After a slowdown in 2022 — US states are back at the drawing board of consumer privacy laws with four passing in the last month alone. Here, we breakdown what you need to know about the Montana and Tennessee bills.
In brief
The early months of 2023 have brought a bumper crop of new state privacy legislation, with Tennessee and Montana legislatures poised to become the eighth and ninth states to enact comprehensive privacy laws. The Tennessee Information Protection Act and Montana Consumer Data Privacy Act, which both passed with unanimous votes out of their respective legislatures on April 21, 2023, follow the recent passage of privacy laws in Iowa and Indiana. The bills now land on their governors’ desks for signature. While the bills hew to broad trends in state privacy laws, each contains novel provisions.
Some of their key distinguishing features include:
- The new Montana law has lower than typical data-volume thresholds of applicability and will require businesses to acknowledge opt out preference signals after a sunrise period. Though the bill doesn’t provide for private enforcement, it doesn’t specify caps for monetary penalties.
- The Tennessee law will require in-scope businesses to implement a data security program that “reasonably conforms to” the NIST Privacy Framework, and adhering to this framework can also give a business an affirmative defense to protect against claims under the new law.
If enacted, the Montana and Tennessee bills will enter into force on October 1, 2024 and July 1, 2025, respectively.
Click here to access full alert.
