Continuing the state-by-state legislative trend, three more state legislatures (Indiana, Montana, and Tennessee) have passed comprehensive data privacy laws (their respective “Acts”). Even while a federal comprehensive data privacy law remains elusive, these laws join the patchwork of data privacy laws in California, Colorado, Connecticut, Iowa, Utah, and Virginia. Below are some highlights from these Acts:

  • Effective Dates. The Acts all push effective dates of these laws beyond 2023. The Tennessee Act becomes effective on July 1, 2024, the Montana Act becomes effective on October 1, 2024, and the Indiana Act becomes effective on January 1, 2026.
  • Volume or Revenue Application Thresholds. All three new laws use a test to determine whether the state’s data privacy obligations apply, based on the number of consumers involved or the revenue generated from the sale of data. It is important to note that none of these laws recognizes a minimum revenue limit, so they are likely to affect smaller businesses. The Montana Act also maintains the lowest volume threshold of all current data privacy laws, at 50,000. The thresholds for application are in the chart below.[1]

| State | Indiana | Montana | Tennessee |
| --- | --- | --- | --- |
| Volume threshold | Collection/process personal data of 100,000 consumers | Collection/process personal data of 50,000 consumers | Collection/process personal data of 100,000 consumers |
| Sell/Share threshold | Control/process personal data of at least 25,000 consumers and derives more than 50% of gross revenue from the sale of personal data | Control/process personal data of not less than 25,000 consumers and derive more than 25% gross revenue from the sale of personal data | Control/process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information |

  • Opt-Out Options for Sensitive Data. The Montana Act and the Tennessee Act require entities to present consumers with clear notice and the opportunity to opt out before the collection of “sensitive data” (e.g., precise geolocation data or biometric data), while the Indiana Act requires express consent by having the consumer choose to opt in prior to the collection of sensitive data.[2] This contributes to a growing conflict among state laws over whether some types of data should be handled on an opt-in or opt-out basis.
  • Data Impact Assessments. The Acts all require entities to conduct risk assessments of certain processing activities with “heightened risks of harm” (referred to as data protection impact assessments or data protection risk assessments).[3] 
  • Global Opt-Out Preference Signal. The Montana Act joins the data privacy laws in California, Connecticut and Colorado in requiring companies to recognize the global opt-out signal but delays the compliance deadline to January 1, 2025.[4]
  • Security Program Compliance. The Tennessee Act introduces a new concept for these comprehensive data privacy laws by requiring entities to create, maintain, and comply with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework.[5]
  • No Private Rights of Action & Cure Period. The Acts all limit enforcement authority to their respective attorneys general and do not provide a private cause of action for their consumers.[6] For now, each one also allows for a cure period when a violation occurs, but with differing time frames: Indiana at 30 days[7], Tennessee at 60 days[8], and Montana at 60 days, but it will sunset April 1, 2026.[9]

Key Takeaways

  • National vs. Localized Data Privacy Program. As the list of states with separate (and disparate) data privacy laws grows, national and international companies will need to determine whether to segment compliance efforts state by state or employ a global program applying the most restrictive aspects of each law to all states. While most of these laws employ a similar framework, significant deviations among them, such as opt-in versus opt-out rights, may force a default program of opting in.
  • Enactment dates. These three laws, like Iowa’s, have established effective dates sufficiently far in the future that the American Data Privacy and Protection Act (ADPPA), proposed national legislation, may preempt them before they go into effect. The ADPPA would go into effect six months after enactment. That said, enterprises are better off assuming that these new statutes will go into effect.
  • New Privacy Requirements for Local Entities. While these are not novel obligations for businesses already operating in states like Colorado or Virginia, businesses collecting only personal information of Indiana, Montana, or Tennessee residents will need to invest in a privacy compliance program. With the closest effective date in July 2024, businesses have plenty of time to develop one.

[1] Ind. Code § 24-15-1-1(a); Mont. Code Ann. § 30-14-3; Tenn. Code Ann. § 47-18-3202.

[2] Ind. Code § 24-15-4-1(5); Mont. Code Ann. § 30-14-7(2)(b); Tenn. Code Ann. § 47-18-3204(a)(6).

[3] Ind. Code § 24-15-6-1; Mont. Code Ann. § 30-14-9; Tenn. Code Ann. § 47-18-3206.

[4] Mont. Code Ann. § 30-14-6(b).

[5] Tenn. Code Ann. § 47-18-3213(a)(1).

[6] Ind. Code § 24-15-10-4.

[7] Ind. Code § 24-15-10-3(a).

[8] Tenn. Code Ann. § 47-18-3212(b).

[9] Mont. Code Ann. § 30-14-12(b).