In the absence of meaningful progress from the U.S. Congress on passing a federal comprehensive privacy law, state legislatures have been busy this year passing their own solutions and adding to the complexity of U.S. privacy compliance. On May 1, 2023, Indiana Governor Eric Holcomb signed the Indiana Consumer Data Protection Act into law (SB 5) (InCDPA),[1] making Indiana the seventh state to enact a comprehensive consumer privacy law, following California, Virginia, Colorado, Utah, Connecticut, and most recently, Iowa.[2] On May 11, 2023, Tennessee Governor Bill Lee signed the Tennessee Information Privacy Act (HB 1181) (TIPA), making Tennessee the eighth state to enact such a law. Similar laws have passed the state legislatures in Montana and Florida and are awaiting action by those states’ respective governors. All four of the most recent laws are substantially similar to the prior state comprehensive consumer privacy laws, but they include a few particularities that companies should be aware of, including Tennessee’s written privacy program requirement and Florida’s focus on certain large technology companies.
Indiana
The InCDPA’s requirements are similar to those of the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (ColoPA), and Connecticut’s Act Concerning Personal Privacy and Online Monitoring (CPOMA), and most closely resemble those of the VCDPA. Companies that are engaged in compliance efforts for those state laws will likely need to conduct minimal updates to comply with the InCDPA.
Notably, the InCDPA’s right to access allows for companies to provide either a copy of or a “representative summary of” the consumer’s personal data that the consumer previously provided to the controller. The InCDPA’s right to correct is also narrower than the equivalent in other states, applying to data that the consumer previously provided to the controller, rather than all of the consumer’s personal data that the controller has in its possession. The InCDPA will not come into effect until January 1, 2026, giving companies more than two years to come into compliance.
Montana
On April 21, 2023, the Montana legislature unanimously passed the Montana Consumer Data Privacy Act (SB 384) (MCDPA), and then transmitted it to the state’s governor on May 11, 2023. Like the InCDPA, the MCDPA’s requirements are substantially similar to those of the VCDPA, ColoPA, and CPOMA, but the MCDPA most closely resembles CPOMA. If signed by Montana’s governor, the MCDPA will come into effect on October 1, 2024. The MCDPA includes a few notable characteristics:
Tennessee
Like those of the InCDPA and MCDPA, TIPA’s requirements are substantially similar to those of the VCDPA, ColoPA, and CPOMA. TIPA will come into effect on July 1, 2024.
Most notably, unlike any other state’s comprehensive consumer privacy law, TIPA appears to require controllers and processors to create, maintain, and comply with a “written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework” and any subsequent revisions. The scale and scope of this program can vary depending on factors such as the size and complexity of the business, the nature and the scope of the controller or processor’s activities, the sensitivity of the personal information processed, the cost and availability of tools to improve privacy protections and data governance, and compliance with a comparable state or federal law. In addition to conforming to the NIST privacy framework, the privacy program must also provide individuals with the substantive rights required by TIPA and disclose the commercial purposes for which the entity processes personal information. Failure to maintain such a privacy program will constitute an unfair and deceptive practice under Tennessee law, except that consumers are not entitled to a private right of action to enforce such violations. Companies that implement a written privacy program that meets these requirements, however, will have an affirmative defense to a cause of action for a violation of TIPA.
Florida
On May 4, 2023, the Florida legislature passed “An Act Relating to Technology Transparency” (SB 262)[3] (FDBR).[4] If signed by Florida's governor, the FDBR will come into effect on July 1, 2024. The FDBR is similar to the VCDPA, ColoPA, and CPOMA, but includes a few unique requirements and notable characteristics:
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and will monitor state attorney general guidance, enforcement, and litigation in order to assist clients with compliance with the InCDPA, MCDPA, TIPA, FDBR, and other potential new state comprehensive consumer privacy laws. For more information, please contact Eddie Holman, Maneesha Mithal, Tracy Shapiro, Roger Li, or another member of the firm's privacy and cybersecurity practice.
[1] Wilson Sonsini derived the InCDPA acronym from the Act’s title: Indiana Consumer Data Protection Act.
[2] Wilson Sonsini’s prior client alerts summarizing these laws can be found at: California, Virginia, Colorado, Connecticut, Utah, and Iowa.
[3] Please note that SB 262 has multiple parts (including provisions on children’s online safety and content moderation), but this alert covers only the Digital Bill of Rights.
[4] Wilson Sonsini derived the FDBR acronym from the Act’s title: Florida Digital Bill of Rights.
[5] The FDBR defines sensitive data to include the following categories of data: personal data revealing an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying a natural person; personal data collected from a known child; and precise geolocation data.