Indiana, Tennessee, and Montana join the growing list of states regulating consumer privacy. With Indiana’s bill signed into law and the governors in Tennessee and Montana governors likely to sign their state’s respective bills, the current patchwork quilt of state consumer data privacy laws continues to expand.  

Indiana’s bill, passed on April 13, 2023, takes a business-friendly approach similar to Virginia, Utah, and Iowa. The bill will apply to businesses that process the personal data of 100,000 consumers or derive 50 percent of revenue from selling data of more than 25,000 consumers. Like other business-friendly states, Indiana bill gives sole enforcement power to the State’s Attorney General and i) has a permanent cure period, ii) provides limited consumer rights, and iii) only applies to data sold for monetary value. While the new law won’t become effective until January 2026, businesses should watch for potential changes to the law in the two legislative sessions leading up to the effective date.

In contrast, consumer advocates hail Montana’s bill, passed on April 21, 2023, as a great success. The bill aligns with Connecticut and includes i) a requirement to recognize universal opt-out mechanisms, ii) an April 2026 sunset on the right to cure, iii) lower application thresholds, and iv) heightened protections for children under 15 years old. Like other state privacy laws, the Montana Attorney General has sole enforcement authority and consumers have the standard menu of privacy rights. If enacted, the bill will be effective on October 1, 2024.

Tennessee also passed a progressive privacy bill on April 21. While the bill includes familiar provisions like a sunsetting right to cure and consumer rights response timeline, Tennessee also included a unique security requirement. This first-of-its-kind provision requires covered businesses to “create[], maintain[], and compl[y] with a written privacy program” that meets NIST’s or other similar privacy standards. Compliance with this provision also provides businesses with an affirmative defense when subject to an enforcement action. While this is a labor-intensive requirement for most businesses, Tennessee’s bill also has the narrowest application threshold: business that make more than $25 million in revenue while processing data on 25,000 consumer AND a gross revenue from the sale of data of more than 175,000 consumers. If signed into law, Tennessee’s bill will go into effect in July 2025.

Businesses already complying with the more privacy-protective state laws can comply with Indiana, Montana and Tennessee by tweaking their existing compliance practices. However, businesses that only comply with laws on the more business-friendly side of the spectrum should start building out their compliance programs now. Please reach out to one of the lawyers on our Privacy and Cybersecurity team for assistance, if needed.