The wave of comprehensive state privacy legislation in the US continues to grow, with Montana and Tennessee passing their respective bills on 21 April, joining Indiana and Iowa which also passed similar acts earlier this year. Montana’s new privacy act will enter into force on 1 October 2024, while Tennessee’s will follow on 1 July 2025.

Following is a summary of the key points addressed by the acts:

Montana Consumer Data Privacy Act

The Montana Consumer Data Privacy Act aligns with other US state privacy acts (most closely with the last year’s Connecticut Data Privacy Act) and provides standard rights to data subjects such as the right to know, access, correction, deletion, data portability, and the right to opt-out of sale. The deadline for responding to consumers’ requests to exercise their rights is 45 days, with an option for a 45-day extension.

The act also imposes common controller obligations such as data minimization and purpose limitation, establishing security measures, obtaining opt-in consent for processing sensitive personal information, and providing a clear and meaningful privacy notice to consumers.

Due to Montana’s relatively small population (roughly 1.1M), the new act sets a lower threshold for applicability compared to the other recently enacted US state privacy laws, and will apply to any person who does business in the State of Montana or that produce products or services that are targeted to Montana residents and:

• controls or processed the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
• control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

Another unique nuance of the Montana act, which can currently be found only in the privacy law of California and Connecticut, is the requirement for opt-in consent for targeted advertising or sale of personal information of children in the ages of 13-15, which substantially enhances the protection of children’s data.

In addition, the new act requires data controllers to recognize universal opt-out mechanisms which allow consumers to express their privacy preferences across multiple websites, apps, or online services at once. Universal opt-out mechanisms are also recognized in California and Colorado.

The new act will be enforced by the Montana Attorney General, with a 60-day cure period which will sunset on 1 April 2026.

Tennessee Information Protection Act

The Tennessee Information Protection Act will apply to businesses that exceed $25,000,000 in revenue, do business in Tennessee, or target products or services to Tennessee consumers and meet one of the following criteria:

• Control or process personal information of at least 175,000 consumers; or
• Control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.

One unique feature of Tennessee’s new act is that businesses can voluntarily create and maintain a written privacy program in line with the National Institute of Standards and Technology’s (NIST) Privacy Framework, which can be used as an affirmative defense against a cause of action for violations of the law.

The act provides similar data subject rights and controllers obligations as can be found in the other privacy acts enacted in US states. Here too, businesses must respond to consumer requests within 45 days, with the possibility of a 45-day extension.

Data protection assessments are specifically required for certain processing activities, including targeted advertising, sale of personal information, processing of sensitive data, and activities that present a heightened risk of harm to consumers.

Tennessee’s act will be enforced by the Tennessee Attorney General, with a 60-day cure period for controllers found to be in violation of the law. Civil penalties of up to $7,500 per violation may be imposed on controllers who fail to remediate violations within 60 days. There is no private right of action.

Tennessee and Montana are the 8th and 9th US states to enact comprehensive privacy laws. For your convenience, following is a list of all state privacy laws which have passed so far, the effective dates of each respective act, as well as links for our previous updates regarding each:

• California’s Consumer Privacy Act (CCPA) is already in force, after being further amended by the California Privacy Rights Act which was entered into force on 1 January 2023. In our CPRA vs. CCPA playbookwe provided some comparative practical guidance on the changes.
• The Virginia Consumer Data Protection Act is also in force since 1 January 2023.
• Colorado’s Privacy Act will enter into force on 1 July 2023.
• Connecticut’s Act Concerning Personal Data Privacy’s effective date is also 1 July 2023.
• Utah’s Consumer Privacy Act will enter into force on 31 December 2023.
• As mentioned, Montana’s new act will apply from 1 October 2024.
• Act Relating to Consumer Data Protection in Iowa will take effect on 1 January 2025.
• Tennessee’s Information Protection Act’s starting date in, as mentioned, 1 July 2025.
• And Indiana’s Consumer Data Protection Actwill start to apply on 1 January 2026.

Companies providing services to consumers in the United States should evaluate their exposure to this additional data protection regulatory regimes in Tennessee and Montana. Feel free to contact us if you have any questions regarding the new acts ‎and their practical implications.