Montana and Tennessee Could Become Eighth and Ninth States to Enact Comprehensive Consumer Privacy Bills

On April 21, 2023, the Montana and Tennessee legislatures voted to enact comprehensive consumer privacy bills in their respective states. If signed by their governors, Montana’s Consumer Data Privacy Act (S.B. 384) (“MCDPA”) and Tennessee’s Information Protection Act (H.B. 1181) (“TIPA”) could make these states the eighth and ninth U.S. states to enact comprehensive privacy legislation.


Applicability

The MCDPA applies to persons that conduct business in Montana or persons that produce products or services that are targeted to Montana residents and (1) control or process the personal data of 50,000 or more consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) control or process the personal data of 25,000 or more consumers and derive more than twenty-five percent (25%) of gross revenue from the sale of personal data. “Consumer” means an individual who is a Montana resident and does not include an individual acting in a commercial or employment context.

The TIPA applies to persons that conduct business in Tennessee producing products or services targeting Tennessee residents and that exceed $25 million in revenue, and either (1) during a calendar year, control or process personal information of at least 175,000 consumers, or (2) control or process personal information of at least 25,000 consumers and derive more than fifty percent (50%) of gross revenue from the sale of personal information. “Consumer” means a natural person who is a Tennessee resident “acting only in a personal context” and does not include a natural person acting in a commercial or employment context.


Controller Obligations

Among other obligations, controllers subject to the MCDPA are required to (1) provide a privacy notice with certain specified content, (2) establish a secure and reliable means for consumers to exercise their privacy rights under the law, (3) obtain a consumer’s consent to process sensitive data, (4) enter into contracts with their processors and (5) conduct and document data protection assessments.

Under the TIPA, controllers are required to (1) provide a privacy notice with certain specified content, (2) establish a secure and reliable means for consumers to exercise their privacy rights under the law, (3) obtain a consumer’s consent to process sensitive data, (4) enter into contracts with their processors and (5) conduct and document data protection assessments. Notably, the TIPA is the first of the state consumer privacy laws to provide an affirmative defense to a cause of action for a TIPA violation where a controller creates, maintains and complies with a written privacy policy that reasonably conforms to the National Institute of Standards and Technology (“NIST”) privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.”


Consumer Rights

The MCDPA provides consumers the right to (1) confirm whether a controller is processing the consumer’s personal data and access the consumer’s personal data; (2) correct inaccuracies in the consumer’s personal data; (3) delete personal data about the consumer; (4) obtain a copy of the consumer’s personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit the personal data to another controller without hindrance when the processing is carried out by automated means; and (5) opt out of the processing of the consumer’s personal data for purposes of (a) targeted advertising, (b) the sale of the consumer’s personal data and (c) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. Beginning January 1, 2025, controllers must allow a consumer to opt out of targeted advertising and the sale of their personal data through an opt-out preference signal.

The TIPA provides consumers the right to (1) confirm whether a controller is processing the consumer’s personal information and access the personal information; (2) correct inaccuracies in the consumer’s personal information; (3) delete personal information provided by or obtained about the consumer; (4) obtain a copy of the consumer’s personal information that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and (5) opt out of a controller’s processing of personal information for purposes of (a) selling personal information about the consumer, (b) targeted advertising and (c) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.


Enforcement

Neither the MCDPA nor the TIPA contains a private right of action. The MCDPA and TIPA provide exclusive enforcement authority to the Montana Attorney General and Tennessee Attorney General & Reporter, respectively. Both bills provide a right to cure violations within 60 days of receiving notice of a violation, but the MCDPA’s cure period sunsets on April 1, 2026.

The MCDPA and TIPA will become law if the Montana and Tennessee Governors sign or allow the bills to become law without their signatures. If enacted, the MCDPA would take effect October 1, 2024, and the TIPA would take effect July 1, 2025.
