Three More States Adopt Consumer Privacy Laws
The Tennessee Information Protection Act (“TIPA”) was signed into law by Gov. Bill Lee on May 11, 2023, with an effective date of July 1, 2025. The threshold for coverage by TIPA is narrower than that of other state consumer privacy laws, applying to companies that make more than $25 million in revenue and control or process the personal information of at least (a) 175,000 consumers, or (b) 25,000 consumers, and derive more than 50% of their gross revenue from personal information sales.
TIPA introduces the concept of an affirmative defense against enforcement for organizations that implement and adhere to written privacy programs that comply with the National Institute of Standards and Technology (“NIST”) privacy framework or comparable privacy standards, and any future revisions to such frameworks. In determining the appropriateness of an organization’s privacy program for the purposes of the affirmative defense, TIPA considers the program’s size and complexity, the nature and scope of its activities, the sensitivity of the information processed, the cost and availability of tools to improve privacy protections and data governance, and compliance with comparable state or federal laws.
On May 19, 2023, Gov. Greg Gianforte signed the Montana Consumer Data Privacy Act (MCDPA) into law, which will take effect on October 1, 2024. Given Montana’s smaller population, the threshold for coverage under the MCDPA is lower than what we have seen in other state consumer privacy laws, applying to entities that control or process the personal data of at least (a) 50,000 consumers (which is less than 5% of the state’s population), or (b) 25,000 consumers, and derive more than 25% of their gross revenue from personal data sales. The MCDPA most resembles Connecticut’s law, which trends on the more consumer-friendly side of the spectrum, and has few distinguishing features that set it apart from the other state privacy laws. Controllers must recognize opt-out preference signals and conduct data protection assessments starting January 1, 2025, and the law’s 60-day notice and cure period sunsets on April 1, 2026.
On May 28, 2023, the Texas Legislature passed the Texas Data Privacy and Security Act (“TDPSA”), which was ratified on June 9, 2023, and will become effective on July 1, 2024.
The TDPSA has a broad scope of coverage compared to the other state consumer privacy laws. For example, instead of the typical monetary or total consumer processing thresholds, the TDPSA applies to organizations that meet the following criteria:
- Conduct business in Texas or generate products or services consumed by (as opposed to targeted to) Texas residents;
- Process or engage in the sale of personal data; and
- Do not qualify as a “small business,” defined by the U.S. Small Business Administration as “an independent business having fewer than 500 employees.”
The combination of these criteria may extend the law’s purview to companies that would otherwise fall outside the scope of other state laws.
Additionally, the TDPSA requires that companies expressly disclose that they “may sell” consumers’ sensitive and/or biometric personal data, respectively. The TDPSA specifies that such disclosures “must be posted in the same location and in the same manner” as the privacy notice, although it is unclear whether “in the same location and in the same manner” means that the disclosures must be located within the privacy notice itself or shown independently.