On Friday, April 21, the Montana and Tennessee state legislatures approved comprehensive privacy law proposals. In Montana, the state senate passed an amended version of the Montana Consumer Data Privacy Act (SB 384) in a unanimous 50-0 vote. Meanwhile, the Tennessee state senate passed an amended version of the Tennessee Information Protection Act (HB 1181) in a similarly unanimous 29-0 vote. Both bills will now move to their respective governors’ desks for signature.
If enacted, the Montana and Tennessee bills would become the nation’s eighth and ninth state comprehensive privacy laws (joining California, Colorado, Virginia, Utah, Connecticut, Iowa, and Indiana). The imminent passage of these bills continues what has been a notably busy year for legislation. In addition to Montana and Tennessee, Iowa and Indiana have passed their own comprehensive privacy laws this year. Washington state also passed a privacy law that, while technically only applicable to “health” information, has definitions broad enough to apply to other categories of data that are not traditionally thought of as health data.
Overall, the Montana and Tennessee bills continue a trend — also on display in the recent Iowa and Indiana bills — of state comprehensive privacy laws that generally follow the models set forth by Virginia and Connecticut, particularly in terms of having limited enforcement mechanisms. Neither bill contains a private right of action (both laws can only be enforced by each state’s attorney general’s (AG) office), and both bills contain a 60-day cure period for violators. In addition, neither bill includes provisions allowing for AG rulemaking or the creation of a separate privacy enforcement entity (à la the California Privacy Protection Agency). That said, the two bills do contain a few provisions that businesses should pay close attention to. For example, the Tennessee bill creates a safe harbor for businesses that implement a privacy program that “[r]easonably conforms” with the National Institute of Standards and Technology (NIST) privacy framework. In addition, the Montana bill will require businesses to recognize opt-out preference signals by January 2025.
In this post, we summarize key takeaways from the pending enactment of the Montana and Tennessee bills, in particular highlighting notable distinctions between the two pieces of legislation. We also provide a general summary of each bill’s key provisions. We are happy to answer any questions you have about these two bills and their implications for your company’s privacy compliance program.
KEY TAKEAWAYS
The two bills share many similarities, including similar provisions as to, for example, consumer data rights, privacy notices, data protection assessments, and exemptions. However, the bills do diverge in a few notable ways, including:
- NIST Privacy Framework Safe Harbor: The Tennessee bill creates an affirmative defense for entities that develop a privacy program that "[r]easonably conforms" with the National Institute of Standards and Technology (NIST) privacy framework (“A Tool for Improving Privacy through Enterprise Risk Management”).
- Applicability Thresholds: The Montana bill — likely in recognition of Montana’s smaller population — has a lower applicability threshold. Notably, the Montana bill applies to entities that process the personal data of at least 50,000 Montana residents, whereas the Tennessee bill only covers entities that process the personal data of at least 175,000 Tennessee residents.
- Opt-Out Preference Signals: The Montana bill requires that entities comply with opt-out preference signals by January 2025. The Tennessee bill imposes no such requirement.
- Exclusive AG Enforcement and Cure Period: Neither bill creates a private right of action, instead relying solely on state AG enforcement. In addition, both bills contain a 60-day cure period for violations. However, Montana’s cure period will sunset in April 2026.
- Effective Dates: The Montana bill will go into effect earlier than Tennessee’s bill. Specifically, Montana’s bill becomes effective on October 1, 2024, while Tennessee's bill will not enter into effect until July 1, 2025.
KEY PROVISIONS – MONTANA CONSUMER DATA PRIVACY ACT
Key provisions of the Montana Consumer Data Privacy Act include the following:
- Applicability Thresholds: Applies to entities that conduct business in Montana or produce services or products targeted to Montana residents and that control or process the personal data of not less than: (1) 50,000 Montana residents, excluding personal data processed solely for the purpose of completing payment transactions; or (2) 25,000 Montana residents, where the entity derives more than 25% of gross revenue from the sale of personal data.
- Broad Exemptions: Exempts various entities and information types, including state and political subdivision entities, nonprofit organizations, institutions of higher education, specified national securities associations, entities and information subject to HIPAA, entities and information subject to GLBA, information subject to FCRA, information subject to FERPA, information governed by the Driver’s Privacy Protection Act, information governed by the Farm Credit Act, and certain employment-related information. In addition, an entity that complies with COPPA’s parental consent requirements is deemed compliant with the Act’s parental consent requirements.
- Consumer Data Rights: Creates individual rights for consumers, including the right to confirm whether a controller is processing personal data; the right to access personal data; the right to correct data; the right to delete data; the right to obtain a portable copy of personal data; and the right to opt out of the processing of data for purposes of targeted advertising, sale of data, and “profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.”
- Opt-Out Preference Signals: Requires that controllers comply with requests to opt out of targeted advertising or the sale of personal data made via opt-out preference signals by January 1, 2025.
- Privacy By Design: Incorporates privacy by design principles, including purpose limitation and reasonable security measures.
- Consent for Sensitive Data Processing: Requires that controllers obtain consumer consent before processing sensitive data, which includes biometric data.
- Privacy Notice: Requires that controllers provide consumers with a privacy notice that describes categories of personal data processed; the purpose for such processing; the categories of personal data that the controller shares with third parties; the categories of third parties with which personal data is shared; and how consumers may exercise their data rights.
- Processor Duties: Imposes a range of requirements on processors, including, among other things, requiring that a contract govern a processor’s execution of data processing activities on behalf of the controller.
- Data Protection Assessments: Requires controllers to conduct a data protection assessment for processing activities that “present[] a heightened risk of harm to a consumer,” including processing for purposes of targeted advertising, the sale of personal data, processing for purposes of profiling (where profiling presents certain specified risks), and the processing of sensitive data.
- Enforcement: The state AG has exclusive authority to enforce the Act.
- Cure Period: Creates a 60-day cure period for violators before the state AG may bring an enforcement action. However, the cure period provision will sunset on April 1, 2026.
- Effective Date: Would go into effect on October 1, 2024.
KEY PROVISIONS – TENNESSEE INFORMATION PROTECTION ACT
Key provisions of the Tennessee Information Protection Act include the following:
- Applicability Thresholds: Applies to controllers or processors that conduct business in Tennessee or produce products or services that target Tennessee residents, exceed $25 million in revenue, and either: (a) control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information; or (b) control or process the personal information of at least 175,000 consumers during a calendar year.
- Broad Exemptions: Exempts various entities and information types, including state entities and political subdivisions of the state; financial institutions and data subject to GLBA; any licensed insurance company under title 56; covered entities or business associates and information governed by HIPAA; nonprofit organizations; institutions of higher education; information governed by FCRA; information governed by the Driver’s Privacy Protection Act; personal data governed by FERPA; information governed by the Farm Credit Act; and specified employee-related information. In addition, an entity that complies with COPPA’s parental consent requirements is deemed compliant with the Act’s parental consent requirements.
- Consumer Data Rights: Creates individual rights for consumers, including the right to confirm whether the controller is processing the consumer’s personal information and to access the personal information; the right to correct inaccuracies in the consumer’s personal information; the right to delete personal data provided by the consumer or obtained by the controller about the consumer; the right to obtain a copy of the data in a portable and readily usable format; and the right to opt out of the controller’s processing of personal information for purpose of selling personal information about the consumer, targeted advertising, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
- Privacy by Design: Incorporates privacy by design principles, such as purpose limitation and reasonable security practices.
- Consent for Sensitive Data Processing: Requires that controllers obtain consumer consent before processing sensitive data, which includes biometric data.
- Privacy Notice: Requires that a controller provide a privacy notice that describes the categories of personal information processed; the purpose of such processing; how consumers can exercise their data rights; the categories of personal information sold to third parties; and the categories of third parties to which personal information is sold.
- Processor Duties: Imposes a range of requirements on processors, including, among other things, requiring that a contract govern a processor’s execution of data processing activities on behalf of the controller.
- Data Protection Assessments: Requires data protection assessments for the following activities: (1) the processing of information for purposes of targeted advertising; (2) the sale of personal information; (3) the processing of data for purposes of profiling if certain reasonably foreseeable risk factors are met; (4) the processing of sensitive data; and (5) any processing activities that present a heightened risk of harm.
- Enforcement: Violations are only enforceable by the Tennessee Attorney General and Reporter.
- Cure Period: Creates a sixty-day cure period after the AG provides written notice. If the entity cures the violation and provides the AG with an express written statement, no action will be initiated.
- Penalties: Imposes civil penalties of up to $7,500 for each violation. The AG may also seek declaratory relief, injunctive relief, reasonable attorneys’ fees, and investigative costs, or “[o]ther relief the court determines appropriate.”
- Affirmative Defense: Creates an affirmative defense to a cause of action for a violation if the controller or processor creates, maintains, and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework.
- Effective Date: Would go into effect on July 1, 2025.