State privacy laws are changing rapidly in the U.S. Here are summaries of seven new state laws that have been enacted and go into effect in the next few years. We anticipate that more state legislatures will continue to enact privacy laws to protect consumers due to the absence of a federal privacy law.
Under each of the acts summarized below, consumers will have the right to access their personal data, the right to correct inaccurate data, the right to data portability, the right to have their data deleted, and the right to opt out of targeted advertising of personal data. Businesses will be required to practice purpose limitation, maintain data security, get consumer consent for data processing, and complete regular data impact assessments. Businesses will be barred from discriminating against consumers who exercise their rights under the law and will be required to secure data processing agreements with service providers. Similarly, these laws each exclude financial institutions or their affiliates that are governed by, or personal data that is collected, processed, sold, or disclosed in accordance with, Title V of the Gramm-Leach-Bliley Act ; state bodies/agencies; nonprofit organizations; institutions of higher education; national securities associations registered with the SEC; and covered entities or business associates as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Indiana
The Indiana Consumer Data Protection Act applies to entities that conduct business in the state, or produce products or services targeted at Indiana residents, and control or process the personal data of either 100,000 consumers or 25,000 consumers while deriving over 50 percent of their gross revenue from the sale of personal data. The Indiana Consumer Data Protection Act will become effective on January 1, 2026. The Indiana Attorney General may levy up to $7,500 per violation, and businesses will have a 30-day cure period for alleged violations of the Act.
Iowa
A business falls within the scope of the Iowa Consumer Data Protection Act if it controls or processes personal data of at least 100,000 Iowa consumers or businesses that derive more than 50 percent of gross revenue from the sale of personal data if they control or process personal data of at least 25,000 Iowa consumers. The Iowa Attorney General may levy up to $7,500 per violation, and businesses will have a 90-day period to cure alleged violations. The law will go into effect on January 1, 2025.
Montana
The Montana Consumer Data Privacy Act will affect businesses that conduct business in Montana, or produce products or services targeted to Montana residents, and that either control or process the personal data of no less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or control or process the personal data of no less than 25,000 consumers if more than 25 percent of their gross revenue is derived from the sale of personal data. The Montana Consumer Data Privacy Act will go into effect on October 1, 2024, and businesses will have a 60-day period to cure alleged violations.
Oregon
The Oregon Consumer Privacy Act applies to businesses operating in Oregon, or that provide products or services to Oregon residents, and control or process the personal data of at least 100,000 consumers, except for purposes of completing a payment transaction, or at least 25,000 consumers, while deriving at least 25 percent of its annual gross revenue from selling the personal data. The Oregon Attorney General may levy fines up to $7,500 per violation and must afford businesses a 30-day notice and cure period. The Oregon Consumer Privacy Act will go into effect on July 1, 2024.
Tennessee
The Tennessee Information Protection Act applies to companies that conduct business in Tennessee, or produce products or services that target Tennessee residents, and exceed $25 million in annual revenue, and either control or process personal information of at least 25,000 consumers and derive more than 50 percent of gross revenue from the sale of personal information during a calendar year, or control or process personal information of at least 175,000 consumers. It will allow businesses to assert an affirmative defense to claims of violations if they create, maintain, and comply with a written privacy program that “reasonably conforms” to the current and updated National Institute of Standards and Practices privacy framework or “other documented policies, standards, and procedures designed to safeguard consumer privacy.” The Tennessee Attorney General will be able to levy fines up to $7,500 per violation. The Tennessee Information Protection Act will go into effect on July 1, 2025.
Texas
The Texas Data Privacy and Security Act applies to a person that (1) conducts business in Texas or produces products or services consumed by Texas residents; and (2) processes or engages in the sale of personal data. It excludes “small businesses” as defined by the U.S. Small Business Administration, except for requiring small businesses to obtain consumer consent prior to selling sensitive data. The Texas Data Privacy and Security Act will go into effect on July 1, 2024.
Utah
The Utah Consumer Privacy Act will regulate entities that conduct business in the state or produce a product or service that is targeted to consumers who are residents of the state; has annual revenue of $25,000,000 or more; and satisfies one or more of the following thresholds: during a calendar year, controls or processes personal data of 100,000 or more consumers; or derives over 50 percent of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers. The Utah Attorney General may levy fines up to $7,500 per violation and businesses will have a 30-day cure period. The Utah Consumer Privacy Act will go into effect on December 31, 2023.
Although California’s data privacy law arguably continues to be the most stringent of any U.S. data privacy laws, many of the individual state privacy laws have nuances and they are not uniform. These nuances continue to make it difficult for national companies to comply with the patchwork and require a close eye on them. We will continue to update our readers about new privacy laws enacted to assist with that task.
Blair Robinson, non-lawyer intern, co-authored this article.