In recent weeks, six states, Florida (effective July 1, 2024)[1], Texas (effective July 1, 2024)[2], Montana (effective October 1, 2024)[3], Iowa (effective January 1, 2025)[4], Tennessee (effective July 1, 2025)[5] and Indiana (effective January 1, 2026)[6], have passed consumer privacy laws, adding to the growing list of states with comprehensive privacy legislation alongside California, Virginia, Colorado, Connecticut and Utah.  In the ever-changing landscape of privacy compliance, it is more critical and complicated than ever for businesses to be able to determine which state privacy laws may apply to their business.

While this article will not provide a full overview of the requirements and distinctions between each new law, we note that the newly enacted Indiana, Iowa, Montana, Tennessee and Texas laws generally share commonalities with the previously enacted state privacy schemas.  In particular, they lay out certain standards for data processors and controllers (e.g., data minimization and purpose limitation standards), require notices to consumers about specific data-related practices and give consumers specific rights with respect to their data, among other provisions.  Conversely, the Florida law introduces a narrower scope and incorporates not only obligations on data controllers and processors related to the collection and processing of consumer personal data, but also measures specific to government-directed content moderation of social media and safeguards for the processing of children’s data.  Following this article, we have provided a chart summarizing the applicability standards and effective dates for each of the currently enacted U.S. state privacy laws.

Determining Applicability of the Newly Enacted State Privacy Laws

General Structure.  While each of the Florida, Iowa, Indiana, Montana, Tennessee and Texas laws contains nuances that determine applicability, as discussed below, the laws have a number of commonalities that limit their scope.  For example, each of the newly enacted laws focuses on protecting individual consumers who are residents of the relevant state and are acting in a personal or household context (therefore excluding employment and B2B (commercial) data, unlike the California Consumer Privacy Act).  Additionally, each of the laws also contains a number of exemptions, including for governmental entities, nonprofits and data covered by existing federal laws such as the Gramm-Leach-Bliley Act and the Health Information Portability and Protection Act.

Iowa, Indiana and Montana.  Adopting the approach outlined in the Virginia Consumer Data Protection Act, the Indiana and Iowa laws apply to any person that (i) conducts business in the relevant state or produces products or services targeted at residents of that state and (ii) during a calendar year either (a) controls or processes the personal data of 100,000 consumers or (b) controls or processes the personal data of at least 25,000 consumers and derives at least fifty percent of gross revenue from the “sale”[7] of personal data.

The Montana law follows a similar standard, but with lower threshold amounts, applying to entities that (i) conduct business in the state or produce products or services targeted at residents of the state and (ii) either (a) control or process the personal data of at least 50,000 Montana consumers[8] or (b) control or process the personal data of at least 25,000 Montana consumers and derive more than twenty-five percent of gross revenue from the “sale”[9] of personal data.[10]  None of the Iowa, Indiana or Montana laws contains a minimum revenue threshold to trigger applicability, meaning the key determination boils down to how much personal data a business is controlling or processing for residents of that state and whether revenue is derived from personal data “sales”.

Tennessee.  Taking its cue from the Utah Consumer Privacy Act, the Tennessee law sets out one of the most limited and business-friendly applicability tests of any state privacy law passed to date.  Specifically, in order to trigger applicability of the Tennessee law, a business must (i) conduct business in the state producing products or services that target residents of the state, (ii) either (a) during a calendar year, control or process the personal data of at least 175,000 consumers or (b) control or process the personal data of 25,000 consumers and derive more than fifty percent of gross revenue from the “sale”[11] of data and (iii) exceed $25 million in revenue.

Of note, the Tennessee law introduces a unique safe harbor that provides controllers and processors an affirmative defense to enforcement for alleged violations of the Tennessee law.  Specifically, a controller or processor is entitled to the affirmative defense if it (i) creates, maintains and complies with a written privacy policy that (a) reasonably conforms to the National Institute of Standards and Technology (“NIST”) privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management, Version 1.0” or other documented policies, standards and procedures designed to safeguard consumer privacy and (b) is updated to reasonably conform with any subsequent revision of the NIST or comparable privacy framework within two (2) years of the publication date stated in the most recent revision of the NIST or comparable privacy framework and (ii) provides persons with the substantive privacy rights required under the Tennessee law.

Texas.  Most recently, Texas enacted its own comprehensive privacy law, the Texas Data Privacy and Security Act.  Unlike other laws passed to date, the Texas law focuses applicability on the size of the potentially subject business rather than the amount of personal data it collects or processes.  Specifically, the Texas law exempts small businesses as defined by the United States Small Business Administration (though small businesses incur some obligations to seek consumer consent before selling sensitive data), but otherwise applies to all entities that (i) conduct business in Texas or produce a product or service consumed by Texas residents and (ii) process or “sell”[12] personal data, regardless of the number of sales or amount of processing.  The Texas law could thus apply to businesses that handle even de minimis amounts of consumer information so long as they do not qualify as a small business.

Florida.  On June 6, Florida passed its own data privacy legislation into law, which introduces a more targeted framework that includes provisions on government moderation of social media and the protection of children’s online privacy, along with the “Florida Digital Bill of Rights”.  At first glance, the Florida Digital Bill of Rights appears to apply broadly—namely to any person who conducts business in Florida or produces a product or service used by Florida residents and processes or “sells”[13] personal data.  However, like other state privacy laws, most of the obligations set forth in the Florida Digital Bill of Rights apply to entities referred to as data “controllers,” i.e., the entity that determines the purposes and means of processing personal data (and any entity that controls or is controlled by such data controller).  In stark contrast to other privacy schemas, the Florida Digital Bill of Rights sets forth an extremely narrow definition of controller that limits its scope to essentially only the largest technology and online advertising businesses.  Specifically, a controller is defined to cover for-profit entities that (i) conduct business in Florida, (ii) collect personal data about consumers (which excludes individuals acting in a commercial or employment context) or are the entity on behalf of whom such data is collected, (iii) make in excess of $1 billion in global gross annual revenues and (iv) either (a) derive fifty percent or more of global gross annual revenues from the sale of advertisements online, (b) operate a consumer smart speaker and voice command component service with an integrated virtual assistant or (c) operate an app store or digital distribution platform that offers at least 250,000 different software applications.

Given the small number of businesses that will likely fall within the definition of controller, it may seem that the Florida Digital Bill of Rights will not have as wide an impact.  However, certain provisions, such as the requirement to receive consumer consent prior to the “sale” of sensitive data, will apply to all for-profit entities that collect personal data about consumers and do business in Florida, and not just to data controllers.  Similarly, the law contains requirements on data processors, such as obligations to assist controllers with consumer rights requests and to enter into data processing agreements with controllers containing certain obligations and restrictions, which will implicate another set of businesses beyond just the data controllers.  Thus, while the majority of the obligations in the Florida Digital Bill of Rights will fall on those few businesses that reach the level of controller, it will be important to consider which other sections of the Florida Digital Bill of Rights apply to businesses more broadly.

As mentioned, in addition to the Florida Digital Bill of Rights, the Florida law includes two other frameworks: one regarding government-directed content moderation of social media platforms and one related to providing online services accessed by children.  The government-directed content moderation of social media platforms framework applies only to governmental entities (though it includes public or private entities acting on behalf of governmental entities) and prohibits governmental entities from communicating with social media platforms to request the removal of content or accounts or from maintaining agreements with social media platforms to moderate content.  The framework that governs online services provided to children (which includes restrictions on processing personal data of children, profiling children and collecting, “selling”, sharing or retaining personal data of children that is not strictly necessary to provide the service) is widely applicable to online platforms (e.g., social media or gaming platforms) that provide an online service, product, game or feature likely to be predominantly accessed by children, and unlike the Florida Digital Bill of Rights, it is not limited by a global revenue threshold or the amount of revenue derived from online ads.

Key Takeaways

With eleven comprehensive privacy acts now signed into law, the landscape for businesses will grow even more complicated in the coming years as more and more state privacy acts take effect.  While there are certain similarities across acts, each has a unique character that will require careful consideration by impacted businesses.  Each law has specific nuances with regard to applicability standards; for example, (i) the California law applies to employee and B2B data and can apply to even de minimis data processing if revenue thresholds are met, (ii) most provisions of the Florida law apply only to data controllers with high processing thresholds, (iii) the Montana law does not tie personal data processing calculations to a 12-month period, which introduces ambiguity and may narrow the law’s applicability if interpreted to mean that, even if a business over the course of a year cumulatively processes personal data of 50,000 consumers, the law does not apply where the business does not retain some of that data, such that at no time throughout that year does it store or process personal data of 50,000 Montana residents, (iv) the Texas law applies to businesses that provide a product or service “consumed” by residents of Texas, which may sweep in businesses that do not conduct any business in Texas but whose products or services are still consumed by Texas residents, whereas, like other state privacy laws, the Indiana, Iowa and Montana laws require that a business conduct business in the state or produce products or services “targeted” to residents of the state, which arguably requires the business to take affirmative steps to intentionally direct or market its products to a state’s residents, and (v) the Utah and Tennessee laws contain revenue thresholds in addition to sale and processing thresholds.  These and other nuances in each state law exemplify why careful consideration is necessary to determine whether each law applies to a business.

As even more states join the fray, it becomes a critical part of a business’s privacy practices to be able to determine and distinguish which state privacy acts may impact its operations, and to ensure it reaches compliance.  A few initial questions businesses should consider and a chart that lays out the applicability standards of the currently enacted privacy laws follow.

ENACTED U.S. PRIVACY LAWS – APPLICABILITY CHART (as of June 2023)

* In California, Connecticut, Colorado, Montana, Texas and Florida, a sale is defined as the exchange of personal data for monetary or other valuable consideration by the controller (or “business”) to a third party; whereas in Virginia, Utah, Iowa, Indiana and Tennessee, sales are limited to exchanges for monetary consideration only.
** The Florida law’s provisions covering government moderation of social media take effect on July 1, 2023.

[1] The full text of the Florida Digital Bill of Rights is available here.

[2] The full text of the Texas Data Privacy and Security Act is available here.

[3] The full text of the Montana Consumer Data Privacy Act is available here.

[4] The full text of the Iowa Consumer Privacy Act is available here.

[5] The full text of the Tennessee Information Protection Act is available here.

[6] The full text of the Indiana Consumer Data Protection Act is available here.

[7] Like the laws passed in Virginia and Utah, under both the Iowa and Indiana Acts, “sale” is defined narrowly as the exchange of personal data for monetary consideration by a controller to a third party.

[8] Like the Connecticut Data Privacy Act, this processing calculation excludes personal data controlled or processed solely for completing a payment transaction.

[9] Like the laws in California, Connecticut and Colorado, the Montana law defines “sale” as the exchange of personal data for monetary or other valuable consideration by a controller to a third party.

[10] Notably, the Montana law does not tie processing calculations to a 12-month period.

[11] Similar to Virginia, Utah, Iowa and Indiana, “sale” is defined as the exchange of personal data for monetary consideration by a controller to a third party.

[12] “Sale of personal data” means the sharing, disclosing or transferring of personal data for monetary or other valuable consideration by the controller to a third party.

[13] “Sale” is defined broadly as the exchange of personal data for monetary or other valuable consideration by a controller to a third party.