In the absence of meaningful progress from the U.S. Congress on passing a federal comprehensive privacy law, state legislatures have been busy this year passing their own solutions and adding to the complexity of U.S. privacy compliance. On May 1, 2023, Indiana Governor Eric Holcomb signed the Indiana Consumer Data Protection Act into law (SB 5) (InCDPA),[1] making Indiana the seventh state to enact a comprehensive consumer privacy law, following California, Virginia, Colorado, Utah, Connecticut, and most recently, Iowa.[2] On May 11, 2023, Tennessee Governor Bill Lee signed the Tennessee Information Privacy Act (HB 1181) (TIPA), making Tennessee the eighth state to enact such a law. Similar laws have passed the state legislatures in Montana and Florida and are awaiting action by those states’ respective governors. All four of the most recent laws are substantially similar to the prior state comprehensive consumer privacy laws, but they include a few particularities that companies should be aware of, including Tennessee’s written privacy program requirement and Florida’s focus on certain large technology companies.
The InCDPA’s requirements are similar to that of the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (ColoPA), and Connecticut’s Act Concerning Personal Privacy and Online Monitoring (CPOMA), and most closely resembles the VCDPA. Companies that are engaged in compliance efforts for those state laws will likely need to conduct minimal updates to comply with the InCDPA.
Notably, the InCDPA’s right to access allows for companies to provide either a copy of or a “representative summary of” the consumer’s personal data that the consumer previously provided to the controller. The InCDPA’s right to correct is also narrower than the equivalent in other states, applying to data that the consumer previously provided to the controller, rather than all of the consumer’s personal data that the controller has in its possession. The InCDPA will not come into effect until January 1, 2026, giving companies more than two years to come into compliance.
On April 21, 2023, the Montana legislature unanimously passed the Montana Consumer Data Privacy Act (SB 384) (MCDPA), and then transmitted it to the state’s governor on May 11, 2023. Like the InCDPA, the MCDPA’s requirements are substantially similar to that of VCDPA, ColoPA, and CPOMA, but the MCDPA most closely resembles CPOMA. If signed by Montana’s governor, the MCDPA will come into effect on October 1, 2024. The MCDPA includes a few notable characteristics:
- It has a lower applicability threshold than other states. The MCDPA applies to persons (referred to as “controllers”) that conduct business in Montana or produce products or services targeted to Montana residents (referred to as “consumers”) and that: 1) control or process the personal data of at least 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or 2) control or process the personal data of more than 25,000 consumers and derive more than 25 percent of gross revenue from the sale of personal data.
- Like ColoPA and the California Consumer Privacy Act (CCPA), the MCDPA does not recognize the validity of consent obtained through dark patterns.
- Similar to the CCPA, the MCDPA requires controllers to honor opt-outs of targeted advertising and sale of personal data through opt-out preference signals. Companies have until January 1, 2025, to fulfill this requirement.
- The MCDPA includes a 60-day right to cure, but this right sunsets on April 1, 2026.
Like the InCDPA and MCDPA, TIPA’s requirements are substantially similar to the VCDPA, ColoPA, and CPOMA. The TIPA will come into effect on July 1, 2024.
Most notably, unlike any other state’s comprehensive consumer privacy law, TIPA appears to require controllers and processors to create, maintain, and comply with a “written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework” and any subsequent revisions. The scale and scope of this program can vary depending on factors such as the size and complexity of the business, the nature and the scope of the controller or processor’s activities, the sensitivity of the personal information processed, the cost and availability of tools to improve privacy protections and data governance, and compliance with a comparable state or federal law. In addition to conforming to the NIST privacy framework, the privacy program must also provide individuals with the substantive rights required by TIPA and disclose the commercial purposes for which the entity processes personal information. Failure to maintain such a privacy program will constitute an unfair and deceptive practice under Tennessee law, except that consumers are not entitled to a private right of action to enforce such violations. Companies that implement a written privacy program that meets these requirements, however, will have an affirmative defense to a cause of action for a violation of TIPA.
On May 4, 2023, the Florida legislature passed “An Act Relating to Technology Transparency” (SB 262)[3] (FDBR).[4] If signed by Florida’s governor, the FDBR will come into effect on July 1, 2024. The FDBR is similar to the VCDPA, ColoPA, and CPOMA, but includes a few unique requirements and notable characteristics:
- The FDBR has the highest and most unique applicability threshold out of any state comprehensive consumer privacy law. Many of the FDBR’s provisions apply only to “controllers,” which the statute defines as a “[a] sole proprietorship, partnership, limited liability company, corporation, association, or legal entity” that, among other requirements, “[m]akes in excess of $1 billion in global gross annual revenues; and [s]atisfies at least one of the following: a. Derives 50 percent or more of its global gross annual revenues from the sale of advertisements online, including providing targeted advertising or the sale of ads online; b. Operates a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation …; or c. Operates an app store or a digital distribution platform that offers at least 250,000 different software applications for consumers to download and install.” This definition also includes any companies that control or are controlled by controllers. Because this definition has such a high applicability threshold and technology sector-specific requirements, many of the FDBR’s provisions will likely only apply to the largest (and very specific) technology companies.
- Like ColoPA, the CCPA, and the MCDPA, the FDBR does not recognize the validity of consent obtained through dark patterns.
- The FDBR includes a right to “opt out of the collection of personal data collected through the operation of a voice recognition or facial recognition feature.”
- The FDBR prohibits controllers and processors from using devices with certain recording features for “surveillance” purposes when such features are not in active use by the consumer or otherwise authorized by the consumer. The act does not, however, define “surveillance” or make clear which consumer (i.e., the device owner, user, or subject) must be using the feature or provide said authorization.
- The FDBR includes a unique duty of controllers that operate search engines to “make available, in an easily accessible location on the webpage which does not require a consumer to log in or register to read, an up-to-date plain language description of the main parameters that are individually or collectively the most significant in determining ranking and the relative importance of those main parameters, including the prioritization or deprioritization of political partisanship or political ideology in search results.”
- If controllers sell biometric data, the FDBR requires the following language in the controller’s privacy notice: “NOTICE: This website may sell your biometric personal data.” Similarly, if a controller sells sensitive data,[5] it must include the following language in its privacy notice: “NOTICE: This website may sell your sensitive personal data.”
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and will monitor state attorney general guidance, enforcement, and litigation in order to assist clients with compliance with the InCDPA, MCDPA, TIPA, FDBR, and other potential new state comprehensive consumer privacy laws. For more information, please contact Eddie Holman, Maneesha Mithal, Tracy Shapiro, Roger Li, or another member of the firm’s privacy and cybersecurity practice.
[5] The FDBR defines sensitive data to include the following categories of data: personal data revealing an individual’s racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying a natural person; personal data collected from a known child; and precise geolocation data.