Montana, Tennessee, and Texas have all passed state-level consumer privacy laws in recent weeks, becoming the eighth, ninth, and tenth states to do so. While the nuances of the laws differ somewhat, collectively they reinforce the need for organizations to base their privacy policies and procedures not on the specificities of a given law, but rather on fundamental principles and best practices.
On April 21, 2023, the Montana state legislature unanimously passed the Montana Consumer Data Privacy Act (MCDPA) (SB 384), which is scheduled to go into effect on October 1, 2024. Shortly thereafter, on May 10th, the Texas Senate passed H.B. 4, the Texas Data Privacy and Security Act (TDPSA), which is heading to Governor Greg Abbott for final signature. If signed, it will go into effect on March 1, 2024. Just one day later, on May 11th, the Tennessee Information Protection Act (TIPA) passed unanimously through both legislative chambers and was signed into law by Governor Bill Lee. It won’t go into effect until July 1, 2025.
Montana’s law closely resembles Connecticut’s, with its requirement for recognition of universal opt-outs like the Global Privacy Control and a lower threshold of 50,000 residents, rather than the 100,000 required by many laws. It requires businesses to conduct privacy assessments for processing activities and to provide accessible, clear, and meaningful privacy notices for consumers. Citizens have data rights of access, deletion, correction, and portability. Its 60-day cure period sunsets in 2026.
Of existing state privacy laws, the TDPSA most closely resembles Virginia’s, with some extended protections related to personal, pseudonymous, and de-identified data, as well as a broader definition of “sale” of data, covering non-monetary, but nonetheless valuable, transactions. Texas’s law provides similar rights to its residents as Montana’s law (access, correction, deletion, portability, the right to opt out of certain processing), as well as including requirements relating to data minimization, limits for processing, security, and privacy assessments. It does not include a private right of action, and violations would be subject to $7,500 fines if not cured within a 30-day period.
Like TDPSA, TIPA aligns closely with Virginia’s VCDPA, applying to businesses that “control or process personal information” of 100,000 consumers or derive more than 50% of their revenue from the sale of personal information. Unlike any other state’s law so far, it requires businesses to adhere to the National Institute of Standards and Technology’s (NIST) Privacy Framework—and requires them to keep up to date with its policies as they evolve over time. It provides similar rights to citizens as Montana’s law and requires clear, accessible privacy notices. Unlike Montana’s, its 60-day cure period does not expire.

States are taking data privacy seriously, and we have seen tremendous growth with five new privacy laws being passed in just one legislative session. Consumers are expecting data privacy protections from all companies, regardless of the size. Companies are often pushing these data privacy obligations down to their vendors, which means companies in the B2B space may experience a sales impact if they do not comply. Companies who do recognize privacy and incorporate it into their marketing and sales activities, as well as features, if applicable, have an advantage over the companies that might choose to take the slower approach.
Companies that have a solid understanding of how data is collected, used, stored and shared will have an advantage in complying with these laws. Companies will need to determine if they have a scalable process for honoring individual rights and if they have trained teams on data privacy, including the marketing and product teams as they launch new initiatives. Privacy is not just the legal or compliance department’s responsibility; it’s everyone’s.
State Laws
While Indiana’s privacy law is new, several laws passed in the recent past are going into effect in 2023, including in California, Colorado, and Connecticut. If you want to make sure you’re able to comply with these laws, check out Exterro’s 3 C’s Privacy Pack.