Montana and Tennessee state legislators have now passed their own versions of comprehensive privacy laws.
While the Montana Consumer Data Protection Act (MCDPA) tracks closely to Connecticut law, it does have some interesting features. Some of the key features includes:
- Recognition of universal opt-out mechanisms (like the GPC signal)
- 60 day right to cure violations (which ends on April 1, 2026)
- The scope threshold is one of the lowest in the country, at only 50K Montana consumers (similar to California under the CCPA, but that was updated to 100K and further limited under the CPRA)
- Requirements for standard consumer rights
- Data protection assessments
- Enhanced privacy for children less than 16 years old
If passed, the MCDPA would go into effect on October 1, 2024.
The Tennessee Information Privacy Act (TIPA), on the other hand, has some rather unique provisions. Like other states, if passed the TIPA would apply to companies that control the personal information of 100K Tennessee consumers or derive 50% or more of their revenue from the sale of data of more than 25K Tennessee consumers. The law also applies to organizations that process personal information. The TIPA further includes a requirement to conduct data protection impact assessments (DPIA) and contains a 60 day right to cure violations.
A unique provision of TIPA is that organizations must have a written privacy program that "reasonably conforms" with the NIST Privacy Framework, and they have 1 year to update their privacy program to account for any revisions to the NIST Privacy Framework. This appears to be the first time that any state legislature has pointed to a national standard for guidelines and controls instead of the fuzzy "reasonable" security measures or practices. Following the NIST Privacy Framework provides an affirmative defense for any alleged violations.
If passed, the TIPA would go into effect July 1, 2024. Businesses that may be subject to the TIPA should consider developing internal policies and procedures based on the NIST Privacy Framework to prepare.
/Passle/63109459f636e905f41c4854/SearchServiceImages/2024-04-16-11-46-04-305-661e64fc344c3be38356fa4c.jpg)
/Passle/63109459f636e905f41c4854/SearchServiceImages/2024-04-16-01-54-51-994-661dda6b631126c32d23b18c.jpg)
/Passle/63109459f636e905f41c4854/SearchServiceImages/2024-04-11-23-00-11-483-66186b7b107637cec4ac91d6.jpg)
/Passle/63109459f636e905f41c4854/MediaLibrary/Images/2024-04-05-22-29-11-715-66107b37d735467f41f26be5.png)