Montana, Tennessee join Indiana and Iowa as next States to pass comprehensive data protection laws
Montana and Tennessee have both passed comprehensive bills in their state legislatures on April 21st, making them the latest additions to the states that have enacted privacy laws this year, alongside Indiana and Iowa.
Iowa Data Privacy Act (IDPA)
Iowa joined Connecticut, Utah, Virginia, Colorado, and California on March 29th as the sixth state to approve a comprehensive privacy law. The law will become effective on January 1st, 2025, which provides organizations with 21 months to meet the new requirements. Even though the law shares several similarities with other state privacy laws, organizations need to pay attention to a few distinctions as they broaden their compliance efforts across the United States.
The Iowa Data Privacy Act (IDPA) applies to businesses that operate in Iowa or target products or services to Iowa consumers and control or process personal data of 100,000 or more Iowa consumers or 25,000 or more Iowa consumers and derive over 50% of gross revenue from the sale of that data. The IDPA’s definition of a “consumer” includes natural persons who are Iowa residents acting in a personal (noncommercial and nonemployment) context, and excludes employees and B2B contacts. The IDPA imposes obligations on data controllers, such as limiting the purpose of processing personal data, implementing reasonable safeguards, refraining from discrimination, being transparent in their privacy notice, and ensuring contracts control relationships with their processors. It provides Iowa consumers with opt-out, deletion, access, appeal, and data portability rights. Sensitive personal information includes racial/ethnic origin, religious beliefs, and geolocation data, among others, and controllers must provide clear notice and an opportunity to opt-out of nonexempt processing.
The Iowa Attorney General has exclusive enforcement authority, and the IDPA does not allow for a private right of action.
Indiana Bill on Consumer data protection
Indiana is set to become the seventh state to enact a comprehensive privacy law when Senate Bill No. 5 is signed by Governor Eric Holcomb. The law goes into effect on January 1, 2026.
The Indiana privacy law applies to businesses that process the personal data of at least 100,000 Indiana residents or 25,000 Indiana residents and generate more than 50% of their gross revenue from the sale of personal data. Certain entities and data are exempt from the law. The law requires businesses to provide consumers with a clear and meaningful privacy notice and gives consumers the right to confirm, access, correct, delete, and port their personal data. Consumers can also opt-out of the processing of their personal data for targeted advertising, sale of personal data, or profiling that produces significant effects. There is no private right of action, and businesses have a 30-day cure period for any alleged violations. The Indiana privacy law is similar to other comprehensive state privacy laws, such as the Virginia Consumer Data Protection Act.
Montana Consumer Data Privacy Act (MCDPA)
After passing both houses of the Montana legislature, the Montana Consumer Data Privacy Act (MCDPA) now awaits Governor Greg Gianforte’s signature. The MCDPA is similar to the laws in Connecticut and Virginia, suggesting that these models are becoming the foundation for other state privacy laws concerning consumers.
The Montana Consumer Data Privacy Act (MCDPA) applies to companies that do business in Montana, control or process personal data of 50,000 or more Montana consumers or 25,000 or more Montana consumers and derive over 25% of gross revenue from the sale of that data. “Consumer” is defined as a natural person who is a resident of Montana acting in a personal context. Personal data includes information that is linked or reasonably linkable to an identified or identifiable individual. Sensitive data includes information about a person’s race/ethnic origin, religion, health diagnosis, sex life, sexual orientation, citizenship, immigration status, and genetic or biometric information. Companies must provide a standard set of consumer rights, including opt-out rights related to the sale of personal data, deletion rights, access rights, correction rights, appeal rights, opt-in rights for advertising and targeted marketing to individuals aged 13 to 16, and data portability rights. Sensitive data cannot be processed without obtaining the consumer’s consent or, in the case of a child, complying with COPPA. The MCDPA requires controllers to limit the purpose of processing personal data to that which is reasonably necessary and proportional, take steps to implement reasonable safeguards for the personal data within their control, refrain from discriminating against consumers for exercising their rights, and be transparent in their privacy notice.
The Montana Attorney General has exclusive enforcement authority, and there is no private right of action. The MCDPA will go into effect on October 1, 2024.
Tennessee Information Privacy Act (TIPA)
If Governor Bill Lee approves, Tennessee will soon join the states with comprehensive privacy laws with the implementation of the Tennessee Information Privacy Act (TIPA). The TIPA largely follows the model of California’s CCPA, but with one notable exception.
TIPA applies to companies doing business in or targeting products or services to Tennessee residents, and processing personal information of at least 100,000 consumers, or 25,000 consumers and deriving more than 50% of their gross revenues from the sale of personal information. Compliance with CCPA obligations will likely result in compliance with TIPA, subject to obligations with respect to the NIST Privacy Framework. The NIST Privacy Framework requires companies to identify, govern, control, communicate and protect privacy risks. Failure to comply with TIPA may result in penalties of up to $15,000 per violation, enforced by the Tennessee Attorney General.
Outlook
Several states are currently working on passing their own comprehensive consumer privacy bills this year, and there are also plans for more specialized privacy laws. For example, there are proposed laws focused on children, social media (such as Utah’s Social Media Regulation Act), and health information not covered by HIPAA (such as Washington’s My Health My Data Act). In addition, there is also the draft legislation for a comprehensive data protection law at the federal level.