Indiana

State legislatures across the country were busy in 2023 and so far this year passing comprehensive consumer privacy laws and creating a vexing patchwork of compliance obligations.

Legislatures in Iowa, Indiana, Tennessee, Montana, Florida, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Maryland, Nebraska and Minnesota all enacted consumer privacy laws of their own with an additional consumer privacy law in Vermont awaiting action by the Governor. The fifteen laws passed in 2023 and 2024 join laws in California, Virginia, Colorado, Utah, and Connecticut which already are in effect. A chart at the end of this blog post notes each law’s effective date, three of which are effective at the end of this month.

While inspired by the EU General Data Protection Regulation and the California Consumer Privacy Act (“CCPA”), the new state consumer privacy laws take materially different approaches in many ways. States also have passed more targeted privacy laws pertaining specifically to consumer health data (beyond treating it as a category of sensitive personal data), the protection of children (beyond limiting the use of personal data), AI-specific laws (not part of a comprehensive consumer data regime) and laws regulating data brokers (typically controllers that sell personal data they do not directly collect from consumers). Congress continues to consider a federal law that would mostly preempt the state consumer privacy laws, as well as other laws specific to children’s online safety with partial preemption. In the meantime, data controllers (and to a lesser degree processors) face the challenge of determining which state consumer privacy laws apply and whether to apply applicable laws based on consumer residency or to apply a national highest standard to all consumers.

The SPB privacy team has developed a comprehensive guide on state consumer privacy laws, including comparison charts on key issues to help determine which laws apply and tips for enhancing information governance. Most of the new state consumer privacy laws require controllers to conduct and retain documentation of data privacy impact or risk assessments. Minnesota’s new consumer privacy law also requires a documented privacy compliance program reasonably designed to ensure compliance and data inventories. The most recent draft of the federal privacy law mandates privacy-by-design.

Following are some highlights of the emerging ‘high water mark’ (strictest requirement) for key aspects of consumer privacy in the United States:Continue Reading State Privacy Law Patchwork Presents Challenges

On May 19th, the Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (“Montana CDPA”). The Montana CDPA was chaptered into Montana law on May 22nd. Montana is the fifth state to pass a comprehensive privacy law this year, following Iowa, Indiana, Tennessee and Florida, and the tenth state overall, following

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Data Protection Impact Assessments: Are You Ready? | Privacy World

Introducing Our AI Webinar Series | Privacy World

Scott Warren

This year has widened the landscape of consumer privacy protections, with dozens of comprehensive privacy bills moving through state legislatures and becoming enacted. So far in 2023, Iowa’s Act Relating to Consumer Data Protection (“Iowa Privacy Law”) and Indiana’s Consumer Data Protection Act (“ICDPA”) were signed into law. These two laws join the Virginia Consumer Data Protection Act (“VCDPA”), California Privacy Rights Act (“CPRA”), Colorado Privacy Rights Act (“CPA”), Connecticut’s Public Act No. 22-15 (“CTPA”), and Utah Consumer Privacy Act (“UCPA”) in the state comprehensive consumer privacy law framework. The Iowa Privacy Law becomes effective on January 1, 2025, and the ICDPA becomes effective on July 1, 2026. The VCDPA and CPRA (amending the California Consumer Privacy Act or “CCPA”) went into effect on January 1, 2023, while the CPA and CTPA go into effect on July 1, 2023. The UCPA will go into effect December 31, 2023.
Continue Reading Data Protection Impact Assessments: Are You Ready?

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

New York Releases Data Security Guide to Help Businesses Protect Personal Information | Privacy World

Selfie ID Biometric Verification Vendor’s

On April 13, 2023, the Indiana legislature passed Senate Bill 5 (“SB 5”)—more commonly referred to as the Indiana Consumer Data Privacy Act or “Indiana CDPA”—sending the legislation to Governor Eric Holcomb’s desk for signature. Governor Holcomb has until Thursday, April 20 to act on the bill. The Indiana CDPA will become law either if the governor signs the bill or takes no action before the April 20 deadline.
Continue Reading Follow the Leader: Indiana Becomes Latest State to Enact Consumer Privacy Statute

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

NOW AVAILABLE: Lexis Practical Guidance Releases CPW Team Member David Oberly’s “Mitigating Legal Risks When Using Biometric Technologies” Biometric

Indiana passed HB 1351 in March 2022, amending Indiana’s data breach notification law. Indiana’s breach notification law, as currently drafted, requires entities to notify Indiana residents and the Indiana Attorney General of a breach of the security of data without unreasonable delay and consistent with any measures necessary to determine the scope of the breach