Montana and Tennessee

Montana and Tennessee Pass Comprehensive Data Privacy Bills: Data Privacy Trends

“That escalated quickly” – again! Indiana just passed its data privacy bill, now Montana and Tennessee have both passed laws too!

According to the International Association of Privacy Professionals (IAPP), comprehensive bills in Montana and Tennessee cleared their respective state legislatures last Friday — the first same-day passage for two state privacy bills — to join Indiana and Iowa among states to reach the finish line this year. That’s four states in just over a month!

Both bills, which now await enactment pending governor’s signature, carry likeness to existing state privacy laws with some originality.

Montana Senate Bill 384 aligns exclusively with the Connecticut Data Privacy Act after surprise amendments during the cross-chamber process. Tennessee’s bill brings the most unique provisions, including enforcement that hinges on adoption of the U.S. National Institute of Standards and Technology’s Privacy Framework.

If enacted, Montana’s bill takes force October 1, 2024 while Tennessee’s follows July 1, 2025.

The Montana bill includes recognition of universal opt-out mechanisms, an April 2026 sunset on the 60-day right to cure, and lowered coverage thresholds from 100,000 data subjects to 50,000. The bill also carries requirements for standard consumer privacy rights, data protection assessments and enhanced privacy requirements for children ages 13-15.

The Tennessee Information Protection Act has familiar provisions like required data protection assessments and a 45-day data subject request response window. Tennessee’s thresholds for covered entities are narrower than anywhere else, applying to companies that make more than USD25 million in revenue while controlling or processing data on 25,000 consumers and gross 50% revenue from data sales of more than 175,000 consumers.

Also new to Tennessee businesses and out-of-state covered entities is the NIST Privacy Framework carveout, a first-of-its-kind among state laws. Adherence to NIST’s standard — and any future revisions to it — is required under Tennessee statute.

After Montana and Tennessee, which state will be next? Check back tomorrow! Hey, you never know! 😉

So, what do you think? Are you surprised that we’ve had so many states pass data privacy laws in the past few weeks? Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Leave a Reply