Five New States Advance Privacy Laws in May 2023

It has been an active legislative season, with numerous states advancing new data privacy laws. In May, Indiana, Montana, and Tennessee joined Iowa in adopting new privacy laws, while the legislature in Texas sent an omnibus privacy bill to the governor's desk for approval. May also saw other privacy laws advance, including a privacy bill in Florida that generally has a narrower scope than the other omnibus privacy bills.

Below, we provide a brief overview of these latest developments. Looking ahead, in the absence of a comprehensive federal privacy law, we expect that additional states will adopt omnibus privacy laws, creating an even more complicated compliance environment. This increasingly complex privacy landscape underscores the need for businesses to stay up to date on data privacy requirements and develop an adaptable compliance strategy.

The New State Omnibus Privacy Laws.

Key Similarities to Leverage for a Universal Compliance Strategy. First, the good news—there are significant common elements among the new omnibus privacy laws in Indiana, Montana, Tennessee, and Texas that will be helpful to businesses building out nationwide compliance plans. For example, these laws all include a core group of consumer rights consisting of the right to access, delete, correct, port, and opt out of targeted advertising, sale, and certain forms of profiling.

Additionally, the new laws in Indiana, Montana, Tennessee, and Texas all impose similar affirmative obligations on businesses, including (1) limiting processing of personal data to what is reasonably adequate, relevant, and necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer, (2) implementing reasonable data security practices to protect personal data, (3) refraining from processing sensitive personal data without consent, and (4) having specific contractual provisions in place with service providers/vendors.

Notably, as with several of the laws that are going into effect in 2023, the new laws also impose a requirement for controllers to conduct a data protection impact assessment (DPIA) for certain processing activities. For example:

  • In Indiana, a DPIA must be completed annually if a controller engages in the following processing activities: (1) targeted advertising, (2) sale of personal data, (3) profiling when certain risk factors are present, (4) processing sensitive personal data, and (5) processing that presents a heightened risk of harm to the consumer.
  • In Montana, under the new law, controllers must conduct a data protection assessment for processing activities that have a heightened risk of harm to a consumer, including: (1) targeted advertising, (2) sale of personal data, (3) processing sensitive personal data, and (4) profiling if there is a reasonably foreseeable risk of unfair or deceptive or unlawful disparate impact on consumers, “intrusion upon seclusion,” or other financial, reputational, or physical harms.
  • Tennessee’s new law requires a DPIA prior to engaging in certain processing activities, including: (1) targeted marketing, (2) sale of personal data, (3) profiling if there is a reasonably foreseeable risk of legal, deceptive, discriminatory, financial, reputational, or physical harms, (4) processing sensitive personal data, and (5) processing that presents a heightened risk of harm to a consumer.
  • In Texas, once signed, the law will require a controller to conduct a data protection assessment prior to engaging in processing, including: (1) targeted advertising, (2) the sale of personal data, (3) profiling if certain risk factors are present, (4) processing sensitive personal data, and (5) processing with a heightened risk of harm to a consumer.

Distinctions and Other Features to Be Aware of in New Privacy Laws. Despite certain key similarities, these laws are not cookie cutter and each brings its own twist to the already complicated patchwork of U.S. state privacy laws. A high-level overview of the scope, key unique elements, and enforcement protocol for each is provided below:

Indiana

  • Scope. The INCDPA applies to persons who conduct business in Indiana or produce products or services that are targeted at residents of Indiana and that during a calendar year (1) control or process personal data of at least 100,000 consumers who are Indiana residents; or (2) control or process personal data of at least 25,000 consumers who are Indiana residents and derive more than 50% of gross revenue from the sale of personal data. The law exempts B2B and employee personal data, as well as financial institutions covered by GLBA, entities subject to HIPAA, and nonprofit organizations.
  • Enforcement. The INCDPA will be enforced by the Indiana Attorney General, which may impose civil penalties of up to $7,500 per violation. The law allows for a 30-day cure period. There is no private right of action.

Montana

  • Scope. The MTCDPA applies to persons that conduct business in Montana or produce products or services targeted to Montana residents and that (1) control or process the personal data of more than 50,000 consumers, excluding data used solely for processing payments; or (2) control or process the personal data of more than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data. The MTCDPA provides exceptions for B2B and employment personal data, financial institutions covered by GLBA, entities subject to HIPAA, and certain nonprofit organizations.
  • Global opt-out. The MTCDPA requires controllers to honor global opt-out control requests by January 1, 2025.
  • Enforcement. The MTCDPA is enforced by the Montana Attorney General. The law allows for a 60-day right to cure, which will sunset on April 1, 2026. There is no private right of action.

Tennessee

  • Scope. The TIPA applies to persons who do business in Tennessee or produce products or services targeted to residents and that (1) during a calendar year, control or process personal information of at least 100,000 consumers; or (2) control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information. The TIPA provides exceptions for B2B and employee personal data and certain entities, including insurance companies licensed under state law, financial institutions covered by GLBA, entities subject to HIPAA, and certain nonprofit organizations.
  • NIST Safe Harbor. A controller or processor has an affirmative defense to a cause of action for a violation of the TIPA if the controller or processor maintains a privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0” or other documented policies, standards, and procedures designed to safeguard consumer privacy. To take advantage of this safe harbor, the privacy program must be updated to reasonably conform with a subsequent revision to the NIST or comparable privacy framework within two years of the publication date stated in the most recent revision to the NIST or comparable privacy framework.
  • Enforcement. TIPA is enforced by the Tennessee Attorney General, which may impose civil penalties of up to $7,500 per violation. The law allows for a 60-day cure period. There is no private right of action.

Texas

  • Scope. The TDPSA applies to any person that (1) conducts business in Texas or produces products or services consumed by residents of the state; or (2) processes or engages in the sale of personal data. The TDPSA does not have a required threshold level of data processing (such as a minimum number of consumers or percentage of revenue from the sale of data), which results in this law having a wider scope than other state laws. The TDPSA provides exceptions for B2B and employee personal data, as well as entities that are considered small businesses, financial institutions covered by GLBA, entities subject to HIPAA, and certain nonprofit organizations.
  • Global opt-out. The TDPSA requires businesses that sell personal data or use it for targeted advertising to respond to a global opt-out signal.
  • Enforcement. The TDPSA will be enforced by the Texas Attorney General, which may impose civil penalties of up to $7,500 for each violation. The law allows for a 30-day cure period; however, it attaches several novel conditions on being able to utilize the cure period. There is no private right of action.

Florida

The Florida legislature passed the Florida Digital Bill of Rights (FDBR) on May 4, 2023 and the bill was signed into law by the Governor on June 6, 2023. It will go into effect on July 1, 2024.

  • Scope & Controller Definition. The FDBR has a unique definition for “controller” and generally, the privacy provisions in the bill target larger technology companies that engage in specific activities, including data sales. Specifically, “controller” is defined as a business that collects personal data about Florida residents, determines the purposes and means of processing personal data about those consumers, generates over $1 billion in global gross annual revenue and either (1) derives at least 50% of global gross revenue from the sale of advertisements online; (2) operates a consumer smart-speaker and voice-command service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation; or (3) operates an app store or digital distribution platform that offers at least 250,000 apps for consumers to download. The FDBR does not apply to B2B or employee personal data. It also exempts from coverage financial institutions covered by GLBA, entities subject to HIPAA, and nonprofit organizations.
  • Teen Data. The FDBR defines a “child” to be a consumer under the age of 18—raising the age threshold from the typical state-law approach to children’s data.
  • Consumer Rights. The bill includes a unique consumer right to opt out of the collection of personal data collected through the operation of a voice recognition feature.
  • DPIA. A controller must conduct a DPIA prior to processing personal data for certain purposes, including: (1) targeted advertising, (2) sale of personal data, (3) profiling if there is a reasonably foreseeable risk of unfair or deceptive treatment or unlawful disparate impact, or financial, physical or reputational injury to a consumer, (4) processing that could cause a physical harm or other “intrusion on solitude or seclusion,” or if processing would cause other substantial injury, (5) processing of sensitive personal data, and (6) processing that involves a heightened risk of harm to a consumer.
  • Enforcement & Implementation. The FDBR is enforced by the Florida Attorney General, which may impose civil penalties of up to $50,000 per violation. These civil penalties may be tripled for violations involving a known child under the age of 18. The law also allows for a discretionary 45-day cure period, and does not establish a private right of action. Like the California and Colorado laws, the Florida law grants rulemaking authority for the Department of Legal Affairs.

***

Wiley has a deep and experienced bench of attorneys specializing in privacy compliance—please contact any of the authors on this alert to discuss your privacy needs.

Patrick Wohl, a Wiley 2023 Summer Associate, contributed to this blog post.
