ANOTHER UPDATE! State Privacy Laws and VPD

In our last state privacy law update, posted just over a month ago, we noted that “there is momentum in the data privacy space.” That may have been an understatement. Since then, governors in three states—Indiana, Montana, and Tennessee—have signed comprehensive data privacy acts into law. This brings the total number of states with such laws on the books to nine, and Texas appears poised to make the number an even ten. 

The International Association of Privacy Professionals’ State Privacy Legislation Tracker, which we have been following closely, now looks like this:

How do the three new laws address VPD? Similarly, albeit not directly. We summarize the relevant provisions below (our original chart can be found here, with the update for Iowa here).

Indiana Consumer Data Protection Act of 2023, effective January 1, 2026

The INCDPA does not specifically define “vehicle information” or include any provisions specific to VPD. “Personal data” is defined to mean “information that is linked or reasonably linkable to an identified or identifiable individual.” It does not include “de-identified data,” “aggregate data,” or “publicly available information.” S.B. 5, 123rd Gen. Assemb., First Reg. Sess., Chap. 2, § 19 (Ind. 2023).

In addition, “sensitive data” is defined to include “precise geolocation data,” which is “information derived from technology, including global positioning system level latitude and longitude coordinates, that directly identifies the specific location of a natural person with precision and accuracy within a radius of one thousand seven hundred fifty (1,750) feet.” S.B. 5, 123rd Gen. Assemb., First Reg. Sess., Chap. 2, §§ 20, 28 (Ind. 2023).

The INCDPA restricts processing of any personal data without consumer notice and consent. S.B. 5, 123rd Gen. Assemb., First Reg. Sess., Chap. 4, § 1(2) (Ind. 2023).

The INCDPA also covers “biometric data,” defined as data that “is generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, a voiceprint, images of the retina or iris, or other unique biological patterns or characteristics” and “is used to identify a specific individual.” S.B. 5, 123rd Gen. Assemb., First Reg. Sess., Chap. 2, § 4 (Ind. 2023). Such data is included within the definition of “sensitive data” when it is “processed for the purpose of uniquely identifying a specific individual.” S.B. 5, 123rd Gen. Assemb., First Reg. Sess., Chap. 2, §§ 28(2) (Ind. 2023). While this may not have obvious implications in a discussion about VPD, as we noted in our last update, recent litigation in Illinois involving Subaru’s driver monitoring feature suggests otherwise.

The INCDPA specifically exempts from its scope “personal data collected, processed, sold, or disclosed in compliance with the federal Driver’s Privacy Protection Act of 1994 (18 U.S.C. 2721 et seq.).” S.B. 5, 123rd Gen. Assemb., First Reg. Sess., Chap. 1, § 2(10) (Ind. 2023).

In addition, the Act does not prohibit a controller or processor of protected data from collecting, using, or retaining data to “conduct internal research to develop, improve, or repair products, services, or technology” or to “effectuate a product recall.” S.B. 5, 123rd Gen. Assemb., First Reg. Sess., Chap. 8, § 2(1)-(2) (Ind. 2023).

Montana Consumer Data Privacy Act, effective October 1, 2024

The MTCDPA does not specifically define “vehicle information” or include any provisions specific to VPD. “Personal data” is defined to mean “any information that is linked or reasonably linkable to an identified or identifiable individual.” It does not include “de-identified data or publicly available information.” S.B. 384, 68th Legis., Reg. Sess. § 2(15) (Mont. 2023).

In addition, “sensitive data” is defined to include “precise geolocation data,” which is “information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet.” S.B. 384, 68th Legis., Reg. Sess. § 2(16)(a), (24) (Mont. 2023).

The MTCDPA restricts processing of any personal data without consumer notice and consent. S.B. 384, 68th Legis., Reg. Sess. § 7(2)(a)-(b), (24) (Mont. 2023).

The MTCDPA also covers “biometric data,” defined as data that “is generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual.” S.B. 384, 68th Legis., Reg. Sess. § 2(3)(a) (Mont. 2023). Such data is included within the definition of “sensitive data” when it is processed for “the purpose of uniquely identifying an individual.” S.B. 384, 68th Legis., Reg. Sess. § 2(24)(b) (Mont. 2023).

The MTCDPA specifically exempts from its scope “personal data collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act of 1994, 18 U.S.C. 2721 et seq.” S.B. 384, 68th Legis., Reg. Sess. § 4(2)(l) (Mont. 2023).

In addition, the MTCDPA does not prohibit a controller or processor of protected data from collecting, using, or retaining data “for internal use to ... conduct internal research to develop, improve, or repair products, services, or technology” or to “effectuate a product recall.” S.B. 384, 68th Legis., Reg. Sess. § 11(2)(a)-(b) (Mont. 2023).

Tennessee Information Protection Act, effective July 1, 2024

The TIPA does not specifically define “vehicle information” or include any provisions specific to VPD. It defines “personal information” as “information that identifies, relates to, or describes a particular consumer or is reasonably capable of being directly or indirectly associated or linked with, a particular consumer.” Such information includes identifiers such as name, SSN, and driver license number; associative information like addresses and insurance policy numbers; commercial information like purchases made; biometric data; “electronic network activity;” geolocation data; etc. It does not include information that is “publicly available” or “de-identified or aggregate consumer information.” H.B. 1181, 113th Gen. Assemb., Reg. Sess. § 47-18-3201(16) (Tenn. 2023).

In addition, “sensitive data” is defined as personal information that includes, among other things, “precise geolocation data,” which is “information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of one thousand seven hundred fifty feet (1,750’).” H.B. 1181, 113th Gen. Assemb., Reg. Sess. § 47-18-3201(17), (25) (Tenn. 2023).

The TIPA restricts processing of any personal data without consumer notice and consent. H.B. 1181, 113th Gen. Assemb., Reg. Sess., Part 47-18-3204(a) (Tenn. 2023).

The TIPA also covers “biometric data,” defined as data that is “generated by automatic measurement of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retina or iris, or other unique biological patterns or characteristics that are used to identify a specific individual.” H.B. 1181, 113th Gen. Assemb., Reg. Sess. § 47-18-3201(3) (Tenn. 2023). Such data is included within the definition of “sensitive data” when it is processed for “the purpose of uniquely identifying a natural person.” H.B. 1181, 113th Gen. Assemb., Reg. Sess., Part 47-18-3201(25)(B) (Tenn. 2023).

The TIPA specifically exempts from its scope “personal information collected, processed, sold, or disclosed in compliance with the federal Driver’s Privacy Protection Act of 1994 (18 U.S.C. 2721 et seq.).” H.B. 1181, 113th Gen. Assemb., Reg. Sess., Part 47-18-3210(a)(17) (Tenn. 2023).

In addition, the TIPA does not prohibit a controller or processor of protected data from collecting, using, or retaining data to “conduct internal research to develop, improve, or repair products, services, or technology” or to “effectuate a product recall.” H.B. 1181, 113th Gen. Assemb., Reg. Sess., Part 47-18-3208(b) (Tenn. 2023).

Copyright Nelson Niehaus LLC

The opinions expressed in this blog are those of the author(s) and do not necessarily reflect the views of the Firm, its clients, or any of its or their respective affiliates. This blog post is for general information purposes and is not intended to be and should not be taken as legal advice.
