences:
- Indiana: Indiana provides businesses with a 30-day cure period.
- Montana: Montana provides a 60-day cure period. However, Montana’s right to cure is not permanent: starting April 1, 2026, the Attorney General will no longer need to issue notice and an opportunity to cure before pursuing an enforcement action — similar to the cure periods for Colorado and Connecticut which sunset on January 1, 2025, and December 31, 2024, respectively.
- Tennessee: Tennessee provides a 60-day cure period.
The penalties also vary among the laws:
- Indiana: If a business violates the law by not curing the alleged violations within the cure period or breaches an express statement relating to a prior alleged violation, the Attorney General may file an enforcement action to recover civil penalties of up to $7,500 “for each violation,” as well as seek injunctive relief.
- Montana: The Montana privacy law does not expressly specify the damages available to the Attorney General. However, the Attorney General is granted the authority under Title 30, Chapter 14 (where the Montana law will ultimately be codified) to levy civil penalties of up to $10,000 per violation, as well as seek injunctive relief.
- Tennessee: Tennessee provides for civil penalties up to $7,500 “for each violation.” Significantly, however, it includes treble damages for willful or knowing violations, potentially resulting in fines of up to $22,500. Tennessee also authorizes injunctive relief. Additionally, unique to Tennessee, businesses are further afforded a safe harbor against violations if they maintain and regularly update their privacy program so that it “reasonably conforms” with the National Institute of Standards and Technology (NIST) privacy framework and continues to provide individuals with the substantive rights under the law.
The passage of the laws in Indiana, Montana, and Tennessee adds to the growing trend of US states implementing their own general data privacy legislation (in the absence of federal legislation). However, the requirements of each law track closely with those in place in Virginia and forthcoming in other states like Connecticut (in the case of Montana). Therefore, for most businesses subject to these laws, the main compliance burden will be updating existing compliance efforts to cover personal data collected about residents of those states. That being said, while we expect this trend to largely continue as similar legislation is pending in additional states, we are also beginning to see novel divergences being adopted in states such as Florida and Texas, which is likely to create further compliance challenges for businesses. As the US thus heads towards a 50-state patchwork (as is already the case with breach notification laws), businesses subject to multiple privacy laws should continue to assess their data privacy compliance program to ensure it is robust enough to satisfy current and forthcoming applicable data privacy laws and regulations.