Data privacy laws continue to gain momentum among U.S. states. Just this spring, comprehensive consumer privacy bills have been enacted in Indiana, Iowa, Montana, and Tennessee. Florida enacted its Technology Transparency Act in June. Washington has also taken steps toward comprehensive privacy legislation with its My Health My Data Act, although it is more targeted than can be addressed in this overview. In Texas, a comprehensive privacy bill is awaiting the governor’s signature.
The new laws go into effect: Florida, July 2023; Tennessee, July 2024; Montana, October 2024; Iowa, January 2025; and Indiana, January 2026.
These laws have largely followed their predecessors in privacy trends, with a fairly standard offering of consumer rights, duties of controllers and processors, and enforcement power delegated to the states’ respective attorneys general.
So, what can consumers and RIM/IG professionals expect in these new privacy laws?
With consumer rights being some of the more prominent features in privacy regulation, here’s a basic breakdown of individual rights recognized by these states.
Right to access: Consumers in all five states will now have the right to confirm whether a data controller is processing their personal data and obtain a copy of the personal data the controller processes. This right corresponds to the data controller’s obligation to provide notice of processing activities.
Right to correct: Iowa departs from the norm here, choosing not to adopt a consumer’s right to correct inaccuracies in their personal data. The other four state laws, however, give consumers the right to correct their personal data.
Right to delete: While all five states have some version of a right to delete, they vary a bit. Indiana, Tennessee, and Florida have the broadest rights, permitting consumers to invoke the right to request deletion of their data and requiring data controllers to comply with requests to delete personal information collected about the consumer.
Iowa’s law is significantly more restrained, recognizing only a right for consumers to request deletion of personal data they’ve provided to a controller. This means data controllers will not have to delete data they obtained about the consumer from other sources.
Montana’s right is stated broadly, requiring controllers to comply with requests to delete personal data about the consumer, but also provides some conditions. Data controllers here are compliant if they:
- retain a record of the request to delete and keep the minimum data required to ensure the person’s data remains deleted (any retained data may not be used for any purpose other than a specifically exempted one); or,
- opt the consumer out of the processing of their data for any purpose other than exempted purposes.
Right to opt out of processing: Tennessee, Montana, Indiana, and Florida all include some degree of right to opt out of processing of personal data for certain purposes (in addition to sales). Iowa rejoins the group in allowing consumers to opt out of personal data processing for sales or targeted advertising.
Right to portability: All five states include the right for consumers to receive access to their personal data from data controllers in a readily usable format.
Sensitive data: Montana, Indiana, and Tennessee will require the consumer to opt in to having their sensitive personal data processed, and prohibit data controllers from processing sensitive personal data without consent. Iowa, however, will require the consumer to opt out of sensitive personal data processing. Interestingly, Florida’s law doesn’t address sensitive data; however, with the applicability threshold for Florida’s law set at $1 billion in gross annual revenue, its scope will be limited to only the largest companies with business in that state.
Processing Children’s Data: For four out of the five states, “Child” is defined as children under the age of 13, and their personal data is always treated as sensitive data. Florida defines “Child” as children under the age of 18. The parent or legal guardian is entitled to invoke rights on the child’s behalf.
As with other state privacy laws, data controllers should be cautious about collecting and processing children’s data, and should process it in compliance with the federal Children’s Online Privacy Protection Act. COPPA requires operators of websites or online services directed to children (including any operator with actual knowledge that it collects personal information from a child) to provide notice on the website of:
- what information is collected,
- how the information is used, and
- the operator’s disclosure practices.
COPPA also requires covered operators to obtain verifiable parental consent for the collection, use, or disclosure of personal information from children.
Data Controller Responsibilities
Notice Requirements: All five states have some sort of notice/transparency requirement for data controllers, including requiring them to notify consumers whose personal data they process. Generally, controllers regulated by these new laws must give notice to consumers of the following information:
- A means and method for contacting the controller to exercise consumer rights;
- the types of information processed and purposes for processing; and
- whether data is shared with third parties, and if so, with whom it is being shared.
Also, controllers selling (distinguished from sharing) personal data to third parties or using the data for targeted advertising must disclose the activity and provide the consumer the ability to opt out. Florida goes a bit further, requiring data controllers to respect the consumer’s decision to opt out and wait at least 12 months before asking the consumer to again authorize the sale or sharing of their personal information.
Duty to Respond: Under these new laws, data controllers must respond to authenticated consumer requests to exercise rights within a limited time. Florida, Indiana, Montana, and Tennessee require the data controller to respond within 45 days of receipt; Iowa provides 90 days.
No Discrimination: All five states are consistent in prohibiting data controllers from discriminating against consumers who invoke their data protection rights under the laws. Data controllers, however, are generally not required to provide a good or service that requires the personal data of a consumer the controller doesn’t collect or keep.
Risk Assessments and Data Security: Indiana, Montana, and Tennessee all include requirements for data controllers to conduct risk assessments for the personal data they process, which may be requested by the enforcing authorities in each state. Iowa and Florida notably omit this requirement, but rejoin the group when it comes to data security requirements.
All five states require data controllers to implement administrative, technical, and physical data security practices to protect the personal data they process. This includes ensuring the data processors they contract with also have adequate data security. Generally, these requirements don’t outline any specific means or methods of practice; instead, controllers must ensure security measures be “appropriate to the volume and nature of the personal data at issue.”
Reasonable Collection Limits: Finally, these states have common provisions limiting the collection or processing of personal data to that which is adequate, relevant, and reasonably necessary to the processing purposes disclosed to the consumer. Data controllers should be ready to defend why they collect and process personal data. They should be particularly cautious about over-collection and use for purposes not either explicitly permitted or required under the law, and not previously disclosed to the affected consumer.
Data controllers subject to Florida’s law should also be aware that Florida has prohibited controllers from collecting, without the consumer’s explicit authorization, precise geolocation data or personal information through the operation of voice recognition features. Florida also requires data controllers who operate search engines to provide notice of how the search engine algorithm prioritizes or deprioritizes political partisanship or political ideology in its search results.
None of the five states have included a private right of action, opting to delegate sole enforcement power to the attorneys general of each state. Attorneys general are uniformly required to provide notice of violation to controllers and processors before taking further action, with varying periods to reach compliance. Tennessee and Montana provide a 60-day cure period, while Iowa provides a more generous 90 days. Indiana and Florida keep controllers and processors on a much shorter leash, with a 30-day and 45-day cure period, respectively.
As U.S. states continue to enact data privacy laws, RIM and IG professionals can expect many of the same policies repeated, with perhaps only slight adjustments by each new state. Consistent data privacy practices should help businesses with compliance, though the growing patchwork of laws will also keep RIM professionals on their toes looking for different or conflicting provisions, restrictions, and requirements.