2023 Round-Up on State Consumer Data Privacy Laws

By Ilse P. Johnson, Michael B. Katz, Jon Taylor

Looking back sometimes means looking forward. That is absolutely the case for new comprehensive data privacy statutes enacted in a number of U.S. states during 2023, including Indiana, Tennessee, Montana, Florida, Texas and Oregon. While these states have now codified a range of consumer rights with respect to their personal data, as well as new obligations imposed on covered businesses collecting and processing that data, the new laws do not take effect until the middle of 2024 or beyond. All the same, companies who may be subject to these laws in the future should start preparing now to comply with what are becoming increasingly standardized requirements across many U.S. states.

To assist our readers become more familiar with the new laws, we have prepared a summary chart below describing key features with respect to consumer rights, business obligations, and enforcement provisions. A few things jump out – for example, the laws are strikingly similar and provide consumers with nearly identical rights to request information about personal data a business is collecting and to exercise greater control over how it will be used. Covered businesses will also have largely consistent obligations with respect to personal data they are collecting with only minor variations (e.g., how often consumers may request information about their personal data, or when data impact assessments will need to be conducted, or when consent may be required for collecting a minor’s information for targeted advertising purposes). Potential penalties vary somewhat but all of the states will rely on state attorneys general offices to enforce their statutes, rather than provide consumers with a private right of action.

For more comprehensive summaries of each statute, we invite you to review our blog posts from earlier this year by clicking the following links:  IndianaTennesseeMontanaFlorida and Texas. These articles have direct links to the laws as well. If you have any questions related to state consumer data privacy laws, please feel free to contact anyone from Mintz’s Privacy & Cybersecurity team.

Similar to existing state privacy laws, the new laws establish applicability thresholds described in the chart below for determining what are covered businesses subject to the statute.

INDIANA

Persons that conduct business in Indiana or targeting products / services to residents in Indiana, and during a calendar year the business:

  1. Control or process personal data of 100,000 or more IN consumers who are residents; or
  2. Control or process personal data of 25,000 IN consumers who are residents and derives more than 50% of gross revenue from sale of personal data.
TENNESSEE

Persons that conduct business in Tennessee or targeting products / services to residents in Tennessee, if, during a calendar year the company generates at least $25 million in gross annual revenue and must either:

  1. Control or process personal data of 170,000 or more TN consumers; or
  2. Control or process personal data of 25,000 TN consumers and derives more than 50% of gross revenue from sale of personal information.
MONTANA

Persons that conduct business in Montana or targeting products / services to residents in Montana, and during a calendar year the company:

  1. Control or process personal data of 50,000 or more MT consumers, excluding for the purpose of completing payment transactions; or
  2. Control or process personal data of 25,000 MT consumers and derives more than 25% of gross revenue from sale of personal data.
FLORIDA

Persons that generate at least $1 billion in gross revenue and must either:

  1. Derive 50% or more of its global annual revenues from targeted advertising or the sale of ads online;
  2. Operate a consumer smart speaker and voice command service with an integrated virtual assistant through a cloud service and hands-free verbal activation, or
  3. Operate an app store that offers at least 250,000 software applications for consumers to download.
TEXAS

Persons that:

  1. Conduct business in Texas or produce products / provide services consumed by residents of Texas;
  2. Process or engage in the sale of personal data; and
  3. Do not qualify as a small business as defined by the United States Small Business Administration (with limited exceptions).
OREGON

Persons that conduct business in Oregon or that provide products / service to residents in Oregon, and during the calendar year the company:

  1. Control or process personal data of 100,000 or more OR consumers, other than for completing a payment transaction; or
  2. Control or process personal data of 25,000 OR consumers and derive 25% or more of gross revenue from sale of personal data.

In addition to the applicability requirements of each law, the chart below provides a snapshot of consumer rights, business obligations and enforcement provisions addressed by the new state consumer privacy laws passed in 2023. Please note that the consumer rights created by these new laws are not available with respect to personal data collected from individuals acting in a commercial context (i.e., B2B) or employment context.

Consumer RightsIndianaTennesseeMontanaFloridaTexasOregon
Right to knowYesYesYesYesYesYes
Right to accessYesYesYesYesYesYes
Right to correctYesYesYesYesYesYes
Right to deleteYesYesYesYesYesYes
Right to portabilityYesYesYesYesYes 
Right to opt out of targeted advertisingYesYesYesYesYesYes
Right to opt out of sale of personal data YesYesYesYesYesYes
Right to opt-out of profiling YesYesYesYesYesYes
Right to opt in for sensitive data processing YesYesYesYesYesYes
Right to opt in or out the collection of precise geolocation data or voice recognition features Yes, opt in for geolocation dataYes, opt in for geolocation dataYes, opt in for geolocation dataYes, opt out for bothYes, opt in for geolocation dataYes, opt in for both
Business ObligationsIndianaTennesseeMontanaFloridaTexasOregon
Respond to consumer requestsWithin 45 days (may be extended 45 days)Within 45 days (may be extended 45 days)Within 45 days (may be extended 45 days)Within 45 days (may be extended 45 days)Within 45 days (may be extended 45 days)Within 45 days
Provide required information to consumers free of chargeYes, up to 1x per yearYes, up to 2x per yearYes, up to 1x per yearYes, up to 2x per yearYes, up to 2x per yearYes, up to 1x per year
Authenticate requestsYesYesYesYesYesYes
Establish a process for consumers to appeal any refusal to take actionYesYesYesYesYesYes
Provide a “reasonably accessible” and clear privacy noticeYesYesYesYesYes 
 Disclose any sale of personal data or use of personal data for targeted advertising (and how to opt-out)YesYesYesYesYesYes
Conduct and document data protection impact assessments for processing activities generated: After December 31, 2025On or after July 1, 2024After January 1, 2025On or after July 1, 2023After July 1, 2024On or after July 1, 2024
Limit collection of personal data to what is adequate, relevant and reasonably necessary in relation to the disclosed purposes YesYesYesYesYesYes
Process personal data solely for disclosed purposes or purposes compatible with disclosures, unless the consumer consentsYesYesYesYesYesYes
Do not discriminate against a consumer for exercising any consumer rightsYesYesYesYesYesYes
Obtain consent before selling or using data from users between 13 and 15 years of age for targeted advertisingNoNoYesNoNoYes
EnforcementIndianaTennesseeMontanaFloridaTexasOregon
Private right of actionNoNoNoNoNoNo
EnforcementAttorney GeneralAttorney GeneralAttorney GeneralFlorida Department of Legal AffairsAttorney GeneralAttorney General
Opt-in default for sensitive data (requirement age)13 years of age13 years of age13 years of age13 years of age13 years of age13 years of age
Right-to-cure period30 days60 days60 days*45 days30 days30 days*
Max civil fine per violation$7,500$7,500None established$50,000$7,500$7,500
Effective date January 1, 2026July 1, 2025October 1, 2024July 1, 2024July 1, 2024July 1, 2024, July 1, 2025 for non-profits

*The procedural notice and cure period will sunset on April 1, 2026 for Montana and January 1, 2026 for Oregon.

We expect that 2024 will bring new state data privacy laws, in the absence of a federal omnibus privacy statute. Watch this space.

Subscribe To Viewpoints

Published

    • Viewpoint Topics

  • Privacy & Cybersecurity

    • Professionals

  • Ilse P. Johnson
  • Michael B. Katz
  • Jon Taylor

    • Related Practices

  • Privacy & Cybersecurity

    • Authors

    Ilse P. Johnson

    Associate

    Ilse P. Johnson is an Associate at Mintz who focuses her practice on corporate and securities law, real estate transactions, and general corporate matters.

    Michael B. Katz

    Associate

    Michael B. Katz is a Mintz corporate attorney who focuses on mergers & acquisitions, private equity transactions, and venture capital financings. He regularly assists clients with commercial contract negotiations, licensing agreements, and data privacy & security matters and advises startup and emerging companies.

    Jon Taylor

    Associate

    Jon S. Taylor is an Associate at Mintz who focuses on M&A, private equity deals, debt and equity financings, and general corporate matters. He advises private equity firms, financial services companies, and clients in the technology, health care, manufacturing, and retail industries.