A Cascade of Regulation

The last several weeks have been interesting, to say the least. When I wrote The Year of Data Privacy Law in January, I was focused more on the existing laws that would become effective in 2023. I was more correct than I knew, however, with a slate of new regulations being signed (or pending signature) in four new states so far this year. This is setting the stage in the United States for privacy to be on the development / process roadmap of most national organizations every year for the next several years, as there are some new requirements to consider with each of these laws.

Below is a brief description of each of the new laws, with some highlights on things to be aware of. Businesses operating in, or targeting the users of, these states are strongly encouraged to speak to legal counsel to determine their compliance obligations.

Montana

The State of Montana, whose law is awaiting signature at the time of publishing, will begin enforcement of its data privacy law on October 1st, 2024. Unlike other recently passed laws (which often mirror Virginia), Montana instead mirrors Connecticut’s approach in many regards.

As such, Montana’s law affords more protections to users than those of other Republican-controlled states. Here we’ll find the ability to revoke consent (shared with Colorado and Connecticut) as well as support for a universal opt-out preference signal, which would become enforceable on January 1st, 2025. Users also will not need to verify their request to opt out of the sale of their personal data, targeted advertising or certain profiling.

Care should be taken with Montana’s use of lower thresholds (likely due to Montana’s lower population). This may result in a business being subject to Montana’s law before those of other states which use a higher percentage of the population in their requirements.

Enforcement will rest with the Montana Attorney General, who must provide a 60-day written notice to cure. It should be noted that this notice to cure will expire on April 1st, 2026.

Iowa

Slated for enforcement on January 1st, 2025, the Iowa law is similar to other state privacy laws, albeit with its own twists.

Consumers in general gain fewer rights, with no ability to correct their information or opt out of automated decision making or certain processing. Nor does the law require the end user to opt in to sensitive data processing. Notably, the ability to opt out does not apply to pseudonymous data, placing it at odds with other laws such as those in Colorado and Virginia.

As far as business obligations go, unlike the other laws, there are no requirements for data protection or privacy risk assessments. Likewise, there is no mention of a universal opt-out preference signal being supported.

Still, there are clauses around contract requirements and deadlines for complying with specific data subject access requests. Here Iowa does continue the trends laid out in the other state laws.

Enforcement will rest with the Iowa Attorney General, who must provide a 90-day written notice to cure. With the law being largely less prescriptive than those of other states in how compliance must be handled, companies may find that it ultimately proves more challenging for some compliance activities.

Tennessee

Still pending signature, Tennessee’s law closely mirrors Virginia’s (which went into effect earlier this year). It is slated for enforcement, if signed, on July 1st, 2025.

In addition to a narrower scope of applicability, Tennessee’s law mandates reasonable compliance with the existing NIST Privacy Framework (and future revisions of it). Compliance must be updated within a year of each new revision’s publication.

Failure to develop or maintain a privacy program that reflects the required data privacy practices to a reasonable degree of accuracy will be considered an Unfair and Deceptive Trade Practice under present law. Note that this does not bestow a private right of action.

Enforcement will rest with the Tennessee Attorney General, who must provide a 60-day written notice to cure. This notice to cure provision does not sunset. Fines can range up to $15,000 for each violation. Notably, the court can award treble damages if it finds the controller or processor willfully or knowingly violated the law, regardless of whether actual damages were suffered.

Indiana

The Indiana law closely tracks existing laws in other states like Virginia, likely resulting in a lower compliance effort if work has already been undertaken for those other states. Indiana’s law does not go into effect until January 1st, 2026, giving a large window for any compliance efforts which may still be required if gaps exist in an existing privacy program.

Special care should be taken in evaluating requirements such as its definition of sale (which is for monetary consideration) as well as how the use of pseudonymous data may change opt-out-of-sale requirements. It should be noted that, unlike other states, Indiana does not mention support for a universal opt-out preference signal.

Like other recent laws, Indiana has provisions around collection purpose, contract requirements and data security requirements.

As is increasingly common, Indiana will require Data Protection Impact Assessments for specific activities. These assessments will be required for any processing activities that occur after December 31st, 2025.

Enforcement will rest with the Indiana Attorney General, who must provide a 30-day written notice to cure. This right to cure does not have a sunset date.
