State Privacy Laws

Why Should You Be Afraid of Privacy Obligations? Because Now There Will Be 7, 8, 9… States with Comprehensive Data Privacy Laws!

By Fey LLC

The patchwork of state comprehensive data privacy laws continues to grow. April 2023 saw three more states join the list, and with 15 additional bills pending nationally, organizations face an ever-expanding compliance challenge.

Indiana: The Seventh State

Indiana became the seventh state to pass a comprehensive data privacy law when Governor Eric Holcomb signed the Indiana Consumer Data Protection Act (CDPA) on May 1, 2023. The law takes effect January 1, 2026.

Applicability:

  • Controls or processes the personal data of at least 100,000 Indiana consumers per year; or
  • Controls or processes the personal data of at least 25,000 Indiana consumers and derives more than 50% of gross revenue from the sale of personal data

Consumer Rights: Access, correction, deletion, portability, and opt-out of targeted advertising, sale, and profiling

Enforcement: Indiana AG with a 30-day cure period; civil penalties up to $7,500 per violation

Montana: State Eight

The Montana Consumer Data Privacy Act was signed by Governor Greg Gianforte on April 21, 2023, taking effect October 1, 2024.

Applicability:

  • Controls or processes the personal data of at least 50,000 Montana consumers (excluding payment processing data); or
  • Controls or processes the personal data of at least 25,000 Montana consumers and derives more than 25% of gross revenue from the sale of personal data

Tennessee: State Nine

Tennessee’s Information Protection Act was passed on April 21, 2023 and takes effect July 1, 2024.

Applicability:

  • Controls or processes the personal data of at least 100,000 Tennessee consumers; or
  • Controls or processes the personal data of at least 25,000 Tennessee consumers and derives more than 50% of gross revenue from the sale of personal data

What This Means for Your Organization

Organizations that have already built compliance programs for California, Virginia, Colorado, Connecticut, and Utah are in a strong position to extend those programs to cover Indiana, Montana, and Tennessee. Key areas to evaluate:

  1. Applicability thresholds: Analyze whether the new laws apply to your organization based on consumer counts and revenue
  2. Consumer rights procedures: Verify that your data subject request (DSR) processes cover the rights created by each new law
  3. Sensitive data handling: Each new law has slightly different definitions of sensitive data requiring heightened protection
  4. Vendor agreements: Update data processing agreements to cover new state law requirements
  5. Training: Update employee privacy training to reflect new state obligations

For a comprehensive multi-state compliance framework, see our earlier post, Winter Is Coming: 10 Steps Organizations Should Be Taking Now.
