2023 Privacy Compliance Year in Review
2023 was an eventful year for privacy legislation, regulation and regulatory enforcement. The compliance landscape continues to develop and evolve rapidly, making it difficult for covered businesses to keep up with the myriad requirements. In this post, we discuss some of the year’s most interesting privacy compliance developments globally.
Don’t Mess with Texas: The Lone Star State Enacts Comprehensive Consumer Privacy Law
Privacy teams have more to do now that Gov. Abbott has signed the Texas Data Privacy and Security Act, also known as TX HB 4 (the “Act”), after several last-minute amendments. This is in addition to the new comprehensive privacy laws from Tennessee (also amended late in the game before submission to the Governor), Indiana, Iowa, Montana and Florida that have passed this spring alone.
Importantly, there is no minimum number of records processed or annual revenue threshold for a business to fall within the scope of the law. It applies broadly to companies that do business in the state and that process or sell personal data. It does contain the usual entity-level and data-level exceptions (e.g., GLBA, HIPAA, FCRA, etc.) and explicitly excludes data collected in the human resources or business-to-business context.
Health (and Health-ish) Data and Advertising Under Scrutiny
In 2020, when the California Consumer Privacy Act (CCPA) came into effect, the privacy landscape in the US changed forever. Fast forward three years, and we now have close to a dozen states that have passed consumer privacy laws, with the second generation of consumer privacy laws giving particular attention to sensitive data. In particular, there is an emerging trend, in both new legislation and enforcement of existing privacy and consumer protection regimes, towards a focus on the collection, use, and sharing or selling of health-related personal information, specifically information that is outside the scope of the federal Health Insurance Portability and Accountability Act (HIPAA).[1] The effect is a restriction on what publishers, advertisers, and other commercial enterprises can do with consumer health information, which is often broadly defined to include any past, present or future health status or inference regardless of sensitivity (e.g., acne or a headache). These developments include:
Montana’s Comprehensive Privacy Law Signed by the Governor
On May 19th, Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (“Montana CDPA”). The Montana CDPA was chaptered into Montana law on May 22nd. Montana is the fifth state to pass a comprehensive privacy law this year, following Iowa, Indiana, Tennessee and Florida, and the tenth state overall, following the “first five” states of California, Colorado, Connecticut, Utah and Virginia (described here).
Following are some FAQs about the Montana CDPA:
When is the Montana CDPA in effect?
The Montana CDPA is in force as of October 1, 2024. That is earlier than the new privacy laws in Iowa (effective January 1, 2025), Tennessee (effective July 1, 2025) and Indiana (effective January 1, 2026). Only Florida’s new privacy law takes effect earlier, on July 1, 2024.
Who are “consumers” in the Montana CDPA?
A consumer is a Montana resident acting in an individual capacity.
Consumers are not Montana residents acting in a commercial or employment context, or otherwise in a business-to-business or government agency context, e.g., employee, owner, director, officer, or contractor.
What organizations are subject to the Montana CDPA?
The Montana CDPA applies to any “person” (meaning a natural person or legal entity, subject to the exceptions described below) that:
- conducts business in Montana or produces products or services that are targeted to Montana consumers, and
- either (i) controls or processes the personal data of 50,000 or more consumers (excluding personal data processed solely for completing a payment transaction), or (ii) controls or processes the personal data of 25,000 or more consumers and derives 25% or more of gross revenue from the sale of personal data.
The Montana CDPA follows the same role-based processing model as the other state privacy laws: a controller determines the purpose and means of processing personal data; a processor processes personal data on behalf of a controller and assists the controller in meeting its obligations; and a controller must have a contract with each of its processors.
What organizations are not subject to the Montana CDPA?
The Montana CDPA does not apply to non-profit organizations, financial institutions regulated by the Gramm-Leach-Bliley Act, national securities associations under the Securities Exchange Act, or to HIPAA covered entities and protected health information (among other exclusions).
What rights are available for consumers under the Montana CDPA?
The Montana CDPA grants the following rights to consumers:
- Right to confirm processing and access personal data
- Right to correct inaccuracies in the consumer’s personal data
- Right to delete personal data about the consumer
- Right to obtain a copy of the personal data previously provided by the consumer
- Right to opt-out of the processing of the consumer’s personal data for the purposes of:
- targeted advertising
- sale
- profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer
Consumers can designate an authorized agent to exercise the rights of the consumer to opt out of targeted advertising, sale, and profiling.
What obligations apply to businesses under the Montana CDPA?
Responding to Consumer Rights. A covered business acting as a controller:
- must respond to a consumer rights request within 45 days after receipt of the request, subject to one 45-day extension when “reasonably necessary”
- must establish a process for a consumer to appeal the controller’s refusal to act on a consumer rights request
- must, within 60 days after receipt of an appeal, inform the consumer in writing of any action taken or not taken, including an explanation of the reasons for that decision. If the appeal is denied, the controller must provide the consumer with an online mechanism, if available, or another method through which the consumer can contact the Montana Attorney General to submit a complaint.
Special Requirements for Opt-out Requests relating to Targeted Advertising and Personal Data Sale: by January 1, 2025 (three months after the Montana CDPA is in force), a controller must allow consumers to opt out of targeted advertising or the sale of their personal data through an opt-out preference signal. The opt-out preference signal must be easy to use, must not unfairly disadvantage another controller, must require the consumer to make an affirmative choice to opt out (i.e., it cannot be a default setting), and must allow the controller to accurately determine whether the consumer is a Montana resident.
Data Minimization: A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed.
Revocation of Consent: Controllers must provide a mechanism for consumers to revoke their consent that is as easy to use as the mechanism by which the consumer provided their consent. Within 45 days of the revocation, the controller must cease processing the consumer’s personal data.
Privacy Notice: A controller must make available a privacy policy that includes the categories of personal data processed by the controller, the purpose for processing personal data, the categories of personal data that the controller shares with third parties, the categories of third parties with which the controller shares personal data, the controller’s contact information, and how consumers may exercise their rights, including one or more reliable means to submit a request, and appeal a controller’s decision regarding the request.
Sensitive Data Processing: A controller may not process sensitive data concerning a consumer without obtaining the consumer’s consent.
Minors: Controllers may not process the personal data of a consumer for the purposes of targeted advertising or sale without the consumer’s consent when a controller has actual knowledge that the consumer is at least age 13 but younger than age 16.
Data Protection Assessments: A controller is obligated to conduct and document a data protection assessment for each of the controller’s processing activities created or generated after January 1, 2025 that present a heightened risk of harm to a consumer, including (1) processing personal data for targeted advertising, (2) selling personal data, (3) processing sensitive data, and (4) processing personal data for profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment; financial, physical or reputational injury to consumers; intrusion on the solitude or seclusion or the private affairs of consumers; or other substantial injury. Data protection assessments generally must identify and weigh the benefits and risks of the processing, as mitigated by any safeguards the controller may employ. These requirements generally track the data protection assessment requirements in Virginia’s, Connecticut’s, and Indiana’s consumer privacy laws.
What are the consequences of not complying with the Montana CDPA?
The Montana CDPA does not provide a private right of action and is enforceable only by the Montana Attorney General. The Montana AG may bring an action if, after notice of a violation, the controller fails to cure the violation within a sixty-day cure period. The cure period expires on April 1, 2026.
Are regulations forthcoming under the Montana CDPA?
The Montana CDPA does not provide for future rulemaking.
2024 and 2025 promise to be busy years for privacy professionals, with five new privacy laws coming into effect and likely more on the way. Businesses that have already built compliance programs for one or more of the “first five” state privacy laws will, however, have a much lighter lift.
Privacy World will continue to cover updates in Montana, as well as other state and federal privacy legislation. Please contact the authors or your relationship partner at SPB for more information.
Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor Squire Patton Boggs accepts responsibility for any errors or omissions. The content of this article is for general information only, and is not intended to constitute or be relied upon as legal advice.
Data Protection Impact Assessments: Are You Ready?
This year has widened the landscape of consumer privacy protections, with dozens of comprehensive privacy bills moving through state legislatures and several being enacted. So far in 2023, Iowa’s Act Relating to Consumer Data Protection (“Iowa Privacy Law”) and Indiana’s Consumer Data Protection Act (“ICDPA”) have been signed into law. These two laws join the Virginia Consumer Data Protection Act (“VCDPA”), California Privacy Rights Act (“CPRA”), Colorado Privacy Act (“CPA”), Connecticut’s Public Act No. 22-15 (“CTPA”), and Utah Consumer Privacy Act (“UCPA”) in the state comprehensive consumer privacy law framework. The Iowa Privacy Law becomes effective on January 1, 2025, and the ICDPA becomes effective on January 1, 2026. The VCDPA and CPRA (amending the California Consumer Privacy Act or “CCPA”) went into effect on January 1, 2023, while the CPA and CTPA go into effect on July 1, 2023. The UCPA will go into effect on December 31, 2023.
Governor Inslee Signs Washington My Health My Data Act Into Law: First-of-Its-Kind Consumer Health Data Law, Explained
Today, Governor Jay Inslee signed into law the My Health My Data Act (HB 1155) (the “Act” or “MHMD”), a first-of-its-kind consumer health data law. Passage of the Act was, in part, a direct response by Washington state lawmakers to the U.S. Supreme Court’s decision in Dobbs v. Jackson Women’s Health Org. overturning Roe v. Wade. Recognizing that the nation’s federal health law, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), has blind spots in protecting health-related information collected outside of contexts involving HIPAA covered entities (e.g., healthcare institutions), the legislature in passing MHMD sought to “close the gap” in privacy protections for health data that falls outside the scope of HIPAA, including information related to reproductive health and gender-affirming care.
Montana, Tennessee or ____________?: Which State Will Pass the Next Privacy Law?
As U.S. privacy pros know, the past few years have seen many state privacy bills proposed, but as of January 1st only five states had enacted comprehensive privacy laws. So far in 2023, Iowa has approved its “Act relating to consumer data protection” (which we reported on here) and, late last week, the Indiana Legislature passed the Indiana Consumer Data Privacy Act, which is pending the governor’s signature (discussed here).
Follow the Leader: Indiana Becomes Latest State to Enact Consumer Privacy Statute
On April 13, 2023, the Indiana legislature passed Senate Bill 5 (“SB 5”), more commonly referred to as the Indiana Consumer Data Privacy Act or “Indiana CDPA”, sending the legislation to Governor Eric Holcomb’s desk for signature. Governor Holcomb has until Thursday, April 20 to act on the bill. The Indiana CDPA will become law if the governor either signs the bill or takes no action before the April 20 deadline.
Privacy World Week in Review
In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.
Singapore Appointed as Deputy Chair of the Global Cross-Border Privacy Rules Body
Italian OpenAI: May (A)I?
Federal Privacy Legislation Moves One Step Closer to Enactment
Data Retention and Minimization, The Elephant in the Room
Orders to Progress Complaints – No Backdoor Appeal Process For ICO Decisions
Webinar Materials Available: China’s New Personal Data Export Restrictions
UK Data Protection Reform: who would want to be a “Senior Responsible Individual”?
Out Like a Lion: Revised CCPA Regulations and New Iowa Privacy Law
CFPB Issues Request for Information to Determine Data Brokers’ Compliance with FCRA
Privacy World Week in Review
In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.
Data Retention and Minimization, The Elephant in the Room
Orders to Progress Complaints – No Backdoor Appeal Process For ICO Decisions
Webinar Materials Available: China’s New Personal Data Export Restrictions
UK Data Protection Reform: who would want to be a “Senior Responsible Individual”?
Out Like a Lion: Revised CCPA Regulations and New Iowa Privacy Law
CFPB Issues Request for Information to Determine Data Brokers’ Compliance with FCRA
PW’s Kristin Bryan Talks with CFO Dive on Blackbaud Cyber Penalty