In a span of less than eight weeks ending in late May, four states – Iowa, Indiana, Tennessee, and Montana – adopted comprehensive consumer data privacy laws, kicking off a 2023 legislative period in the U.S. that has already doubled the number of state comprehensive privacy laws from five to 10.

Of the "wave of four", Iowa's consumer data protection law (ICDPA) is generally considered the least robust, and the Montana Consumer Data Protection Act (MCDPA) is generally considered the most robust, with Indiana's Consumer Data Protection Act (INCDPA) and the Tennessee Information Protection Act (TIPA) in the middle. However, there are significant nuances that require careful attention.

Scope of Applicability

Both Iowa's ICDPA and Indiana's INCDPA follow the scope-of-applicability standard of Virginia's comprehensive privacy law (VCDPA), applying to businesses that (i) conduct business in the applicable state or produce products or services targeted at residents of that state and (ii)(a) "process" or control the "personal data" of at least 100,000 "consumers" or (b)(x) "process" or control the "personal data" of at least 25,000 "consumers" and (y) derive more than 50% of their gross revenue from the "sale" of "personal data".

Tennessee's TIPA applies a more restrictive standard, applying to businesses that (i) conduct business in Tennessee producing products or services targeted at the state's residents, (ii) exceed $25 million in revenue, and (iii)(a) "process" or control the "personal information" of at least 175,000 "consumers" or (b)(x) "process" or control the "personal information" of at least 25,000 "consumers" and (y) derive more than 50% of their gross revenue from the "sale" of "personal information". (This note will use the term "personal data" to apply to "personal information" under TIPA, as well as to "personal data" under each of the other state laws.)

Montana's MCDPA applies an ostensibly less restrictive standard, applying to businesses that (i) conduct business in Montana or produce products to or services targeted at residents of the state and (ii)(a) "process" or control the "personal data" of at least 50,000 "consumers" or (b)(x) "process" or control the "personal data" of at least 25,000 "consumers" and (y) derive more than 50% of their gross revenue from the "sale" of "personal data". However, it's notable that the 50,000-consumer threshold of Montana represents almost 4.4% of that state's population, significantly higher than the corresponding percentage thresholds in Iowa (3.1%) and Indiana (1.5%).

The applicability of each of the above laws is subject to a directionally similar set of customary exemptions (again, with some distinctions) – for example, exempting government entities, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), entities subject to HIPAA, nonprofit organizations, and institutions of higher education. Tennessee's TIPA is the only one of these four state laws that also provides a separate exemption for licensed insurance companies.

All four of these state laws also exclude from the definition of "consumer" individuals acting in a commercial or employment context, leaving California's CCPA still as the only U.S. state comprehensive privacy law that covers "workforce" personal data (i.e., pertaining to employees and B2B contacts).

Consumer Rights

With a standard framework having emerged across state comprehensive privacy laws, it is not surprising that these four state laws provide consumers with a relatively similar set of rights with respect to their personal data. However, again, there are some crucial differences.

All four of these state laws provide consumers with the following rights, which, if "authenticated", the controller must honor:

  • Right to Access
  • Right to Delete
  • Right to Data Portability
  • Right to Opt Out of the Sale of Personal Data

Notably, Montana's MCDPA applies the broader "monetary or other valuable consideration" formulation to the definition of "sale of personal data", while each of the other three state laws uses the narrower "monetary consideration" formulation.

Even more significantly, Indiana's INCDPA, Tennessee's TIPA, and Montana's MCDPA – but not Iowa's ICDPA – also provide consumers with the following additional rights:

  • Right to Correct
  • Right to Opt Out of "Targeted Advertising"
  • Right to Opt Out of "Profiling" in furtherance of decisions that produce legal or similarly significant effects concerning the consumer

While Iowa's ICDPA does not provide consumers with the right to opt out of targeted advertising, it does require controllers that engage in targeted advertising to "clearly and conspicuously disclose such activity, as well as the manner in which a consumer may exercise the right to opt out of such activity".

Significantly, Montana's MCDPA is the only one of these four laws that requires controllers to comply with opt-out requests submitted via a universal opt-out mechanism such as an "Internet browser setting or extension" or a "global setting on an electronic device". This puts Montana in the same category as California, Colorado, and Connecticut in requiring a response to universal opt-out settings like Global Privacy Control.

Sensitive Data

Each of these four state laws includes provisions with respect to the processing of "sensitive data", although there are significant differences in both the applicable consent framework and the definition.

Following the Virginia/Colorado/Connecticut model, each of Indiana's INCDPA, Tennessee's TIPA, and Montana's MCDPA requires affirmative "opt-in" consent for the processing of "sensitive data". In contrast, Iowa's ICDPA applies an "opt-out" framework for the processing of such data, more akin to California's "right to limit".

The definition of "sensitive data" in each of the four state laws generally means a category of personal data that includes:

  1. personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
  2. genetic or biometric data that is processed for the purpose of uniquely identifying an individual;
  3. personal data collected from a known child; or
  4. precise geolocation data.

However: (i) Montana's definition includes (a) a broader "health" prong, covering mental or physical health "conditions" (in addition to "diagnoses") and (b) a broader "sexuality/sex-related" prong, covering "information about a person's sex life" (in addition to "sexual orientation"); and (ii) Indiana's definition includes an ostensibly narrower "health" prong, requiring the diagnosis to be "made by a health care provider".

"Precise geolocation data" has the same radius (1,750 feet, approximately one-third of a mile) under each of the four state laws.

Dark Patterns

Montana's MCDPA is the only one of these four state laws that includes provisions with respect to "dark patterns", defined as a "user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice". The MCDPA expressly provides that agreements obtained through the use of "dark patterns" do not constitute valid "consent".

Safe Harbor

Tennessee's TIPA is unique in that it provides controllers and processors with an affirmative defense to claims for TIPA violations if, in addition to providing the substantive rights required by the law, they create, maintain, and comply with a written privacy policy that "reasonably conforms with the current and updated National Institute of Standards and Technology (NIST) privacy framework... or other documented policies, standards, and procedures designed to safeguard consumer privacy". The current NIST privacy framework sets forth five functions – Identify, Govern, Control, Communicate, and Protect – "to manage privacy risks arising from data processing".

Cure Periods, Enforcement, and Damages

Each of these four state laws provides a cure period to correct violations following receipt of notice of the violation from the applicable state attorney general, as follows:

  • Iowa's ICDPA: 90 days
  • Indiana's INCDPA: 30 days
  • Tennessee's TIPA: 60 days
  • Montana's MCDPA: 60 days

Montana's MCDPA, however, "sunsets" that cure period; the section providing for the cure period expires on April 1, 2026 (18 months after the law's effective date).

Notably, each of these four state laws provides that the applicable attorney general has the exclusive authority for enforcement, meaning that California's CCPA currently remains the only U.S. state comprehensive privacy law with a private right of action (albeit a limited one solely in relation to certain personal data breaches).

Each of Iowa's ICDPA, Indiana's INCDPA, and Tennessee's TIPA provides for a civil penalty of up to $7,500 per violation, and the Tennessee law also provides that treble damages can be awarded for willful or knowing violations. Montana's MCDPA does not include an express provision with respect to maximum damages.

Effective Dates

Although Montana's MCDPA was the last of these four privacy laws to be passed, it will be the first of the four to go into effect, on October 1, 2024. Iowa's ICDPA will follow shortly thereafter, becoming effective on January 1, 2025. Tennessee's TIPA will take effect on July 1, 2025, and Indiana's INCDPA will not go into effect until January 1, 2026.

Conclusion

The first half of 2023 has seen an explosion of new U.S. state comprehensive privacy laws, adding substantial complexity to an already fragmented patchwork of data protection laws, rules, and regulations. Linklaters has extensive experience helping our clients navigate such divergent legal and regulatory frameworks.
