
The Business Lawyer

Spring 2024 | Volume 79, Issue 2

State Privacy Law Updates—An Ever-Growing List of States

Sanford P Shatz and Paul J Lysobey


Abstract

Six new states enacted data privacy laws.

These laws affect a consumer's ability to know what data is collected and why, how that data is used, with whom that data is shared, and how the consumer can obtain a copy of, correct, or delete that data.

Introduction

In the first half of 2023, state legislatures have continued the trend of enacting comprehensive privacy laws, with, in order of enactment, Iowa, Indiana, Tennessee, Montana, Texas, and Oregon joining the list of states with comprehensive privacy laws. These states have followed California, Colorado, Connecticut, Utah, and Virginia, which have enacted their own comprehensive privacy laws in prior years. This survey provides an overview of the newly enacted state privacy laws. At a high level, the newly enacted laws in Iowa, Indiana, Tennessee, Montana, Texas, and Oregon generally adopt the major substantive provisions and themes from earlier privacy laws, with each law specifying to whom it applies, exemptions from applicability, consumer rights, responsibilities of controllers, and how the laws are enforced. This survey addresses these major themes at a high level and notes major differences between these six new state laws. However, this survey does not address every aspect of each law and is meant only to provide a general overview of the common concepts in each law. This survey also provides an update on laws enacted in prior years that are currently in effect, or that will be in effect soon.

Six New State Privacy Laws

Like current state privacy laws, the privacy laws in Indiana, Iowa, Montana, Oregon, Tennessee, and Texas apply to “controllers” and “processors” of personal data, provided that the entity in question meets certain triggering requirements. As an initial matter, because of the varying applicability of each law, it is important to first understand each law and to whom it applies.

Applicability

The Iowa CDPA, Indiana CDPA, and the Tennessee IPA have substantially similar scope requirements. Using the Iowa CDPA as an example, the law applies to:

[A] person conducting business in [Iowa] or producing products or services that are targeted to consumers who are residents of the state and that during a calendar year does either of the following: (a) Controls or processes personal data of at least 100,000 consumers; [or] (b) Controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.

Indiana and Tennessee have almost identical scope requirements.

The Montana CDPA has a slightly broader scope requirement in that it applies to:

[P]ersons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and: (1) control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

For the Oregon CPA, the law has a similar scope to the Montana CDPA, but has a higher threshold for applicability, as it applies to:

[A]ny person that conducts business in this state, or that provides products or services to residents of this state, and that during a calendar year, controls or processes: (a) The personal data of 100,000 or more consumers, other than personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) The personal data of 25,000 or more consumers, while deriving 25% or more of the person’s annual gross revenue from selling personal data.

The Texas DPSA has the most unique applicability section, in that the law applies to a person that:

(1) conducts business in [Texas] or produces a product or service consumed by residents of this state; (2) processes or engages in the sale of personal data; and (3) is not a small business as defined by the United States Small Business Administration, except to the extent that Section 541.107 [prohibition on the sale of sensitive personal data without prior consent] applies to a person described by this subdivision.

Therefore, instead of making the law’s applicability tied to the number of consumers, the Texas DPSA is more focused on the size of the business in question, so long as it conducts business in Texas and processes or sells consumer data.

As in most other state privacy laws, the entity subject to each of these laws is designated as a “controller” or “processor” of personal data. A “controller” means “a person that, alone or jointly with others, determines the purpose and means of processing personal data.” “Processor” generally means “a person that processes personal data on behalf of a controller” and “processing” means “any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.” Each of these laws also generally provides a similar definition for “personal data,” and defines the term to essentially mean information that is “linked to or reasonably linkable to” an identified individual or consumer, but excluding certain information such as “de-identified data,” publicly available information, and, in some states, “aggregate data.”

Exemptions

The state privacy laws enacted in 2023 all include a comprehensive list of persons and types of data that are not subject to the respective law. Notably for financial institutions, most of these state laws provide some form of an exemption for financial institutions governed by or data subject to the Gramm-Leach-Bliley Act (“GLBA”). The Iowa CDPA, Indiana CDPA, and Tennessee IPA exempt financial institutions and affiliates under the GLBA or “data subject to” the GLBA. Similarly, the Texas DPSA exempts “a financial institution or data subject to” the GLBA, but does not expressly exempt affiliates of financial institutions. In contrast, while the Montana CDPA exempts financial institutions and affiliates governed by the GLBA, the data-level exemption only relates to “personal data collected, processed, sold, or disclosed in accordance with” the GLBA.

Oregon has deviated from most other state privacy laws enacted to date by providing a narrower exemption for financial institutions. With respect to financial data, the Oregon CPA does not apply to “[i]nformation collected, processed, sold or disclosed under and in accordance with [the GLBA].” Thus, the data-level exemption in Oregon is most similar to the data exemption under the Montana CDPA. However, the financial institution exemption is more limited because the Oregon CPA only exempts “[a] financial institution, as defined in ORS 706.008, or a financial institution’s affiliate or subsidiary that is only and directly engaged in financial activities, as described in 12 U.S.C. § 1843(k).” Under the referenced Oregon statute, “financial institution” is defined as “an insured institution, an extranational institution, a credit union . . . , an out-of-state credit union . . . or a federal credit union.” “Insured institution” means “a company, the deposits of which are insured under the provisions of the Federal Deposit Insurance Act.” Therefore, instead of exempting any financial institution as defined under the GLBA, the Oregon CPA only exempts financial institutions as defined under Oregon law, which appears to ultimately mean entities with deposits that are insured by the Federal Deposit Insurance Corporation (“FDIC”). Consequently, under the Oregon CPA, essentially only depository institutions insured by the FDIC and state or federal credit unions would be exempt from the law as a financial institution. This is a much narrower grouping of entities than entities under the GLBA exemption in most states, since the GLBA definition of financial institution includes any entity offering a financial product or service. This means that the GLBA definition of financial institutions encompasses not only depository institutions, but also other companies, such as non-bank lenders, brokers, or arrangers of loans, mortgage companies, money transmitters, and virtually any other entity broadly engaged in offering a financial product or service. Consequently, the entity-level exemption for financial institutions under the Oregon CPA is much more limited than the financial institution exemption found in most other states’ privacy laws.

Among many other exemptions listed in these statutes, notable exemptions under the laws include: governmental entities; a nonprofit corporation or institution of higher education; protected health information under the Health Insurance Portability and Accountability Act; certain types of data subject to regulation under the Fair Credit Reporting Act; and data processed or maintained in the context of employment purposes for purposes such as maintaining emergency contact information or to administer benefits.

Consumer Personal Data Rights

At a broad level, the laws in Indiana, Montana, Oregon, Tennessee, and Texas establish the following rights for consumers: the right to confirm whether a controller is processing the consumer’s personal data and the right to access the consumer’s personal data; the right to correct inaccuracies in a consumer’s personal data that the consumer provided to the controller; the right to delete the consumer’s personal data; the right to obtain a copy of the consumer’s personal data; and the right to opt out of the processing of the consumer’s personal data for certain purposes, including targeted advertising or the sale of personal data. The rights established under the Iowa CDPA are similar, except that the Iowa law does not include the right to correct inaccuracies. These rights generally follow the rights established in previously enacted state privacy laws.

Exercising Consumer Rights and Responding to Requests

A consumer may exercise a right by submitting a request to a controller specifying the rights the consumer intends to exercise. The process for responding to a consumer request is very similar between the laws in each of these states. As a general rule, in Indiana, Tennessee, Montana, Texas, and Oregon, the controller must take action and respond to a consumer’s request without “undue delay,” but no later than forty-five days after receipt of the consumer’s request. Iowa is the outlier from this requirement, because it provides the controller with an initial ninety-day window to respond to the request. The controller may extend the initial forty-five-day period by an additional forty-five days (or a ninety-day period in Iowa) if reasonably necessary due to the amount or complexity of requests. If the controller has grounds to extend the initial forty-five-day period, the controller must inform the consumer before the initial forty-five-day period expires of the length of the extension and the reasons for the extension. If a controller declines to take action in response to a request, the controller must inform the consumer of the reasons for not taking action without “undue delay,” which generally means within forty-five days after receipt of the request.

If the controller fails to take action under the respective state privacy laws, in addition to informing the consumer of the reasons for not taking action, the controller must inform the consumer in writing with information regarding how to appeal the decision. The appeal is generally done through an internal process that the controller is required to establish. If an appeal is denied the controller also must provide the consumer information regarding how to contact the respective state attorney general to submit a complaint. The controller generally must provide an “online mechanism” to submit a complaint to the attorney general in this context.

Duties of Controllers

Each of the states with newly enacted laws generally provides similar duties for controllers. Among other duties specified under each law, common duties include: the duty to limit collection of data to what is “adequate,” “relevant,” and “necessary” with respect to the processing purposes as disclosed to the consumer; the duty to implement security practices and safeguards to protect the “confidentiality, integrity, and accessibility” of personal data; the duty to not process personal data in violation of state or federal laws prohibiting discrimination, unless a statutory exception applies; and the duty to not process “sensitive data” about a consumer without obtaining the consumer’s consent, with additional requirements applying for processing sensitive data regarding a known child. Controllers also must provide consumers with a “reasonably accessible, clear, and meaningful” privacy notice that includes certain required content.

Enforcement Authority

Under all of the privacy laws newly enacted in 2023, the attorney general in each respective state has exclusive authority to enforce the law, and none of these laws contains a private right of action. Each law also requires the attorney general to provide a controller or processor with a written notice identifying each alleged violation of the law prior to bringing an action, and to allow for a specified period of time to cure the violation. The notice and cure period in Indiana, Texas, and Oregon is thirty days after receipt of the notice from the attorney general. The notice and cure period in Tennessee and Montana is sixty days, while Iowa provides for a ninety-day period. In Iowa, Indiana, Texas, and Oregon, the attorney general may recover a civil penalty of up to $7,500 per violation, while the Tennessee IPA allows for a penalty of up to $15,000 per violation. The Montana CDPA does not provide a specific monetary penalty amount.

Update on Currently Enacted Laws

As noted above, the six new state privacy laws enacted in 2023 have joined already existing comprehensive privacy laws in California, Colorado, Connecticut, Utah, and Virginia. The California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CPRA”), became effective on January 1, 2023. The Virginia Consumer Data Protection Act also became effective on January 1, 2023. The Colorado Privacy Act and the Connecticut Data Privacy and Online Monitoring Act became effective on July 1, 2023. The Utah Consumer Privacy Act will become effective on December 31, 2023. In addition, the regulations implementing the CPRA amendments were only finalized on March 29, 2023. The CPRA regulations were initially meant to be enforced as of July 1, 2023. However, a June 30, 2023, ruling from the Sacramento County Superior Court held that the California Privacy Protection Agency (“CPPA”) could not enforce the CPRA regulations until March 29, 2024, based in part on the CPPA’s delay in finalizing the CPRA regulations. Therefore, businesses subject to the CPRA now have more time to come into compliance with the implementing regulations.
