Tennessee, Montana, Iowa, and Indiana have each recently passed a consumer privacy statute in recent weeks. These laws follow the same trend started by California’s Consumer Privacy Act by granting consumers the right to know whether a company is processing their data; the right to access that data, obtain a copy, and to have it deleted; and to opt out of the sale of personal data. Similar to Connecticut’s Data Privacy Act, which appears to be emerging as a new standard, these laws grant special protections to children’s data up to age 16. The three statutes additionally impose data security, use and collection limitations, and consumer disclosure requirements.
However, each law comes with its own quirks. For example, Iowa’s Consumer Data Privacy Act includes a 90-day cure period for businesses before state Attorney General enforcement. None of these new laws provide consumers with a private right of action. California remains the only state to include a private right of action for consumer privacy violations. In addition, each of the new state privacy laws excludes an individual acting in a commercial or employment context, a move away from California’s law that applies in those scenarios.
Tennessee’s Information Protection Act was signed into law by Governor Bill Lee on May 11, 2023, and takes effect on July 1, 2024, the soonest of the additional four states to become effective. It applies to people conducting business in Tennessee or producing products or services that are targeted to residents of Tennessee that either control or process personal information of at least 100,000 consumers during a calendar year or control or process personal information of at least 25,000 consumers and derive more than 50 percent of their gross revenue from the sale of personal information. The Tennessee Attorney General has jurisdiction over violations and may seek civil penalties of up to $15,000 for each violation.
Montana’s Consumer Data Privacy Act goes into effect October 1, 2024. It applies to Montana companies that process or control the personal data of 50,000 or more Montana residents or control or process the personal data of 25,000 or more consumers and derive more than 25 percent of gross revenue from the sale of personal data.
Iowa’s Consumer Data Privacy Act becomes effective January 1, 2025. It applies to Iowa companies that control or process the personal data of at least 100,000 Iowa residents or derive more than 25 percent of gross revenue from the sale of personal data.
Indiana’s Consumer Data Privacy Act goes into effect January 1, 2026. It applies to Indiana companies that control or process the personal data of at least 100,000 Iowa residents or derive more than 25 percent of gross revenue from the sale of personal data. We will continue to monitor these consumer privacy laws as more states surely follow suit.