This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
| 1 minute read

Montana and Tennessee are the next states to be on the finish line to pass privacy laws

Montana and Tennessee state legislators have now passed their own versions of comprehensive privacy laws. 

While the Montana Consumer Data Protection Act (MCDPA) tracks closely to Connecticut law, it does have some interesting features. Some of the key features includes:

  • Recognition of universal opt-out mechanisms (like the GPC signal)
  • 60 day right to cure violations (which ends on April 1, 2026)
  • The scope threshold is one of the lowest in the country, at only 50K Montana consumers (similar to California under the CCPA, but that was updated to 100K and further limited under the CPRA) 
  • Requirements for standard consumer rights
  • Data protection assessments
  • Enhanced privacy for children less than 16 years old

If passed, the MCDPA would go into effect on October 1, 2024. 

The Tennessee Information Privacy Act (TIPA), on the other hand, has some rather unique provisions. Like other states, if passed the TIPA would apply to companies that control the personal information of 100K Tennessee consumers or derive 50% or more of their revenue from the sale of data of more than 25K Tennessee consumers. The law also applies to organizations that process personal information. The TIPA further includes a requirement to conduct data protection impact assessments (DPIA) and contains a 60 day right to cure violations. 

A unique provision of TIPA is that organizations must have a written privacy program that "reasonably conforms" with the NIST Privacy Framework, and they have 1 year to update their privacy program to account for any revisions to the NIST Privacy Framework. This appears to be the first time that any state legislature has pointed to a national standard for guidelines and controls instead of the fuzzy "reasonable" security measures or practices. Following the NIST Privacy Framework provides an affirmative defense for any alleged violations. 

If passed, the TIPA would go into effect July 1, 2024. Businesses that may be subject to the TIPA should consider developing internal policies and procedures based on the NIST Privacy Framework to prepare. 

The wave of U.S. comprehensive state privacy legislation that few ever thought would materialize in a calendar year has revealed itself. Comprehensive bills in Montana and Tennessee cleared their respective state legislatures 21 April — the first same-day passage for two state privacy bills — to join Indiana and Iowa among states to reach the finish line this year. Both bills, which now await enactment pending governor's signature, carry likeness to existing state privacy laws with some originality.


privacy, cpra, tennessee, montana, privacy law, patchwork laws, nist privacy framework, innovative technology