Why Should You Be Afraid of Privacy Obligations? Because Now There will be 7, 8, 9… States with Comprehensive Data Privacy Laws!

The state of Indiana recently became the seventh U.S. state to enact a comprehensive state data privacy law. And on Friday April 21^st, 2023, Montana and Tennessee’s legislatures passed comprehensive data privacy laws, which await the governors’ signatures, and are likely to become the eighth and ninth states to enact comprehensive data privacy laws. In addition to Montana and Tennessee, there are fifteen comprehensive state level privacy bills pending across the country.  This new wave of privacy legislation signals more to come—in terms of both compliance obligations and risks—for entities doing business across the U.S. 

Who Do These Laws Apply To? 

• Indiana Consumer Data Protection Act. The Indiana law applies to “a person that conducts business in Indiana or produces products or services that are targeted to residents of Indiana and that during a calendar year: (1) controls or processes personal data of at least 100,000 consumers who are Indiana residents; or (2) controls or processes personal data of at least 25,000 consumers who are Indiana residents and derives more than 50% of gross revenue from the sale of personal data.” 
• Montana Consumer Data Privacy Act. If signed into law, Montana’s legislation would apply to persons “that conduct business in this state or persons that produce products or services that are targeted to residents of this state and: (1) control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.” Notably, the Montana controlling/processing threshold for consumer data is half that of what we see in other state comprehensive laws (50,000 consumers compared to 100,000 consumers), which is likely to account for the state’s lower population. 

• Tennessee Information Protection Act. If signed into law, Tennessee’s legislation would apply to entities that, “(1) control or possess the personal information of at least 100,000 consumers; or (2) control or process personal information of at least 25,000 consumers and derive more than 50% of their gross revenue from the sale of personal information.” 

When will these Laws become Effective? 

The Indiana law will become effective on January 1, 2026.  If signed into law, the Tennessee law will take effect on July 1, 2024, and the Montana law will take effect on October 1, 2024. 

Looking Forward 

The swift passage of this recent wave of comprehensive privacy legislation evidences the continued focus of U.S. legislators on privacy. Entities that have already implemented privacy programs designed to comply with currently effective comprehensive privacy laws in California and Virginia and/or with comprehensive data privacy laws that go into effect later this year in Connecticut, Colorado, and Utah, will be able to leverage key elements of these programs for purposes of compliance with the 7^th, 8^th, and 9^th laws. Organizations that have not started making the necessary updates to their privacy programs for compliance with state comprehensive data privacy laws will want to start preparing to meet their obligations under these laws sooner rather than later. For more information on what your organization can do to meet its obligations under comprehensive state privacy laws, please read our blog post on the topic, available here. 

Authors