Indiana, Tennessee, Montana and Texas Pass Comprehensive Consumer Privacy Laws

June 5, 2023

The momentum for state-level privacy legislation continues to run strong as Indiana, Tennessee, Montana and Texas have all passed comprehensive privacy laws in April and May. With these latest additions, a total of ten states have now passed laws specifically designed to protect their citizens’ personal and sensitive data. While these four new laws carry many similarities to existing state laws, some originality is baked into each:




The Indiana Consumer Data Protection Act will go into effect in January 2026 and closely follows the requirements set forth in the Colorado, Connecticut and Virginia state laws. Covered businesses will have plenty of time to prepare. This is because the law does not go into effect for another 2.5 years. And since this law shares so many similarities with other state laws already in place, compliance shouldn’t provide many additional challenges for those already compliant. One unique caveat does exist: entities licensed as riverboat casinos using facial recognition technology are exempt from the law as long as their program is approved by the Indiana gaming commission. There is a 30-day cure period to address violations before penalties are assessed. Unlike earlier versions of the bill, the signed version does not include a sunset to the right to cure period.




The Tennessee Information Protection Act goes into effect in July 2024 and also has similar characteristics to existing state laws. However, Tennessee’s law has one of the most interesting provisions in that it requires adherence to the NIST Privacy Framework. The intent is that this framework will be applicable to many different types of businesses and industries. And as these standards change over time, the NIST Framework is the best assurance for data practices and organizations to stay up to date with compliance. This stipulation may also encourage companies to place a higher priority on further maturing their privacy and data governance programs to align with the framework.




The Montana Consumer Data Protection Act was signed into law on May 19 and will go into effect in October 2024. A key inclusion in this bill is a universal opt-out mechanism (UOOM) that allows consumers to click a single button to no longer be tracked across all websites they visit. In practice, a consumer sets an “opt-out” preference in their browser, and each website is then sent a signal to opt them out of targeted advertising and sharing of their personal data. The Montana law also offers enhanced privacy requirements for children aged 13–15 by requiring an opt-in default for the sale of their personal information.




The Texas Senate passed the Texas Data Privacy and Security Act, which will take effect in March 2024 if signed by the governor. This act was modeled after Virginia’s state law, but it differs in its definition of personal data to include pseudonymous data when used in conjunction with additional information that reasonably links the data to an identifiable individual. It also removes the revenue threshold and requires small businesses to receive consent before selling consumers’ sensitive data. The bill adds that the classification of entities that qualify as a small business be defined by the United States Small Business Administration. The Texas law designates that the Texas Department of Information Resources must oversee implementation.


Consumer Rights and Business Requirements offered by all four state laws:


Rights Available to Consumers Business Practices Required
Right to Access Opt-In by default for sale of data (based on age)
Right to Correct Privacy Notice must be available
Right to Delete Risk assessments must be conducted
Right to Opt-Out of Processing Rights request discrimination is prohibited
Right to Portability Data processing limited to specific purposes
Right to Opt-Out of Sale  
Right to Opt-In for Sensitive Data Processing  
Right prohibiting automated decision making  




This recent burst of legislation serves to highlight two trends. First, in the absence of an all-encompassing federal law, state legislatures have continued to build their own bills from the “menu” of features offered by existing state laws across the country. Second, state governments are responding to data privacy concerns at an accelerating rate – while most recent years saw only one or two pieces of privacy legislation, 2023 has seen five consumer privacy laws passed in just five months.


If you have questions about compliance with state privacy laws and how they affect your organization, click here to learn more about our offerings, or drop us a line.

TJ Carsten
TJ Carsten has over 16 years’ experience in both consulting and corporate enterprise data management. He has experience working with medium sized businesses as well as Fortune 500 corporations to build and enhance their data privacy and governance programs.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit