In the first half of 2023, state legislatures continued the trend of enacting comprehensive privacy laws, with Iowa, Indiana, Tennessee, Montana, Texas, and Oregon joining the list of states with comprehensive privacy laws. These states followed California, Colorado, Connecticut, Utah, and Virginia, which enacted comprehensive privacy laws in prior years.
This is a general overview of the common concepts in each law.
Like the existing state privacy laws, the 2023 laws in Indiana, Iowa, Montana, Oregon, Tennessee, and Texas apply to controllers and processors of personal data, provided the entity in question meets the applicability thresholds described below.
The Iowa, Indiana, and Tennessee laws share the same two-part structure for scope. Using the Iowa law as an example, the law applies to a person conducting business in the state or producing products or services targeted to consumers who are residents of the state and that, during a calendar year, either (a) controls or processes personal data of at least 100,000 consumers, or (b) controls or processes personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.
Indiana's thresholds are identical to Iowa's. Tennessee follows the same structure but sets higher bars: the person must exceed $25 million in annual revenue and either control or process personal information of at least 175,000 consumers, or control or process personal information of at least 25,000 consumers while deriving more than 50% of gross revenue from the sale of personal information.
The Montana law uses the same two-part structure with lower thresholds, which makes its scope somewhat broader: it applies to a person that controls or processes personal data of at least 50,000 consumers (excluding data processed solely to complete a payment transaction), or at least 25,000 consumers while deriving more than 25% of gross revenue from the sale of personal data.
The Texas law has a unique applicability section with no numeric thresholds. The law applies to a person that: (1) conducts business in Texas or produces a product or service consumed by residents of the state; (2) processes or engages in the sale of personal data; and (3) is not a small business as defined by the United States Small Business Administration, except that the prohibition on selling sensitive personal data without prior consent applies to small businesses as well.
As in most other state privacy laws, the entity subject to each of these laws is called a controller or processor of personal data. A controller is a person who, alone or jointly with others, determines the purpose and means of processing personal data.
A processor generally refers to a person who processes personal data on behalf of a controller. Processing includes any operation or set of operations performed, whether by manual or automated means, on personal data or sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
Each of these laws also defines personal data in a similar way, essentially as information that is linked or reasonably linkable to an identified or identifiable individual or consumer, excluding certain categories such as de-identified data, publicly available information, and, in some states, aggregate data.
Exemptions
The 2023 state privacy laws all include a comprehensive list of persons and data types that are not subject to the respective law. Most of these state laws provide some form of an exemption for financial institutions governed by or data subject to the Gramm-Leach-Bliley Act (GLBA).
The Iowa, Indiana, and Tennessee laws exempt financial institutions and affiliates under the GLBA or data subject to the GLBA. Similarly, the Texas DPSA exempts a financial institution or data subject to the GLBA but does not expressly exempt affiliates of financial institutions.
While the Montana law exempts financial institutions and affiliates governed by the GLBA, the data-level exemption only relates to personal data collected, processed, sold, or disclosed in accordance with the GLBA.
Oregon provides a narrower exemption for financial institutions. For financial data, the Oregon law does not apply to information collected, processed, sold, or disclosed under and in accordance with the GLBA. The entity-level exemption is more limited because it only covers a financial institution as defined in state law, or a financial institution's affiliate or subsidiary that is only and directly engaged in financial activities.
Under the Oregon CPA, essentially only depository institutions insured by the FDIC and state or federal credit unions would be exempt from the law as a financial institution. This is a much narrower grouping of entities than entities under the GLBA exemption in most states.
Among the other exemptions listed in these statutes, notable ones include governmental entities; nonprofit corporations and institutions of higher education; protected health information under the Health Insurance Portability and Accountability Act; certain types of data regulated under the Fair Credit Reporting Act; and data processed or maintained in the employment context, for example to maintain emergency contact information or to administer benefits.
Consumer Personal Data Rights
The laws in Indiana, Montana, Oregon, Tennessee, and Texas establish the following rights for consumers:
confirm whether a controller is processing the consumer's personal data and access that data;
correct inaccuracies in the consumer's personal data that the consumer provided to the controller;
delete the consumer's personal data;
obtain a copy of the consumer's personal data;
opt out of the processing of the consumer's personal data for specific purposes, including targeted advertising or the sale of personal data.
The Iowa law does not include the right to correct inaccuracies.
These rights generally follow the rights established in previously enacted state privacy laws.
Exercising Consumer Rights and Responding to Requests
A consumer may exercise a right by submitting a request to a controller specifying the rights the consumer intends to exercise.
The process for responding to a consumer request is very similar across these states. As a general rule, the controller must act on and respond to a consumer's request without undue delay, and in any case no later than forty-five days after receiving it.
Iowa instead gives the controller an initial ninety-day window to respond.
In each state the controller may extend the initial period once by an additional forty-five days if reasonably necessary because of the number or complexity of the requests.
If the controller extends the initial period, it must inform the consumer of the length of the extension and the reasons for it before the initial period expires.
If a controller declines to take action on a request, it must inform the consumer of the reasons for not acting without undue delay, generally within forty-five days of receipt (ninety in Iowa), together with instructions for appealing the decision.
The appeal runs through an internal appeal process the controller is required to establish.
If the appeal is denied, the controller must also provide the consumer with an online mechanism, if available, or another method through which the consumer may contact the state attorney general to submit a complaint.
Controller Duties
Each of the new laws imposes a similar set of duties on controllers. Among other duties specified under each law, typical duties include:
limiting collection of personal data to what is adequate, relevant, and reasonably necessary for the processing purposes disclosed to the consumer;
implementing reasonable security practices and safeguards to protect the confidentiality, integrity, and accessibility of personal data;
not processing personal data in violation of state or federal laws prohibiting discrimination unless a statutory exception applies;
not processing sensitive data about a consumer without the consumer's consent, with additional requirements for processing sensitive data about a known child.
Controllers also must provide consumers with a reasonably accessible, transparent, and meaningful privacy notice that includes certain required content.
Enforcement
Under all of the new 2023 privacy laws, the state attorney general has exclusive authority to enforce the law; none of them creates a private right of action.
Each law requires the attorney general, before bringing an action, to give the controller or processor written notice identifying each alleged violation and to allow a specified cure period during which the violation can be corrected.
In Iowa, Indiana, Texas, and Oregon, the attorney general may recover a civil penalty of up to $7,500 per violation. Tennessee allows for a penalty of up to $15,000 per violation. Montana does not provide a specific monetary penalty amount.