Two new states have joined the list of jurisdictions with comprehensive privacy laws. On April 21, 2023, Montana and Tennessee both passed their respective bills. The bills now await pending governor’s signature.
The Montana Consumer Data Protection Act (“MCDPA”) applies to businesses that conduct business in Montana or produce products or services that are targeted to Montana residents and: (a) that control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (b) control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data. If enacted, the MCDPA will take force on October 1, 2024 and carries standard privacy rights similar to those set out in the Connecticut privacy law, including consumer rights to know, access, correct, and delete data. It would also grant consumers the right to opt out of processing for the purposes of targeted advertising, the sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. Controllers must also conduct and document a data protection impact assessment for activities that present a heightened risk of harm to consumers. Controllers are also required to honor opt out preference signals by January 1, 2025. There is a 60 day right to cure, set to sunset on April 1, 2026. There is no private right of action.
As with the Connecticut bill, the MCDPA requires controllers to comply with an opt-out request sent via opt-out preference signals. Such preference signals may not unfairly disadvantage another controller, may not make use of a default setting, must be consumer-friendly, must be consistent with laws and regulations, and must allow the controller to accurately determine whether the consumer is a resident of the state and has made a legitimate request to opt out of sales or targeted advertising. The MCDPA also requires data processing agreements between controllers and processors. Several exemptions apply, including for non-profit organizations, institutions of higher education, covered entities under HIPAA, and financial institutions covered under Gramm-Leach-Bliely.
The Tennessee Information Protection Act (“TIPA”) would take effect on July 1, 2025 and has some similar provisions to the MCDPA, such as required data protection assessments and consumer rights of access, correction, and deletion. With a narrower applicability threshold, the bill applies to persons that conduct business in Tennessee or produce products or services that are targeted to residents of the state and that exceed $25 million in revenue and either: (i) control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information; or (ii) control or process the personal information of at least 175,000 consumers. As with the MCDPA, there are several exemptions, and enforcement is exclusively through action by the Attorney General.
The TIPA also requires businesses to create, maintain, and comply with a written privacy program that conforms to the National Institute of Standards and Technology (“NIST”) framework. When a NIST framework revision is published, the business must conform its privacy program to such revision.