Montana and Tennessee Poised to Enact Nation’s Eighth and Ninth State Comprehensive Privacy Laws

WilmerHale

On Friday, April 21, the Montana and Tennessee state legislatures approved comprehensive privacy law proposals. In Montana, the state senate passed an amended version of the Montana Consumer Data Privacy Act (SB 384) in a unanimous 50-0 vote. Meanwhile, the Tennessee state senate passed the Tennessee Information Protection Act (HB 1181) in a similarly unanimous 29-0 vote. Both bills will now move to their respective governors’ desks for signature.

If enacted, the Montana and Tennessee bills would become the nation’s eighth and ninth state comprehensive privacy laws (joining California, Colorado, Virginia, Utah, Connecticut, Iowa, and Indiana). The imminent passage of these bills continues what has been a notably busy year for privacy legislation. In addition to Montana and Tennessee, Iowa and Indiana have passed their own comprehensive privacy laws this year. Washington state also passed a privacy law that, while technically applicable only to “health” information, defines that term broadly enough to reach categories of data that are not traditionally thought of as health data. 

Overall, the Montana and Tennessee bills continue a trend — also on display in the recent Iowa and Indiana bills — of state comprehensive privacy laws that generally follow the models set forth by Virginia and Connecticut, particularly in terms of having limited enforcement mechanisms. Neither bill contains a private right of action (both laws can only be enforced by each state’s attorney general’s (AG) office), and both bills contain a 60-day cure period for violations. In addition, neither bill includes provisions allowing for AG rulemaking or the creation of a separate privacy enforcement entity (such as the California Privacy Protection Agency). That said, the two bills do contain a few provisions that businesses should pay close attention to. For example, the Tennessee bill requires that businesses implement a privacy program compliant with the National Institute of Standards and Technology (NIST) privacy framework (and provides a corresponding safe harbor for companies that adhere to this requirement). In addition, the Montana bill will require businesses to recognize opt-out preference signals by January 2025. 

In this post, we summarize key takeaways from the pending enactment of the Montana and Tennessee bills, in particular highlighting notable distinctions between the two pieces of legislation. We also provide a general summary of each bill’s key provisions. We are happy to answer any questions you have about these two bills and their implications for your company’s privacy compliance program.

KEY TAKEAWAYS

The two bills share many similarities, including similar provisions as to, for example, consumer data rights, privacy notices, data protection assessments, and exemptions. However, the bills do diverge in a few notable ways, including: 

  • NIST Privacy Framework Requirement and Affirmative Defense: The Tennessee bill uniquely requires that entities develop a privacy program that complies with the National Institute of Standards and Technology (NIST) privacy framework (“A Tool for Improving Privacy through Enterprise Risk Management”). Entities that comply with this requirement are entitled to an affirmative defense in any action brought pursuant to a violation of the Act.
  • Applicability Thresholds: The Montana bill — likely in recognition of Montana’s smaller population — has a lower applicability threshold. Notably, the Montana bill applies to entities that process the personal data of at least 50,000 Montana residents, whereas the Tennessee bill only covers entities that process the personal data of at least 100,000 Tennessee residents. 
  • Opt-Out Preference Signals: The Montana bill requires that entities comply with opt-out preference signals by January 2025. The Tennessee bill imposes no such requirement. 
  • Exclusive AG Enforcement and Cure Period: Neither bill creates a private right of action, instead relying solely on state AG enforcement. In addition, both bills contain a 60-day cure period for violations. However, Montana’s cure period will sunset in April 2026.
  • Effective Dates: The Tennessee bill will go into effect slightly earlier than Montana’s bill. Specifically, Tennessee’s bill will enter into effect on July 1, 2024, while Montana’s bill becomes effective on October 1, 2024. 

KEY PROVISIONS – MONTANA CONSUMER DATA PRIVACY ACT

Key provisions of the Montana Consumer Data Privacy Act include the following:

  • Applicability Thresholds: Applies to entities that conduct business in Montana or produce services or products targeted to Montana residents and control or process personal data of not less than: (1) 50,000 Montana residents, excluding personal data processed for the purpose of payments; or (2) 25,000 Montana residents and derive more than 25% of gross revenue from sale of personal data.
KEY PROVISIONS – TENNESSEE INFORMATION PROTECTION ACT

Key provisions of the Tennessee Information Protection Act include the following:

  • Broad Exemptions: Exempts various entities and information types, including state entities and political subdivisions of the state; financial institutions and data subject to GLBA; any licensed insurance company under title 56; covered entities or business associates and information governed by HIPAA; nonprofit organizations; institutions of higher education; information governed by FCRA; information governed by the Driver’s Privacy Protection Act; personal data governed by FERPA; information governed by the Farm Credit Act; and specified employee-related information. In addition, an entity that complies with COPPA’s parental consent requirements is deemed compliant with the Act’s parental consent requirements.
  • Consumer Data Rights: Creates individual rights for consumers, including the right to confirm whether the controller is processing the consumer’s personal information and to access the personal information; the right to correct inaccuracies in the consumer’s personal information; the right to delete personal data provided by the consumer or obtained by the controller about the consumer; the right to obtain a copy of the data in a portable and readily usable format; the right to opt out of the controller’s selling personal information about the consumer; and the right to learn the categories of information sold and the third parties who purchased the personal information.
  • Privacy by Design: Incorporates privacy by design principles, such as purpose limitation and reasonable security practices. 
  • Consent for Sensitive Data Processing: Requires that controllers obtain consumer consent before processing sensitive data, which includes biometric data.
  • Privacy Notice: Upon consumer request, a controller must provide a privacy notice that describes the categories of personal information processed; the purpose of such processing; how consumers can exercise their data rights; the categories of personal information sold to third parties; and the categories of third parties to which personal information is sold. 
  • Processor Duties: Imposes a range of requirements on processors, including, among other things, requiring that a contract govern a processor’s execution of data processing activities on behalf of the controller.
  • Data Protection Assessments: Requires data protection assessments for the following activities: (1) the processing of information for purposes of targeted advertising; (2) the sale of personal information; (3) the processing of data for purposes of profiling if certain risk factors are met; (4) the processing of sensitive data; and (5) any processing activities that present a heightened risk of harm.
  • Enforcement: Violations are only enforceable by the Tennessee Attorney General and Reporter. 
  • Cure Period: Creates a sixty-day cure period after the AG provides written notice. If the entity cures the violation and provides the AG with an express written statement that the violation has been cured, no action for statutory damages will be initiated.
  • Penalties: Imposes civil penalties of up to $15,000 for each violation. The AG may recover reasonable expenses incurred in investigating and preparing the case, including attorneys’ fees. Further, “appropriate relief may be awarded to each identified consumer affected by a violation of this part regardless of damages suffered.”
  • Privacy Program: Requires that a controller or processor create, maintain, and comply with a written privacy program which reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework. A violation of this provision is considered an unfair and deceptive practice, except that a consumer is not entitled to a private right of action. 
  • Affirmative Defense: Creates an affirmative defense to a cause of action for a violation if the controller or processor creates, maintains, and complies with a written privacy program (see above). 
  • Effective Date: Would go into effect on July 1, 2024.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© WilmerHale | Attorney Advertising
