New data privacy laws in Tennessee, Indiana, Montana, and Iowa put these states on par with Connecticut, Colorado, Virginia, Utah and Texas; all of them have new data privacy laws which, among other things, require affirmative opt-in and consent before you can use someone’s email address, such as adding it to a mailing list or using it for targeted advertising. It’s important to understand that this doesn’t just apply to businesses which are headquartered in those states; most of these state laws also apply to anyone doing business with someone in that state.
Businesses in the U.S. have been spoiled up until now, being used to collecting email addresses in a variety of ways, and doing whatever they want with them until the person at the other end of that email address cries “uncle!” But no more. Do that now and you risk emailing someone in one of the states with these new state laws, some of which are already in effect (Virginia) or will be within a week of the writing of this article (Connecticut and Colorado).
Nearly all of these laws (including, as we’ve previously written about, those of Connecticut, Colorado, Virginia, Utah, and Texas) essentially exempt small businesses, inasmuch as they apply to businesses that meet a certain threshold in terms of the number of individuals whose personal data they collect or process. For the most part these laws apply to your business if you collect or process the data of 100,000 or more individuals in a year, unless you are monetizing that personal data, in which case the threshold is lowered to 25,000 to 50,000 (depending on the state) plus a specified percentage (25% to 50%) of your total revenue coming from such sale.
That said, the Texas law, as we mention here, does it a bit differently: instead of stating a threshold, the Texas law applies to any business which does not meet the Federal definition of a small business, as defined by the Federal Small Business Administration.
Consent and Affirmative Opt-In for Email
All of these state laws require affirmative consent (i.e. opt-in) before you can use an individual’s personal data, which includes email addresses. A typical clause in these laws says that you may “not process personal information for purposes that are beyond what is reasonably necessary to and compatible with the disclosed purposes for which the personal information is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.” (This language in particular is from Tennessee’s law, but they all have similar, if not identical, language.)
This means that, for example, when someone gives you their email address in the course of placing an order, you may not put that email address on an email marketing list because that is not necessary for the purposes of fulfilling the order. In order to be able to put their email address on your email marketing list you must either clearly disclose that submitting an order will also result in their email address being put on your email marketing list, or you must get their clear consent to be put on your email marketing list.
We are only touching here on the requirements in these laws for opt-in before using someone’s email address; of course, there’s a lot more to each of these laws as they concern data privacy in general, such as requirements for universal opt-outs, notifications, and more. Tennessee’s law goes into effect on July 1, 2024, Montana’s law goes into effect October 1, 2024, Iowa’s on January 1, 2025, and Indiana’s on January 1, 2026.
You can read each of these laws here: