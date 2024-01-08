Looking back sometimes means looking forward. That is absolutely the case for new comprehensive data privacy statutes enacted in a number of U.S. states during 2023, including Indiana, Tennessee, Montana, Florida, Texas and Oregon. While these states have now codified a range of consumer rights with respect to their personal data, as well as new obligations imposed on covered businesses collecting and processing that data, the new laws do not take effect until the middle of 2024 or beyond. All the same, companies who may be subject to these laws in the future should start preparing now to comply with what are becoming increasingly standardized requirements across many U.S. states.

To assist our readers become more familiar with the new laws, we have prepared a summary chart below describing key features with respect to consumer rights, business obligations, and enforcement provisions. A few things jump out – for example, the laws are strikingly similar and provide consumers with nearly identical rights to request information about personal data a business is collecting and to exercise greater control over how it will be used. Covered businesses will also have largely consistent obligations with respect to personal data they are collecting with only minor variations (e.g., how often consumers may request information about their personal data, or when data impact assessments will need to be conducted, or when consent may be required for collecting a minor's information for targeted advertising purposes). Potential penalties vary somewhat but all of the states will rely on state attorneys general offices to enforce their statutes, rather than provide consumers with a private right of action.

For more comprehensive summaries of each statute, we invite you to review our blog posts from earlier this year by clicking the following links: Indiana, Tennessee, Montana, Florida and Texas. These articles have direct links to the laws as well. If you have any questions related to state consumer data privacy laws, please feel free to contact anyone from Mintz's Privacy & Cybersecurity team.

Similar to existing state privacy laws, the new laws establish applicability thresholds described in the chart below for determining what are covered businesses subject to the statute.

INDIANA Persons that conduct business in Indiana or targeting products / services to residents in Indiana, and during a calendar year the business: Control or process personal data of 100,000 or more IN consumers who are residents; or Control or process personal data of 25,000 IN consumers who are residents and derives more than 50% of gross revenue from sale of personal data. TENNESSEE Persons that conduct business in Tennessee or targeting products / services to residents in Tennessee, if, during a calendar year the company generates at least $25 million in gross annual revenue and must either: Control or process personal data of 170,000 or more TN consumers; or Control or process personal data of 25,000 TN consumers and derives more than 50% of gross revenue from sale of personal information. MONTANA Persons that conduct business in Montana or targeting products / services to residents in Montana, and during a calendar year the company: Control or process personal data of 50,000 or more MT consumers, excluding for the purpose of completing payment transactions; or Control or process personal data of 25,000 MT consumers and derives more than 25% of gross revenue from sale of personal data. FLORIDA Persons that generate at least $1 billion in gross revenue and must either: Derive 50% or more of its global annual revenues from targeted advertising or the sale of ads online; Operate a consumer smart speaker and voice command service with an integrated virtual assistant through a cloud service and hands-free verbal activation, or Operate an app store that offers at least 250,000 software applications for consumers to download. TEXAS Persons that: Conduct business in Texas or produce products / provide services consumed by residents of Texas; Process or engage in the sale of personal data; and Do not qualify as a small business as defined by the United States Small Business Administration (with limited exceptions). OREGON Persons that conduct business in Oregon or that provide products / service to residents in Oregon, and during the calendar year the company: Control or process personal data of 100,000 or more OR consumers, other than for completing a payment transaction; or Control or process personal data of 25,000 OR consumers and derive 25% or more of gross revenue from sale of personal data.



In addition to the applicability requirements of each law, the chart below provides a snapshot of consumer rights, business obligations and enforcement provisions addressed by the new state consumer privacy laws passed in 2023. Please note that the consumer rights created by these new laws are not available with respect to personal data collected from individuals acting in a commercial context (i.e., B2B) or employment context.

CONSUMER RIGHTS INDIANA TENNESSEE MONTANA FLORIDA TEXAS OREGON Right to know Yes Yes Yes Yes Yes Yes Right to access Yes Yes Yes Yes Yes Yes Right to correct Yes Yes Yes Yes Yes Yes Right to delete Yes Yes Yes Yes Yes Yes Right to portability Yes Yes Yes Yes Yes Right to opt out of targeted advertising Yes Yes Yes Yes Yes Yes Right to opt out of sale of personal data Yes Yes Yes Yes Yes Yes Right to opt-out of profiling Yes Yes Yes Yes Yes Yes Right to opt in for sensitive data processing Yes Yes Yes Yes Yes Yes Right to opt in or out the collection of precise geolocation data or voice recognition features Yes, opt in for geolocation data Yes, opt in for geolocation data Yes, opt in for geolocation data Yes, opt out for both Yes, opt in for geolocation data Yes, opt in for both

BUSINESS OBLIGATIONS INDIANA TENNESSEE MONTANA FLORIDA TEXAS OREGON Respond to consumer requests Within 45 days (may be extended 45 days) Within 45 days (may be extended 45 days) Within 45 days (may be extended 45 days) Within 45 days (may be extended 45 days) Within 45 days (may be extended 45 days) Within 45 days Provide required information to consumers free of charge Yes, up to 1x per year Yes, up to 2x per year Yes, up to 1x per year Yes, up to 2x per year Yes, up to 2x per year Yes, up to 1x per year Authenticate requests Yes Yes Yes Yes Yes Yes Establish a process for consumers to appeal any refusal to take action Yes Yes Yes Yes Yes Yes Provide a "reasonably accessible" and clear privacy notice Yes Yes Yes Yes Yes Disclose any sale of personal data or use of personal data for targeted advertising (and how to opt-out) Yes Yes Yes Yes Yes Yes Conduct and document data protection impact assessments for processing activities generated: After December 31, 2025 On or after July 1, 2024 After January 1, 2025 On or after July 1, 2023 After July 1, 2024 On or after July 1, 2024 Limit collection of personal data to what is adequate, relevant and reasonably necessary in relation to the disclosed purposes Yes Yes Yes Yes Yes Yes Process personal data solely for disclosed purposes or purposes compatible with disclosures, unless the consumer consents Yes Yes Yes Yes Yes Yes Do not discriminate against a consumer for exercising any consumer rights Yes Yes Yes Yes Yes Yes Obtain consent before selling or using data from users between 13 and 15 years of age for targeted advertising No No Yes No No Yes

ENFORCEMENT INDIANA TENNESSEE MONTANA FLORIDA TEXAS OREGON Private right of action No No No No No No Enforcement Attorney General Attorney General Attorney General Florida Department of Legal Affairs Attorney General Attorney General Opt-in default for sensitive data (requirement age) 13 years of age 13 years of age 13 years of age 13 years of age 13 years of age 13 years of age Right-to-cure period 30 days 60 days 60 days* 45 days 30 days 30 days* Max civil fine per violation $7,500 $7,500 None established $50,000 $7,500 $7,500 Effective date January 1, 2026 July 1, 2025 October 1, 2024 July 1, 2024 July 1, 2024 July 1, 2024, July 1, 2025 for non-profits



*The procedural notice and cure period will sunset on April 1, 2026 for Montana and January 1, 2026 for Oregon.

We expect that 2024 will bring new state data privacy laws, in the absence of a federal omnibus privacy statute. Watch this space.

