Tennessee, Montana, Iowa, and Indiana have each recently passed a consumer privacy statute in recent weeks. These laws follow the same trend started by California’s Consumer Privacy Act by granting consumers the right to know whether a company is processing their data; the right to access that data, obtain a copy, and to have it deleted; and to opt out of the sale of personal data. Similar to Connecticut’s Data Privacy Act, which appears to be emerging as a new standard, these laws grant special protections to children’s data up to age 16. The three statutes additionally impose data security, use and collection limitations, and consumer disclosure requirements.

However, each law comes with its own quirks. For example, Iowa’s Consumer Data Privacy Act includes a 90-day cure period for businesses before state Attorney General enforcement. None of these new laws provide consumers with a private right of action. California remains the only state to include a private right of action for consumer privacy violations. In addition, each of the new state privacy laws excludes an individual acting in a commercial or employment context, a move away from California’s law that applies in those scenarios.

Tennessee’s Information Protection Act was signed into law by Governor Bill Lee on May 11, 2023, and takes effect on July 1, 2024, the soonest of the additional four states to become effective. It applies to people conducting business in Tennessee or producing products or services that are targeted to residents of Tennessee that either control or process personal information of at least 100,000 consumers during a calendar year or control or process personal information of at least 25,000 consumers and derive more than 50 percent of their gross revenue from the sale of personal information. The Tennessee Attorney General has jurisdiction over violations and may seek civil penalties of up to $15,000 for each violation.

Montana’s Consumer Data Privacy Act goes into effect October 1, 2024. It applies to Montana companies that process or control the personal data of 50,000 or more Montana residents or control or process the personal data of 25,000 or more consumers and derive more than 25 percent of gross revenue from the sale of personal data.

Iowa’s Consumer Data Privacy Act becomes effective January 1, 2025. It applies to Iowa companies that control or process the personal data of at least 100,000 Iowa residents or derive more than 25 percent of gross revenue from the sale of personal data.

Indiana’s Consumer Data Privacy Act goes into effect January 1, 2026. It applies to Indiana companies that control or process the personal data of at least 100,000 Iowa residents or derive more than 25 percent of gross revenue from the sale of personal data. We will continue to monitor these consumer privacy laws as more states surely follow suit.

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.