explore.spirion.com Open in urlscan Pro
54.152.56.148  Public Scan

Form analysis
0 forms found in the DOM

Text Content

Thumbnails Document Outline Attachments Layers

Current Outline Item


Previous

Next
Highlight All Match Case
Match Diacritics Whole Words

Color
Size
Color
Thickness
Opacity
Presentation Mode Open Print Download Current View

Go to First Page Go to Last Page

Rotate Clockwise Rotate Counterclockwise

Text Selection Tool Hand Tool

Page Scrolling Vertical Scrolling Horizontal Scrolling Wrapped Scrolling

No Spreads Odd Spreads Even Spreads

Document Properties…
Toggle Sidebar

Find
Previous

Next
of 3
Presentation Mode Open Print Download Current View

FreeText Annotation Ink Annotation

Tools
Zoom Out

Zoom In
Automatic Zoom Actual Size Page Fit Page Width 50% 75% 100% 125% 150% 200% 300%
400%

July 1, 2024 October 1, 202411 January 1, 2025 January 1, 2025 January 1, 2026In
Force ››
TENNESSEE
TIPA9
MONTANA
CDPA10
DELAWARE
DPDPA12
IOWA
IOWA CDPA13
INDIANA
INDIANA CDPA14
Extraterritorial scope I § 47-18-3202 I § 3 I § 12D-103(a) I § 2 [§ 715D.2] I
Ch. 1, § 1(a)
Applies to Government
Agencies and Non-Profits N §§ 47-18-3210(a)(1), (5) N §4(a), (b) L § 12D-103(b)
N § 2 [§ 715D.2(b)(2)] N Ch. 1, §§ 1(b)(1), (4)
Addresses "special"
or "sensitive" personal
information?
Y § 47-18-3201(25) Y § 2(24) Y § 12D-102(30) Y § 1 [715D.1(26)] Y Ch. 2, § 28
Applies to employee/HR
data? N But see § 47-18-3201(16)
(B)(ix) N § 2(6)(b) N § 12D-102(8) N § 1 [715D.1(7)] N Ch. 2, § 8(b)
Applicability
Personal Data /
Personal
Information
New State Privacy Laws Enforceable in 2024-2026, Part 2
2023 has proven to be a watershed year for consumer privacy at the
U.S. state level. Ten new statutes addressing consumer privacy were
passed into law, eight of which are considered to be “comprehensive,” i.e.,
generally applicable, and two directed at healthcare information. These
new laws appear against a backdrop of greatly expanded state legislative
activity with respect to privacy. According to the National Conference
of State Legislatures, at least forty states (plus Puerto Rico) introduced
at least 350 consumer privacy bills in their respective legislatures during
the 2023 session. These ten new laws will go into force during a roughly
22-month period from March 2024 to January 2026, bringing the number
of comprehensive state laws to thirteen and the number of new healthcare
data privacy laws to three.
While none of them match California’s CCPA/CPRA in scope, they all
mandate the implementation of cybersecurity controls, transparency of
privacy practices, collection of personal data only to the extent that it’s
necessary, and special rules for data processors. Overall, businesses that
target residents of these states will likely need to conduct a complete
review of their data protection programs.
Likely the biggest challenge that data controllers will find in complying
with them is identifying personal data, especially sensitive data; their
definitions are relatively broad and, in some cases, exceptionally so.
The requirement for a DPIA or similar assessment is relatively common
among state privacy laws, and given that a distinct one is required for
each system or application processing personal data that also involves an
elevated risk, controllers would do well to begin planning for them as soon
as possible. Rounding out the list of high-priority tasks for controllers is
the review of agreements with their data processors; every one of the
new laws mandates such an agreement and some of them are particularly
prescriptive as to its terms.
Did we miss something? Do you have comments or questions about
this document? Send them to: data.protection@spirion.com
© 2023-2024 SPIRION, LLC. ALL RIGHTS RESERVED

2DATA PROTECTION LAWS - PART 2
© 2023-2024 SPIRION, LLC. ALL RIGHTS RESERVED
July 1, 2024 October 1, 202411 January 1, 2025 January 1, 2025 January 1, 2026In
Force ››
TENNESSEE
TIPA9
MONTANA
CDPA10
DELAWARE
DPDPA12
IOWA
IOWA CDPA13
INDIANA
INDIANA CDPA14
Special rules for children? Y § 47-18-3204(a)(6) Y § 7(2)(b) Y § 12D-106(a)(4) Y
§ 4 [§ 715D.4(2)] Y Ch. 3, § (1)(a); Ch. 4, § 1(5)
Can machine-readable
data be considered
personal?
Y § 47-18-3201(16)(B)(vi) I § 2(16) I § 12D-102(22) I § 1 [§ 715D.1(14)] I Ch.
2, § 20(a)
"Opt out" or "opt in" for
marketing?
Opt
Out
§ 47-18-3203(a)(2)(f); §
47-18-3204(c)(6)
Opt
Out § 5(1)(e) Opt
Out § 12D-104(a)(6) Opt
Out § 3 [§ 715D.3(1)(d)] Opt
Out Ch. 3, § (1)(b)(5)
Special rules for cookies or
other tracking tools? N N N N N
Honor browser "Global
Privacy Control" signals? N Y § 6(3)(b) Y § 12D-106(e)(1)(a)(2) N N
Mandates information
security? Y § 47-18-3204(a)(3); See
also § 47-18-3208(f)(2) Y §7(b); See also § 11(6)(b) Y § 12D-106(a)(3); See also
§ 12D-110(f) Y § 4 [§ 715D.4(1)] Y Ch. 4, § (1)(3); Ch. 8, §
7(b)(2)
Mandates risk
assessments? Y § 47-18-3206 Y § 9 Y § 12D-108 I § 4 [§ 715D.4(1)] Y Ch. 6
Mandates breach
notification for data
owners?
N But see TN Code § 47-
18-2107 I See MCA §30-14-1704 N But see 6 DE Code §
12B-101(1) N But see IN Code § 24-
4.9-3-1 N But see IC § 24-4.9
Mandates breach
notification for processors
/ service providers?
N But see § 47-18-3205(a) Y § 8(b) Y § 12D-107(a)(2) Y § 5 [§ 715D.5(1)(b)] Y
Ch. 5, § 1(2)(B)
Privacy by Design? N N N N N
Mandates data quality? N N N N N
Mandates data
minimization? N I But see § 11(6)(b) N N N
Right to access personal
information Y §§ 47-18-3203(a)(2)
(A), (D) Y § 5(a), (d) Y § 12D-104(a)(1), (4) Y § 3 [§ 715D.3(1)(a), (c)] Y Ch.
3, § (1)(b)(1), (4)
Right to amend/ correct
personal information? Y § 47-18-3203(a)(2)(B) Y § 5(b) Y § 12D-104(a)(2) N Y Ch.
3, § (1)(b)(2)
Right to erasure / deletion? Y § 47-18-3203(a)(2)(C) Y § 5(c) Y § 12D-104(a)(3)
Y § 3 [§ 715D.3(1)(b)] Y Ch. 3, § (1)(b)(3)
Marketing /
Advertising
Information Security
and Integrity
Individual
Rights
Personal Data /
Personal
Information

12212023 DPLAWS-23-001
Spirion has relentlessly solved real data protection problems since 2006 with
accurate, contextual discovery of structured and unstructured
data; purposeful classification; automated real-time risk remediation; and
powerful analytics and dashboards to give organizations greater
visibility into their most at-risk data and assets. Visit us at spirion.comTalk
to a Spirion data security and compliance expert today: expert@spirion.com
3DATA PROTECTION LAWS - PART 2
© 2023-2024 SPIRION, LLC. ALL RIGHTS RESERVED
Y = Yes
N = No
I = Implied
L = Limited Applicability
9 Tennessee Information Protection Act, S.B. 73, TENN. CODE ANN. §§ 47-18-3201
to -3213.
10 Montana Consumer Data Privacy Act of 2023, S.B. 384, MONT. CODE ANN. § 30-14.
11 Applicability to Global Privacy Controls on January 1, 2026.
12 Delaware Personal Data Privacy Act, H.B. 154.
13 Iowa Consumer Data Protection Act of 2023, S.F. 242, IOWA CODE § 715D.1-9
(2023).
14 Indiana Consumer Data Protection Act of 2023, S.B. 5, IND. CODE § 24-15
(2023).
Legal basis required
for collecting personal
information?
N But see § 47-18-3204(a)
(6) N But see §§ 7(2)(a), (b), (d) N But see §§ 12D-106(a)
(4), (7) N N But see Ch. 4, § 1(2)
Transparency of privacy
practices? Y § 47-18-3204(e) Y § 7(6)(a) Y § 12D-106(c) Y § 4 [§ 715D.4(5)] Y
Ch. 4, § 3
Collect, process, and
retain only data that is
necessary?
Y § 47-18-3208(f)(1) Y § 7(a); § 11(6)(a) Y § 12D-106(a)(1) Y § 7 [§§
715D.7(6)(a), (b)] Y Ch. 4, § 1(1); Ch. 8, § 7(a)
(1)
Special rules for data
processors / service
providers?
Y § 47-18-3205(a) Y § 11 Y § 12D-107 Y § 5 [§ 715D.5(1)(b)] Y Ch. 5, § 1
Restrictions on cross-
border transfers? N N N N N
Data Controller /
Business Mandates
July 1, 2024 October 1, 202411 January 1, 2025 January 1, 2025 January 1, 2026In
Force ››
TENNESSEE
TIPA9
MONTANA
CDPA10
DELAWARE
DPDPA12
IOWA
IOWA CDPA13
INDIANA
INDIANA CDPA14


More Information Less Information
Close

Enter the password to open this PDF file.

Cancel OK
File name:

-

File size:

-


Title:

-

Author:

-

Subject:

-

Keywords:

-

Creation Date:

-

Modification Date:

-

Creator:

-


PDF Producer:

-

PDF Version:

-

Page Count:

-

Page Size:

-


Fast Web View:

-

Close
Preparing document for printing…
0%
Cancel


This site uses cookies to provide a personalized content experience and track
visitor engagement.

Learn More
AcceptDecline
Next 
Next 

Privacy-Grade™ Checklist
Use this checklist to develop and enforce better data protection practices
associated with collecting, storing, and sharing personal and regulated data
throughout the data life cycle.
LinkedIn LinkTwitter LinkEmail LinkDownload Link
Watch a Demo
video:10 New U.S. State Privacy Laws: Your Questions Answered
pdf:New State Privacy Laws Enforceable in 2024-2026 Part 1
pdf:New State Privacy Laws Enforceable in 2024-2026 Part 2
pdf:Privacy-Grade™ Checklist
webpage:3 must-have standards of privacy-grade data protection
pdf:Spirion & Microsoft Purview integration
video:Spirion & Microsoft Purview integration demo
video:Spirion & Cyberhaven integration demo
pdf:How to use Spirion to implement the NIST Privacy Framework