
PH Privacy

Montana and Tennessee Pass Comprehensive Privacy Laws

May 10, 2023

By Brianne B. Powers & Jeremy Berkowitz

The Montana Consumer Data Privacy Act, which would take effect October 1, 2024, and the Tennessee Information Protection Act, which would take effect July 1, 2025, continue the wave of privacy laws passed by state legislatures over the past several weeks.

Application

The Montana law applies to businesses that operate in Montana or businesses that produce products or services that are targeted to residents of Montana and (1) control or process the personal data of not less than 50,000 consumers (excluding personal data controlled or processed for the purpose of completing a payment transaction); or (2) control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data. Like other state privacy laws, the Montana law does not apply to personal data covered by the Gramm-Leach-Bliley Act (“GLBA”), entities covered under the Health Insurance Portability and Accountability Act (“HIPAA”), administrative bodies, nonprofit organizations, institutes of higher education, financial institutions, and other similar exclusions.

The Tennessee law applies to businesses that operate in Tennessee or produce products or services that are targeted to residents of Tennessee and that (1) during a calendar year, control or process personal information of at least 100,000 consumers; or (2) control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information. The Tennessee law has similar exclusions for both types of businesses and types of data collected and processed.

Comparison to Other State Privacy Laws

Unlike the other state privacy laws passed recently, the Montana law aligns closely with the Connecticut Data Privacy Act, including in the requirement for recognition of universal opt-out mechanisms and a lowered scope threshold from 100,000 consumers (as is seen in most state privacy laws) to 50,000 consumers.

The Tennessee law most closely aligns with the Virginia Consumer Data Protection Act but, unlike any other state privacy law to date, requires adherence to the U.S. National Institute of Standards and Technology’s (“NIST”) Privacy Framework. More specifically, the Tennessee law requires a business to “create, maintain, and comply with a written privacy program that reasonably conforms to the [NIST] privacy framework entitled ‘A Tool for Improving Privacy through Enterprise Risk Management Version 1.0’.” Businesses have 1 year to comply with any subsequent revisions to such framework. Businesses that have created, maintained, and complied with such a written privacy program have an affirmative defense to a cause of action for a violation of the Tennessee law.

Like other state privacy laws, the Montana and Tennessee laws require businesses to conduct and document data protection assessments for each of the business’s processing activities that present risks to consumers. This includes the processing of personal data for the purposes of targeted advertising, the sale of personal data, and processing of sensitive personal data, among other activities. Both laws define sensitive personal data similarly as (1) data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person’s sex life, sexual orientation, or citizenship or immigration status; (2) the processing of genetic or biometric data for the purposes of uniquely identifying an individual; (3) personal data collected from a known child; and (4) precise geolocation data.

Finally, both laws put the state Attorneys General in charge of enforcement and allow 60-day cure periods to correct any deficiencies. However, the 60-day cure period in Montana has an April 1, 2026 sunset.

Notice Requirements

Under both the Montana and Tennessee privacy laws, businesses shall provide consumers with reasonably accessible, clear, and meaningful privacy notices that include (1) the categories of personal data processed by the business; (2) the purposes for processing personal data; (3) the categories of personal data that the business shares with third parties, if any; (4) the categories of third parties, if any, with which the business shares personal data; (5) an active email address or other mechanism that the consumer may use to contact the business; and (6) how consumers may exercise their consumer rights, including how a consumer may appeal a business’s decision regarding the consumer’s request. If a business sells personal data to third parties or processes personal data for targeted advertising, this must be disclosed in the privacy notice.

Consumer Rights

The Montana and Tennessee privacy laws both provide the rights of access, deletion, correction, and portability to consumers. Consumers also have the right to opt out of the sale of personal data as well as the processing of personal data for the purposes of targeted advertising and profiling in furtherance of decisions that produce legal or similarly significant effects.

The Montana privacy law requires consumers between the ages of 13 and 16 to opt in to the sale of personal data and targeted advertising. Under both laws, the “sale” of personal data is defined as the exchange of personal information for monetary or other valuable consideration by the business to a third party.

Preparing for Effective Date

As with the other state privacy laws passed this year (see here for details on the Iowa Privacy Law and the Indiana Privacy Law), businesses operating in Montana and Tennessee have some time to ensure compliance requirements are implemented and will likely already have many of the requirements in place. Businesses that must meet all of the individual state privacy laws should continue to refine their processes for updating privacy policies, handling data subject requests, and updating data processing agreements.

Our Data Privacy and Cybersecurity practice regularly advises companies on how to meet the requirements of new laws like this one. If you have any questions concerning this law or any other data privacy or cybersecurity laws, please do not hesitate to contact any member of our team.

Contributors

Brianne B. Powers

Senior Privacy Director and Chief Privacy Officer


Jeremy Berkowitz

Senior Privacy Director and Deputy Chief Privacy Officer


Practice Areas

Data Privacy and Cybersecurity

