USA LAW AND PRACTICE Contributed by: Nancy Libin, David Rice, Spencer Persson, Michael Borgia, Robert Stankey, Kara Trowell and Alexander Sisto, Davis Wright Tremaine LLP
Similarly, controllers that sell biometric personal data must provide the following: “NOTICE: We may sell your biometric personal data.” Montana The Montana Consumer Data Privacy Act (MCD - PA) prohibits the sale of personal data of con - sumers who the controller has actual knowledge of being under 16 and the use of their personal information for targeted advertising without con - sent (parental consent is required for consumers under 13 years of age). Minnesota (effective 31 July 2025 generally, and 31 July 2029 for post-secondary institutions) The Minnesota Consumer Data Privacy Act (MCDPA) is like the Colorado law, but gives broader rights to consumers who are subject to profiling by automated decision-making technol - ogy in certain circumstances. Such consumers have the right to: • challenge the result of such profiling; • be informed of the reasons for the decision; • learn what the consumer could have done or could do in the future to achieve a different result; and • review the information used in the profiling, with possible rights of correction and re- evaluation. The MCDPA, like the Oregon law, also gives con - sumers the right to a list of specific third parties to whom the controller has disclosed their per - sonal information, or a list of all specific parties to which the controller has disclosed personal information generally. Indiana (effective 1 January 2026) The Indiana Consumer Data Protection Act (INCDPA) is similar to the Virginia law and defines
a data sale as the exchange of personal data for monetary consideration only. Kentucky (effective 1 January 2026) The Kentucky Consumer Data Protection Act (KCDPA) also resembles the Virginia law. The KCDPA provides a right to cure, does not require controllers to recognise browser opt-out signals, and defines a “sale” as the exchange of personal data for monetary consideration only. Tennessee (effective 1 July 2025) The Tennessee Information Protection Act (TIPA) largely resembles the Virginia law by, among other things, adopting the narrow definition of a data sale as the exchange of data for “valuable monetary consideration”. The TIPA is unique in allowing controllers and processors to assert an affirmative defence to claims that their data practices are inadequate if they adopt and com - ply with a written privacy programme that “rea - sonably conforms” to the National Institute of Standards and Technology privacy framework or a similar framework. Rhode Island (effective 1 January 2026) The Rhode Island Data Transparency and Priva - cy Protection Act (RI-DTPPA) has the same gen - eral applicability threshold as Delaware (35,000 consumers). Maryland (effective 1 October 2025) The Maryland Online Data Privacy Act (MODPA) has the same low applicability thresholds as Del - aware and similar consumer rights and control - ler obligations, but it also includes some unique provisions that make compliance more difficult – for example, as follows. • Biometric data means data generated by automatic measurements of biological char -
529 CHAMBERS.COM
Powered by FlippingBook