Since the California Consumer Privacy Act took effect in 2020, data and privacy protection has quickly become one of the most urgent state legislative matters.
The following five states enacted notable consumer privacy laws in 2023, so if you do business in any of them, this could affect you!
Here’s a quick breakdown of the upcoming state privacy acts passed this year that you should be aware of, with their effective dates:
Texas Data Privacy and Security Act (July 2024)
The TDPSA affects any company that:
1. Conducts business in Texas or produces a product or service consumed by residents of Texas.
2. Processes or engages in the sale of personal data.
3. Is not a small business as defined by the United States Small Business Administration (SBA).
In addition, even small businesses must obtain a consumer’s consent for the sale of sensitive personal data.
One of the cornerstones of the Texas bill is a set of rights that a consumer may exercise in respect of their data, including the right to:
Confirm that the data controller is processing their data.
Access their personal data.
Correct inaccuracies in their personal data.
Delete their personal data.
Obtain a copy of their data in a portable and readily usable format.
Opt out of having their data processed for the purpose of targeted advertising, the sale of their data, or profiling that produces a legal or significant effect on the consumer.
The bill requires data controllers to display an accessible and clear privacy notice outlining how they use personal data. In particular, this notice should address:
The categories of personal data being processed, including whether sensitive data is processed.
The purposes of the processing.
How consumers may exercise their rights.
The categories of data that are shared with third parties, as well as the categories of third parties with whom data is shared.
Controllers must limit the collection of personal data “to what is adequate, relevant, and reasonably necessary in relation to the purpose for which that personal data is processed,” and “shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices.” Controllers, as defined by the TDPSA, must perform data protection assessments only for the processing activities set out in the Act: processing for targeted advertising, the sale of personal data, profiling that presents a reasonably foreseeable risk to consumers, processing of sensitive data, and any processing that presents a heightened risk of harm to consumers. Contracts with processors (a person that processes personal data on behalf of a controller) must include requirements to protect consumers’ personal data. (jdsupra)
Tennessee Information Protection Act (July 2025)
The TIPA affects any company that conducts business in Tennessee or produces products or services that target Tennessee residents, and that:
• Exceeds $25 million in annual revenue, and
• Either (1) controls or processes personal information of at least 25,000 consumers and derives more than fifty percent (50%) of gross revenue from the sale of personal information, or (2) during a calendar year, controls or processes personal information of at least 175,000 consumers.
Consumers have the following rights under the TIPA:
The right to confirm whether a controller is processing their personal information.
The right to access their personal information.
The right to correct inaccuracies in their personal information, limited to data the consumer previously provided.
The right to have their personal information deleted.
The right to receive a copy of the personal information held about them in a portable and usable form (data portability).
The right to opt out of the processing of their personal information for targeted advertising, the sale of personal information, or profiling in furtherance of decisions that produce legal or similarly significant effects.
Controllers must (i) obtain a consumer’s consent before processing sensitive data, (ii) implement and maintain reasonable data security practices, (iii) avoid unlawful discrimination, (iv) limit data collection and processing to what is necessary, and (v) provide consumers with a privacy notice. (jdsupra) The TIPA also gives a controller or processor an affirmative defense to an enforcement action if it maintains and complies with a written privacy program that reasonably conforms to the NIST Privacy Framework, so a documented, framework-aligned program is worth more in Tennessee than elsewhere.
Montana Consumer Data Privacy Act (October 2024)
The law applies to a person or company that conducts business in Montana or produces products or services targeted to Montana residents, and that:
• Controls or processes the personal data of not less than 50,000 consumers (defined as Montana residents), excluding data controlled or processed solely to complete a payment transaction; or
• Controls or processes the personal data of not less than 25,000 consumers and derives more than 25 percent of gross revenue from the sale of personal data.
Montana consumers have the right to:
Confirm whether a controller is processing the consumer’s personal data.
Access personal data processed by a controller.
Correct inaccuracies in their personal data.
Delete personal data.
Obtain a copy of personal data previously provided to a controller.
Opt out of the processing of the consumer’s personal data for the purpose of targeted advertising, sales of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
The controller must provide a reasonably accessible, clear, and meaningful privacy notice that includes certain information, such as the categories of personal data that it processes, the purpose for processing personal data, and the categories of personal data that are shared with third parties, if any. (jdsupra)
Iowa – Consumer Data Protection Act (Effective Jan 2025)
The Iowa privacy law applies to companies that conduct business in Iowa or produce products or services that target consumers in the state, and that:
- Control or process the personal data of at least 100,000 Iowa consumers, or
- Control or process the personal data of at least 25,000 consumers and derive more than 50% of their gross revenue from the sale of personal data.
Iowa consumers have the following rights:
The right to confirm whether a controller is processing their personal data and to access that data.
The right to delete the personal data they provided to the controller.
The right to obtain a copy of the personal data they provided to the controller (with some exceptions).
The right to opt out of the sale of personal data.
Data Security: Controllers must adopt and implement reasonable administrative, technical and physical practices for data security, appropriate to the volume and nature of the data.
Sensitive Data: Controllers must provide consumers with clear notice and the ability to opt out before they process sensitive data.
Nondiscrimination: Controllers must not process personal data in violation of state or federal laws prohibiting unlawful discrimination against consumers, and may not discriminate against consumers who exercise their rights under the ICDPA.
Transparency and Purpose Specification: A controller’s privacy notice must disclose: (1) what categories of data are processed; (2) the purpose for such processing; (3) how consumers can exercise their rights; (4) categories of personal data shared with third parties; (5) the categories of those third parties with whom personal data is shared; and (6) how consumers can appeal a business’s refusal to take action on a consumer request. In addition, the controller must clearly and conspicuously disclose that it is selling personal data to third parties and/or engaging in targeted advertising, and the manner in which consumers can opt out of such activity. (AkinGump)
Indiana – Consumer Data Protection Act (Effective Jan 2026)
The Indiana act (also abbreviated ICDPA, not to be confused with Iowa’s) applies to persons conducting business in Indiana or producing products and services targeted to Indiana residents, and that:
- Control or process the personal data of at least one hundred thousand (100,000) consumers who are Indiana residents; or
- Control or process the personal data of at least twenty-five thousand (25,000) consumers who are Indiana residents and derive more than fifty percent (50%) of their gross revenue from the sale of personal data.
Indiana consumers have the following rights:
The right to confirm whether or not a data controller is processing their personal data, and the ability to access that data.
The right to correct any information that may have become inaccurate/obsolete/misleading since it was collected.
The right to request the deletion of any personal data collected by or provided to a controller.
The right to obtain either a copy of or a representative summary of their personal data previously provided to the controller in a portable and readily usable format that allows the consumer to transmit the data or summary to any controller without any hindrance.
The right to opt out of the processing of their personal data for purposes of:
- Targeted advertising;
- Sale of personal data;
- Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Controllers are required to conduct a data protection impact assessment (DPIA) for the following processing activities:
- Personal data processed for targeted advertising
- Personal data sold
- Sensitive data being processed
- Personal data processed for profiling that presents a reasonably foreseeable risk to consumers
- Any other processing that presents a heightened risk of harm to consumers
Data controllers must provide a “reasonably accessible, clear, and meaningful” privacy notice to consumers, including:
- Categories of personal data processed
- Purpose of processing personal data
- Mechanism for consumers to exercise their rights (e.g. right to appeal, correction, etc.)
- Categories of personal data shared with third parties
- Categories of third parties that personal data is being shared with (onetrust)
Stay up to date on US Privacy Legislation with the IAPP US State Privacy Legislation Tracker.