
Montana and Tennessee join Indiana and Iowa as the Next States to Pass Comprehensive Privacy Laws

On April 21, the Montana and Tennessee legislatures each passed a comprehensive privacy bill. Montana and Tennessee thereby join Indiana and Iowa, which enacted comprehensive state privacy laws earlier this year.

The Montana Consumer Data Privacy Act closely aligns with the Connecticut Data Privacy Act. Some key takeaways from the Montana bill include:

  • Applies to entities that conduct business in Montana or produce services or products targeted to Montana residents and control or process personal data of not less than: (1) 50,000 Montana residents, excluding personal data processed for the purpose of payments; or (2) 25,000 Montana residents and derive more than 25% of gross revenue from sale of personal data.
  • Creates a suite of individual rights for consumers.
  • There are broad exemptions for financial institutions and personal data subject to GLBA; any licensed insurance company under title 56; covered entities or business associates and personal data governed by HIPAA; nonprofit organizations; institutions of higher education; information governed by FCRA; information governed by the Driver’s Privacy Protection Act; personal data governed by FERPA; information governed by the Farm Credit Act; and specified employee-related information. Furthermore, COPPA compliance will satisfy parental consent requirements under the Montana bill.
  • Requires that, by January 1, 2025, controllers honor opt-out requests for targeted advertising or the sale of personal data that are sent via opt-out preference signals.
  • Incorporates privacy by design principles.
  • Requires that controllers obtain consumer consent before processing sensitive data.
  • Requires controllers to conduct a data protection assessment for processing activities that “[present] a heightened risk of harm to a consumer,” including processing for purposes of targeted advertising, sale of personal data, processing for purposes of profiling (where profiling presents certain specified risks), and processing of sensitive data.

If enacted, Montana's bill will take effect on October 1, 2024, and the Montana Attorney General will have enforcement authority. Violators receive a 60-day cure period before the Attorney General may bring an enforcement action; however, the cure period provision sunsets on April 1, 2026.

The Tennessee Information Privacy Act, on the other hand, has some unique features. If enacted, its key provisions include:

  • Applies to controllers or processors that conduct business in Tennessee or produce products or services targeted to Tennessee residents, exceed $25 million in revenue, and during a calendar year either (a) control or process the personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information, or (b) control or process the personal information of at least 175,000 consumers.
  • Creates a suite of individual rights for consumers. 
  • There are broad exemptions for financial institutions and personal data subject to GLBA; any licensed insurance company under title 56; covered entities or business associates and personal data governed by HIPAA; nonprofit organizations; institutions of higher education; information governed by FCRA; information governed by the Driver’s Privacy Protection Act; personal data governed by FERPA; information governed by the Farm Credit Act; and specified employee-related information. Furthermore, COPPA compliance will satisfy parental consent requirements under the Tennessee bill.
  • Incorporates privacy by design principles. 
  • Requires that controllers obtain consumer consent before processing sensitive data.
  • Requires data protection assessments for the following activities: (1) the processing of information for purposes of targeted advertising; (2) the sale of personal information; (3) the processing of data for purposes of profiling if certain reasonably foreseeable risk factors are met; (4) the processing of sensitive data; and (5) any processing activities that present a heightened risk of harm.

A unique requirement in the Tennessee bill is that controllers and processors must maintain a written privacy program that "reasonably conforms" with the U.S. National Institute of Standards and Technology (NIST) Privacy Framework. Companies will have one year to bring their privacy programs into conformance. The bill also provides an affirmative defense to a cause of action for a violation where the controller or processor creates, maintains, and complies with a written privacy program that reasonably conforms to the NIST Privacy Framework.

If enacted, Tennessee's bill will take effect on July 1, 2024. Enforcement authority rests exclusively with the Tennessee Attorney General and Reporter, who may impose civil penalties of up to $7,500 for each violation and may also seek declaratory relief, injunctive relief, reasonable attorneys' fees, investigative costs, or “[o]ther relief the court determines appropriate." There is a 60-day cure period after the Attorney General provides written notice to the controller or processor. If the company cures the violations and provides the Attorney General an express written statement to that effect, no further action will be taken.

Over a dozen other states are currently considering comprehensive privacy legislation, so companies will need to continue monitoring state legislative activity closely.
