Find an umbrella. . . .  The recent deluge of state-level privacy legislation continues.  Legislatures in three additional states—Indiana, Montana, and Tennessee—have adopted comprehensive privacy laws.  The Indiana Consumer Data Protection Act (ICDPA) was signed into law on May 1, 2023, making Indiana the seventh state to adopt such a law, and legislatures in Montana and Tennessee have passed legislation that is expected to be signed into law by their respective governors soon.  Only one month ago, Iowa became the sixth state to adopt a comprehensive privacy law, and, of course, California, Colorado, Connecticut, Utah, and Virginia each have laws that either are already in effect or that will go into effect later this year.  Meanwhile, on April 27, 2023, the governor of Washington signed into law the My Health My Data Act, a significant development that will impact many businesses that collect or process consumer health data (expect an update on this topic here soon).  

Indiana Privacy Law

Leading off, on May 1, 2023, the Indiana governor signed into law the ICDPA, which has been labeled by some as business-friendly and is generally modeled on Virginia’s privacy law.  It will not go into operation until January 1, 2026, giving companies time to comply.  This additional time will also provide ample opportunity for amendments, so further developments may be forthcoming.

Applicability and Scope:  The ICDPA will apply to entities that conduct business in Indiana or that offer products or provide services targeted to Indiana residents, but—similar to other state laws, with California being a notable exception—only if, during a calendar year, the entity controls or processes the personal data of 100,000 Indiana residents, or controls or processes the personal data of at least 25,000 Indiana residents and derives more than 50% of its gross revenue from the sale of such data.  Nonprofits, government entities, higher educational institutions, public utilities and their affiliated service companies, and entities subject to the Gramm-Leach-Bliley Act (GLBA) or the Health Insurance Portability and Accountability Act (HIPAA) are exempt.  Other exemptions apply based on the type of data processed.  For example, the law will not apply to data used in some medical research, data deidentified to the HIPAA standard, and data subject to the Fair Credit Reporting Act (FCRA) or the Family Educational Rights and Privacy Act (FERPA).

Consumer Rights:  As with other states, the ICDPA will provide state residents with a number of privacy rights: (i) the right to know; (ii) the right to correct; (iii) the right to delete; (iv) the right to access; and (v) the right to opt out of targeted advertising, the sale of personal data, and profiling.  Copies of the specific pieces of information provided in response to a request to know must be in a portable and readily usable format that allows transmission.  The rights are subject to a number of exceptions that could limit their practical application in some cases.  Controllers must respond to requests within 45 days, but they may extend the window for an additional 45 days when reasonably necessary with proper notice to the consumer.

Principles of Processing:  The ICDPA will incorporate so-called “principles of processing,” such as the purpose limitation and data minimization.  Businesses will be required to limit their collection of personal information to data that are “adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed.”  The use and disclosure of personal information will likewise need to be “reasonably necessary and proportionate” to the purpose of the processing and “adequate, relevant, and limited to what is necessary in relation to the specific purpose.”  Consent will be required for the processing of defined categories of sensitive data.

Data Protection Impact Assessments (DPIAs):  There is a growing trend in state laws to require DPIAs (also termed Privacy Impact Assessments, Data Protection Assessments, etc.). Even where not expressly required, they are a best practice that enables businesses to address the principles embedded in state privacy laws.  Under the ICDPA, when a controller engages in targeted advertising, profiling, the processing of sensitive data, or processing activities that present a heightened risk of harm, the controller must perform a data protection impact assessment (DPIA) identifying and weighing the benefits to the controller, consumers, other stakeholders, and the public against the potential risks to the rights of impacted consumers, as mitigated by any safeguards in place.  A single DPIA may cover multiple sets of processing operations if they include similar activities, and a controller may rely on a DPIA generated for compliance with a different law or regulation.  The Indiana attorney general may also request a copy of a DPIA if it is relevant to an investigation.

Enforcement:  The ICDPA will be enforced by the state attorney general.  This authority enables the attorney general to issue civil investigative demands if there is reasonable cause to believe that there has been a violation, as well as to pursue injunctions and civil penalties of up to $7,500 per violation.  Controllers and processors have the benefit of a 30-day cure period.  The attorney general may, but is not required to, provide “a list of resources for controllers, including sample privacy notices and disclosures” on its website before the law comes into force to aid controllers in their compliance efforts.

Montana and Tennessee Privacy Laws

While many waited for the governor’s signature on the ICDPA, the Tennessee and Montana state legislatures passed their own data protection legislation, which now sits on the desks of their respective governors.

The Tennessee Information Protection Act (TIPA) would go into effect on January 1, 2025.  Many of its provisions mirror those of its predecessors, including defining applicability based on control of consumers’ personal information and revenue from the sale of personal information; vesting exclusive enforcement authority in the state attorney general; providing exemptions for personal information covered by HIPAA, GLBA, FERPA, and the Children’s Online Privacy Protection Act (COPPA); and requiring a response to data subjects’ rights requests within 45 days.  As under the ICDPA, DPIAs are required for certain processing activities.  One major wrinkle in the TIPA is the requirement that controllers and processors “create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology privacy framework” and update the program within one year of any revision to the NIST framework.

Montana’s Consumer Data Privacy Act (MCDPA) would be the first of the three states’ laws to go into operation, entering into force on October 1, 2024.  Like the ICDPA and the TIPA, the MCDPA requires data protection assessments for “processing activities that present[] a heightened risk of harm to a consumer.”  While it also looks to the control of personal data for applicability, its threshold of 50,000 consumers is lower than those of most other state laws in this space.  Straying further from existing state statutes, Montana’s law requires companies to recognize universal browser opt-out settings (i.e., Global Privacy Control).  While the MCDPA includes a 60-day cure period, that provision sunsets on April 1, 2026; the state attorney general has exclusive enforcement authority.  The definition of “consent” also makes clear that “an agreement obtained using dark patterns” does not qualify.

***

While businesses already in scope for privacy laws in other states likely will not need to make major changes to their compliance programs in the wake of the ICDPA and the new laws in Tennessee and Montana, they should ensure that their infrastructure is sufficient to address obligations such as the completion of DPIAs.  Additionally, the adoption of these laws reinforces the importance of implementing comprehensive privacy programs.  For businesses that process a large volume of personal information, it is increasingly difficult to take a state-by-state approach, although the nuances of each law should be taken into account.  Passage of the laws in Indiana, Montana, and Tennessee will also provide further incentives to other state legislatures that do not want to be left behind in the rush to adopt legislation.  The deluge may quickly become a flood.  Ropes & Gray will continue to track developments.