Introduction
In recent years, the importance of data privacy has gained significant attention worldwide. Governments and organizations alike are increasingly recognizing the need for robust data protection laws to safeguard individuals’ personal data. In this comprehensive analysis, we delve into the recent developments of Indiana, Montana, and Tennessee’s general data privacy laws, exploring their key provisions, implications, and the broader context of data privacy legislation in the United States.
Background
The digital age has ushered in an era where personal data is being collected, processed, and shared on an unprecedented scale. As technology advances, so does the need for comprehensive legal frameworks to ensure individuals’ privacy rights are upheld. Recognizing this imperative, several states in the US have taken proactive steps to enact data privacy laws in the absence of a comprehensive US Federal data privacy regulation, with Indiana, Montana, and Tennessee being the most recent additions to this growing list.
Indiana’s General Data Privacy Law – Effective Date, January 1, 2026
Indiana’s General Data Privacy Law, The Indiana Consumer Data Protection Act (ICDPA), aims to provide residents with enhanced control over their personal data while imposing obligations on businesses to ensure responsible data handling practices. The key provisions of Indiana’s data privacy law include:
Terms: Consumer, Personal data
- The term “Consumer” is explicitly defined as a natural person, residing in Indiana, who interacts with the business in a personal capacity. It is important to note that this specific definition unequivocally excludes both employees and business-to-business relationships, underscoring that they do not fall under the classification of “consumer”.
- The term “Personal data” is defined as information that can be directly linked, or is reasonably connectable to an identifiable or identified individual. It is crucial to understand that this definition deliberately excludes de-identified data, aggregate data, and publicly accessible data.
Scope: The law applies to businesses that collect personal data from Indiana residents and meet certain data processing thresholds. Contrasting with the consumer privacy laws of California and Utah, the Indiana Consumer Data Privacy Act (ICDPA) distinguishes itself by not establishing a revenue threshold for its application. The requisite conditions for a business to be governed by the ICDPA are twofold: the business must either operate in Indiana or deliberately target its products or services to consumers in Indiana, and it must also meet one of the following criteria:
- Control or process the personal data of 100,000 or more Indiana consumers; or
- Control or process the personal data of at least 25,000 Indiana consumers and obtain more than half of its gross revenue from the sale of such data.
Consumer Rights: Indiana residents are granted various rights, such as the right to access their personal data, request its deletion, and opt-out of the sale of their personal data.
Data Breach Notification: Businesses must promptly notify affected individuals in the event of a data breach of their personal data that poses a risk of harm.
Data Protection Assessments: Certain businesses are required to conduct regular assessments to identify and address potential data privacy risks.
For more information, find the ICDPA Senate Bill 5 here.
Montana’s Data Privacy Act – Effective Date, October 1, 2024
Montana’s Data Privacy Act follows a similar trajectory as other state privacy laws, emphasizing transparency, consumer rights, and corporate accountability. The key elements of Montana’s data privacy law include:
Terms: Consumer, Personal data
- The term “Consumer” is specifically defined as a natural person who is domiciled in Montana and engages with the business in a personal capacity. It’s paramount to note that this distinct definition deliberately leaves out both employees and business-to-business (B2B) relationships, indicating that they do not fall within the ambit of the term “consumer”.
- “Personal data” is definitively described as information that can be associated, or reasonably linked, to an identified or identifiable individual. Nevertheless, it’s critical to highlight that this definition explicitly omits deidentified data and data that is publicly accessible.
Scope: The law applies to businesses that collect personal data from Montana residents and meet specific criteria based on revenue or data processing activities. The Montana Consumer Data Privacy Act (MCDPA) is characterized by distinctive thresholds that serve as one of its most unique elements. The regulation applies to businesses that either operate in Montana or aim their products or services at consumers within the state, with the following conditions set as the application criteria:
- Control or process the personal data of at least 50,000 Montana consumers. It’s essential to note that this does not include data managed or processed exclusively for payment transaction completion.
- Control or process the personal data of a minimum of 25,000 Montana consumers and generate more than a quarter of their gross revenue from the sale of this data.
Consumer Rights: Montana residents are granted rights such as the right to access their personal data, correct inaccuracies, and opt-out of the sale of their personal data.
Sensitive Data: The law places additional safeguards on the processing of sensitive information, including biometric data, health information, and precise geolocation data.
For more information, find the MCDPA SB0384 here.
Tennessee’s Consumer Data Privacy Act – Effective Date, January 1, 2025
Tennessee’s Consumer Data Privacy Act represents a significant step forward in ensuring the protection of individuals’ personal information based in the state of Tennessee. The key components of Tennessee’s data privacy law include:
Terms: Consumer, Personal Information
- The term “consumer” is precisely defined as a natural person residing in Tennessee and interacting in a personal environment. It’s essential to note that this definition explicitly excludes both employees and business-to-business (B2B) connections, thereby indicating they do not fall within the scope of the term “consumer”.
- “Personal Information” is described as information that can be associated, or is reasonably connectable, to an identified or identifiable individual. However, this definition explicitly precludes deidentified data, aggregate data, and data that is publicly accessible.
Scope: The law applies to businesses that conduct business in Tennessee or collect personal information from its residents, meeting specific revenue or data processing thresholds. Emulating the approach used by Utah, the Tennessee Information Privacy Act (TIPA) establishes both a revenue and a processing volume threshold to determine its applicability. Specifically, the TIPA applies to businesses that operate within Tennessee or focus their products or services towards consumers in Tennessee, and also meet one of the following criteria:
- Generate more than $25 million in revenue; and
- Control or process the personal information of 175,000 or more Tennessee consumers; or
- Control or process the personal information of a minimum of 25,000 Tennessee consumers and draw more than half of their gross revenue from the sale of such data.
Consumer Rights: Tennessee residents are granted rights such as the right to access, correct, delete, and obtain a copy of their personal information.
Sale of Personal Information: Businesses must provide an opt-out mechanism for the sale of personal information, giving individuals greater control over their personal information.
Transparency Obligations: Covered businesses must disclose information regarding their data processing practices, including the categories of personal information collected and the purpose of processing.
For more information, find the TIPA SB0073 here.
Comparison and Implications
With the enactment of these data privacy laws, Indiana, Montana, and Tennessee have joined the ranks of states prioritizing the protection of personal data. While each state’s legislation shares common objectives, nuances exist that make it essential for businesses to carefully analyze and ensure compliance with specific requirements. Furthermore, these state-level laws serve as a catalyst for potential federal consumer data privacy legislation. As more states implement data privacy laws, there is growing momentum for a comprehensive federal framework to harmonize regulations and establish a consistent standard across the nation.
The implications of these data privacy laws extend beyond state borders. Businesses operating on a national scale or collecting personal data from residents across multiple states must navigate a complex landscape of varying regulations. Compliance with Indiana, Montana, and Tennessee’s laws requires a thorough understanding of the specific requirements imposed by each state, including data handling practices, consumer rights, and breach notification obligations.
To ensure compliance and build consumer trust, businesses should implement robust data privacy practices. This entails adopting comprehensive data protection policies, conducting regular assessments to identify and mitigate risks, implementing strong security measures, and providing transparent information to consumers regarding data collection and processing activities.
By prioritizing data privacy and proactively complying with these state-level laws, businesses can gain a competitive advantage in the digital marketplace. Respecting individuals’ privacy rights and demonstrating a commitment to responsible data handling practices not only helps to build trust with customers but also mitigates the risk of costly legal actions and reputational damage.
Conclusion
Indiana, Montana, and Tennessee have taken significant steps to address the growing concerns surrounding data privacy. These state-level laws underscore the importance of safeguarding personal data and provide individuals with greater control over their personal data. By understanding and complying with the specific provisions of these laws, businesses can not only meet their legal obligations but also enhance customer trust, mitigate risks, and position themselves as leaders in data privacy. It is crucial for organizations to stay abreast of evolving data privacy regulations and adapt their practices accordingly to navigate the ever-changing landscape of data protection in the digital age.
At BD Emerson, we recognize the crucial role that a comprehensive cybersecurity and privacy strategy plays in today’s business landscape. Our team of experts assist organizations with building out privacy programs that comply with applicable privacy laws and regulations. If your organization is seeking to improve its cybersecurity and privacy measures, BD Emerson can support the development of this critical function – for further information, please contact us at info@bdemerson.com or drew.danner@bdemerson.com.