Data Points: Privacy & Data Security Blog

This month, Indiana, Montana and Tennessee passed comprehensive privacy laws. Each tracks closely the comprehensive privacy laws outside of California, but with some variations. None applies to employee data or has a private right of action.  All have cure rights. Tennessee uniquely provides an affirmative defense for controllers who follow the NIST privacy framework. Tennessee’s law will go into effect July 1, 2024, giving businesses just over a year to prepare to comply. Indiana’s law affords businesses more time to comply – it will not take effect until January 1, 2026. Montana’s law will go into effect October 1, 2024. Below is a summary of key points from each law.

Covered Entities

The laws share similarities in their applicability, however there are notable differences. Each applies to persons conducting business in the relevant state or to those producing products or services targeting the state’s residents. Each defines “consumers” as residents of the respective state and exclude individuals acting in a commercial or employment context from that definition.

• Indiana’s applicability provisions closely mirror the Virginia Consumer Data Privacy Act (the VCDPA) – the law applies to persons that, during a calendar year, (1) control or processes personal data of at least 100,000 consumer who are residents of the state or (2) control or processes personal data of at least 25,000 state residents and derives more than 50% of gross revenue from the sale of personal data.
• Tennessee’s law has a narrower scope. Like the Utah Consumer Privacy Act, Tennessee’s law includes a $25 million annual revenue minimum coverage requirement. Businesses that meet that revenue minimum also must either (1) during a calendar year, control or process personal information of at least 175,000 consumers or (2) control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.
• Montana’s law has a potentially wider application. There is no revenue minimum and the law applies to persons that (1) control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or (2) control or process the personal data of not less than 25,0000 consumers and derive more than 25% of gross revenue from the sale of personal data.

All three define “personal data” broadly (as we’ve come to expect) as any information that is linked or reasonably linkable to an identified or identifiable individual, excluding deidentified or publicly available information. Indiana and Tennessee also exclude aggregate data from the definition of “personal data.”

Exceptions and Exemptions

Each law includes exemptions seen in other comprehensive state data privacy laws – each exempts government entities, nonprofits, institutions of higher education, financial institutions and data covered by Title V of the Gramm-Leach-Bliley Act (GLBA), entities and personal health information covered by the Health Insurance Portability and Accountability Act (HIPAA), or processing regulated by the Fair Credit Reporting Act. Additionally, both Tennessee and Indiana exempt public utilities from their laws. Tennessee also exempts insurance companies licensed in the state.

Consumer Rights

Each of these three laws includes consumer rights of access, correction, portability, and deletion and also gives consumers a right to opt-out of processing of their personal data for the purposes of targeted advertising, sale of their personal data, and profiling if such profiling is in furtherance of automated decision-making that produces legal or other similarly significant effects.

• Like the Connecticut Data Privacy Act (CTDPA), both Montana and Tennessee define “sale” broadly to include not just exchange of personal data for money, but for “other valuable consideration” as well, but does not include further disclosure to a third party that processes data on behalf of the controller or disclosure to an affiliate. Indiana’s law limits the meaning of “sale” to a transfer or access involving monetary exchange.
• Setting it apart from other state privacy laws, Montana has no requirement that an opt-out request be authenticated. The law also creates universal opt-out rights, requiring that controllers allow consumers to unambiguously opt out of any processing of personal data for the purpose of targeted advertising or sale of such personal data.
• All three laws also include provisions requiring consumers to affirmatively opt-in to the collection and processing of sensitive personal data. In each, “sensitive personal data” includes data revealing information on a person’s race, ethnicity, religion, health, sexual orientation, citizenship status, genetic and biometric data, data collected from a known child, and precise geolocation data. Montana’s law also includes “information about a person’s sex life” as sensitive personal data.
• With regards to access rights, Indiana’s law differs from other state privacy laws on the books in that a controller responding to an access request may provide a representative summary of the data instead of a copy.

Data Protection Assessments

Like the Colorado’s Data Privacy Act, the VCDPA, and the CTDPA, the Indiana, Montana and Tennessee laws also require controllers that process personal data for the purposes of targeted advertising, the sale of personal data, profiling, or process sensitive data to conduct and document data protection assessments that identify and weigh the benefits from the processing of the data to the controller, consumer and public against the risk the processing poses to the consumers whose data is being processed, factoring in safeguards used by the controller to reduce such risk. If an enforcement action is initiated by the state’s attorney general against a controller, these assessments may be evaluated for determining compliance with the law.

Enforcement

Under each law, the state Attorney General has exclusive enforcement authority – there is not a private right of action.

• In both Tennessee and Montana, the Attorney General must provide 60 days’ written notice prior to initiating any enforcement proceeding. In Indiana, the notice period is 30 days.
• Currently, each also includes an opportunity to cure between receipt of notice and initiation of an enforcement proceeding. However, Montana’s law includes a sunset provision, and the right to cure will expire April 1, 2026.
• Tennessee and Indiana follow the VCDPA and limit penalties to $7,500 per violation; Tennessee’s law also allows for treble damages in cases of controllers who willfully or knowingly violate the law. Montana’s law does not include any provisions specifying or limiting the penalties that may be imposed.
• In a first-of-its kind provision for these comprehensive privacy laws, Tennessee’s law includes an affirmative defense for data controllers or processors. If a controller creates, maintains, and complies with a written privacy policy that is appropriate in scope and scale for the data the controller is processing, and reasonably conforms to the federal National Institute of Standards and Technology (NIST) privacy framework (or “other documented policies, standards, and procedures designed to safeguard consumer privacy”), and such policy is kept up-to-date with any revisions to NIST or a comparable framework, then the controller may have an affirmative defense against a claim they violated the law.

Conclusion

Given the growing list of state comprehensive privacy laws, businesses will need to continue keeping track of the varying rights consumers have in each state, their obligations under the law and what technological mechanisms and internal policies need to be put into place before each law goes into effect. As more state legislative sessions wrap up, we expect to see additional states pass comprehensive privacy laws.