Amid growing concerns with data security and consumer privacy, 2023 saw the addition of consumer privacy and data security legislation in multiple states. Below is a summary of the state laws aimed at protecting consumer’s private data that were enacted this past year:
- May 1, 2023 (effective January 1, 2026) – The Indiana Consumer Data Privacy Act provides limitations on the type of data that can be collected and requires entities to disclose how private data will be used. The Act does not apply to entities and data regulated by the Gramm-Leach-Bliley Act (“GLBA”).
- May 11, 2023 (effective July 1, 2025) – The Tennessee Information Protection Act limits the use of consumer data and requires entities to disclose how such information will be used. The Act only applies to entities with over $25 million in annual revenue and provides an exemption for financial institutions subject to the GLBA.
- May 19, 2023 (effective October 1, 2024) – The Montana Consumer Data Privacy Act limits the collection of personal data to information that is necessary and requires disclosure of how that information may be shared with third parties. The Act applies to an entity that controls or processes personal data of at least 50,000 Montana residents and provides an exemption for financial institutions subject to the GLBA.
- June 18, 2023 (the majority of the Act is effective July 1, 2024) – The Texas Data Privacy and Security Act requires a consumer to opt in to permit entities to process sensitive data. The Act has a broader scope than many states and applies to nearly every entity that does business in Texas. It also expands the type of data protected by including “pseudonymous data” when the data is applied with other information that reasonably links the data to an identified or identifiable individual. There is an exemption for financial institutions subject to the GLBA.
- July 8, 2023 (effective July 1, 2024) - The Oregon Consumer Privacy Act limits the use of consumer personal data and requires a privacy note be provided indicating how and when the consumer’s information will be shared. The Act applies to entities that control or process personal data of at least 100,000 Oregon residents and does not apply to financial institutions subject to the GLBA.
- September 11, 2023 (effective January 1, 2025) – The Delaware Data Privacy Act limits the use of consumer data and requires entities to disclose how such data will be shared. The Act applies to entities that controlled or processed the personal data of at least 35,000 Delaware residents and provides an exemption for financial institutions subject to the GLBA.
States with privacy protection laws in place prior to 2023 include California, Virginia, Colorado, Connecticut, Utah, and Iowa.