Personal Data Laws Gain Ground: Four States Add New Laws

As was predicted, 2023 continues to be the year of data privacy as four states adopt (or will adopt) their own personal data laws. Specifically, at the time of this writing, the governors of the states of Indiana, Montana, Tennessee, and Texas have either signed bills to create their own states’ data privacy laws or have bills that are awaiting their signatures. Once completed, this would bring the total number of data privacy laws in the United States to ten. The laws are named as follows:

  • Indiana – Indiana Consumer Data Protection Act (“ICDPA,” Senate Bill 5)
  • Montana – Montana Consumer Data Privacy Act (“MCDPA,” Senate Bill 384)
  • Tennessee – Tennessee Information Protection Act (“TIPA,” House Bill 1181)
  • Texas – Texas Data Privacy and Security Act (“TDPSA,” House Bill 4)

In an attempt to not bore you with the details, we will take this opportunity to discuss each of these new laws in very broad strokes. Specifically, we will touch on what new requirements are placed on Controllers (i.e. “Dealers”), what new rights are afforded to consumers, the penalties for violating these laws, and their respective effective dates.

As each of these dates draws nearer, we will take a deeper dive into each of the laws so that you will be well prepared to take on these new consumer protection laws. Rest assured, ComplyAuto has you completely covered in our Privacy Rights Management system, which will account for the more state-specific requirements as their respective deadlines approach. It is a brave new world we live in and we can no longer stand idly by.

Controller (i.e. Dealership) Requirements:

Requirement #1: Securing Your Data by Reinforcing Cybersecurity Protocols

States recognize that dealerships collect a wealth of consumer data and have used personal data laws as an opportunity to require that businesses secure this information from unauthorized access. Dealerships in these states must establish, implement, and maintain reasonable technical and physical security practices to protect the confidentiality, integrity, and accessibility of consumer personal data. We believe the authors of these laws intend for dealerships to adopt security measures similar to the data protection and cybersecurity standards required by the Safeguards Rule. In other words, if you fulfill the Safeguards Rule, you will more than likely meet the threshold required by these laws.

Requirement #2: Privacy Policy and other Disclosures

Dealerships will need to update their existing privacy policies to reflect certain information regarding the consumer personal information that they collect. Specifically, the privacy policy needs to state the following:

  1. A description of the Data Subject Access Request (DSAR) portal – more about this below; 
  2. The categories of personal data it processes;
  3. The purpose for which the personal data is collected and processed;
  4. Instructions on how consumers may exercise their consumer rights;
  5. The categories of personal data that are shared with third parties; and
  6. The categories of third parties with whom the consumer’s personal data is shared.

Requirement #3: Cookie Consent Banner

Dealerships will also need to clearly and conspicuously disclose if they sell or use a consumer’s personal data for “targeted advertising” and first obtain consent if the dealership is going to process the information in this fashion. In all of these laws, “targeted advertising” means displaying advertisements to consumers based on personal information obtained from that consumer’s activities over time and across non-affiliated websites or online applications to predict the consumer’s preferences or interests.

Practically speaking, this can all be easily achieved by using a cookie consent banner that blocks very specific cookies (i.e. cross-contextual behavioral advertising cookies for targeted advertising as defined above) from loading on a consumer’s device until the consumer consents. 

Additionally, dealerships cannot collect a consumer’s “sensitive data” (i.e. geolocation data in the context of the automotive industry) without first obtaining the consumer’s consent. A cookie consent banner will also achieve this requirement. 

Requirement #4: Contracts with Data Processors

All of a dealership’s processors must sign a binding contract with the dealership that provides for each of the following:

  1. instructions for processing personal data;
  2. the nature and purpose for processing personal data;
  3. the type of personal data subject to processing;
  4. the duration of processing;
  5. the rights and obligations of both parties;
  6. reasonable risk assessments; and
  7. a contractual requirement that subcontractors meet the same obligations as the processor with respect to the personal data.

These contracts must also ensure that the processor is subject to a duty of confidentiality with respect to the personal data and, at the controller’s direction, the processor must delete or return all personal data to the dealership as requested at the end of the provision of services unless its retention is required by law.

Consumer Rights:

Types of Requests

Under each of these laws, consumers will have the right to do each of the following:

  1. confirm whether or not the dealership is processing the consumer’s personal data and access such data;
  2. request the dealership to correct inaccurate information about the consumer that was previously provided to the dealership;
  3. request the dealership to delete personal data about the consumer;
  4. request from the dealership a copy or summary of the consumer’s personal data; and
  5. request to opt out of the processing of the consumer’s personal data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.

Time to Respond to Requests

The dealership has forty-five (45) days after the receipt of the consumer’s request to either fulfill or deny the consumer’s request. The response period may be extended by another forty-five (45) days as long as the controller informs the consumer within the initial forty-five (45) days and has a reason for the extension. The dealership must also authenticate the request using commercially reasonable efforts or it may request the consumer to provide additional information reasonably necessary to authenticate the consumer and their request. 

If the consumer’s request is denied, the dealership must provide instructions for how to appeal the decision. The appeal process must be conspicuously available and similar to the process for submitting requests.  

The most efficient way to fulfill this requirement is providing a Data Subject Access Request (DSAR) portal that not only provides solutions for each of the types of requirements but also authenticates the request to ensure that the dealership is not fulfilling fraudulent requests.

Montana: Authorized Agents

In Montana, a consumer may designate another person to serve as their authorized agent and act on their behalf to submit opt-out requests. The dealership must comply with an authorized agent’s opt-out request as long as the dealership is able to properly verify the identity of the consumer and the authorized agent’s authority to act on the consumer’s behalf. Montana dealerships must provide a clear and conspicuous link on the dealership’s website to a web page that allows the consumer, or an authorized agent of the consumer, to submit their opt-out request.

An interesting point here is that Montana law views a consumer’s global device settings or controls on their device as a valid opt-out request from an authorized agent that dealerships must fulfill. This means that dealerships’ websites must be able to respond to these universal opt-out signals accordingly.


Penalties:

In each of Indiana, Montana, Tennessee, and Texas, the Attorney General maintains exclusive authority to enforce their respective personal data laws. In every state except Montana, the AG may seek an injunction against any business that violates the respective personal data law as well as levy a civil penalty of no more than $7,500 per violation.

Effective Date:

The Indiana Consumer Data Protection Act has an effective date of January 1, 2026.

The Montana Consumer Data Privacy Act has an effective date of October 1, 2024.

The Tennessee Information Protection Act has an effective date of July 1, 2025.

The Texas Data Privacy and Security Act has an effective date of March 1, 2024.

This article should be used as a compliance aid only and though its accuracy has been made a priority, it is not a substitute for professional legal advice. Each dealer should rely on their own expertise when using it.
