The comprehensive state privacy law trend (and the related trend of enhanced job security for privacy professionals) shows no sign of slowing. Last month the Montana legislature passed the Montana Consumer Data Privacy Act (“MCDPA”) and the Tennessee legislature passed the Tennessee Information Protection Act (“TIPA”). For those keeping count, enactment of those laws would make those states the eighth and ninth with comprehensive privacy laws following California, Virginia, Colorado, Utah, Connecticut, Iowa, and Indiana.

The Montana and Tennessee bills are similar in structure, scope, and substance to the models adopted in states other than California, with some minor variations. But the TIPA includes a unique outlier—a provision that establishes an affirmative defense for controllers and processors that “create, maintain and comply with a written privacy program that reasonably conforms” with a National Institute of Standards and Technology (“NIST”) privacy framework.

In this post, we’ll cut to the chase and start by examining the unique TIPA affirmative defense. The bills also include some other notable variations from other state laws, so continue reading for a summary of those items.

The TIPA’s NIST “Safe Harbor” 

The TIPA would provide an affirmative defense against enforcement actions by the Tennessee attorney general to controllers and processors that (i) “create, maintain, and comply with a written privacy program that reasonably conforms to the [NIST] privacy framework entitled ‘A Tool for Improving Privacy through Enterprise Risk Management Version 1.0’” and (ii) provide consumers the substantive rights required by the TIPA.

The NIST Privacy Framework, first published in 2020, contains a comprehensive list of privacy program measures and considerations. Structurally, the framework identifies five general functions (“Identify,” “Govern,” “Control,” “Communicate,” and “Protect”) as foundational to privacy risk management.  Those functions are then broken into more specific profiles, which are in turn divided into detailed implementation measures. The “Identity” function, for example, contains an “inventory and mapping” profile that includes implementation measures for specifically identifying (i) data elements processed, (ii) processing actions, and (iii) the purposes for those actions, among other measures.

Organizations will have flexibility to tailor their implementation of NIST framework control measures based on the nature of their operations: the framework expressly provides that it is intended to be “flexible” and present a “risk-based approach” such that “organizations may not need to achieve every outcome or activity reflected” in the framework document.

TIPA also expressly provides that the organization’s size and complexity, the nature and scope of its activities, sensitivity of personal information processed, the cost and availability of relevant tools, and compliance with comparable federal and state laws should be considered in assessing whether an organization’s privacy program qualifies for the affirmative defense.  To that end, the TIPA also provides that a controller’s certification “pursuant to the Asia Pacific Economic Cooperation’s Cross Border Privacy Rules system” or a processor’s certification “pursuant to the Asia Pacific Economic Cooperation’s Privacy Recognition for Processors system” should also be considered.

Reasonably conforming to the NIST privacy framework may largely be a documentation exercise for organizations that already maintain mature privacy programs. But for organizations without a such programs, it will likely be a more involved and resource-intensive documentation and implementation effort. That effort could have significant upside though if the Tennessee attorney general actively enforces the statute.

MCDPA and TIPA scope and application

The MCDPA’s application provision is similar to the Virginia, Colorado, Connecticut, Iowa, and Indiana statutes, but with lower thresholds for application. The MCDPA applies to persons that conduct business in Montana or that produce products or services that are targeted to residents of this state and: (1) control or process the personal data of at least 50,000 Montana residents, with an exclusion for personal data controlled or processed solely for the purpose of completing a payment transaction, or (2) control or process the personal data of at least 25,000 Montana residents and derive more than 25% of gross revenue from the sale of personal data.

The TIPA’s application provision is more similar to California and Utah’s because it incorporates a revenue threshold. The TIPA applies to persons that conduct business in Tennessee producing products or services targeting Tennessee residents and that exceed $25 million in revenue, and either (1) during a calendar year, control, or process personal information of at least 175,000 Tennessee residents, or (2) control or process personal information of at least 25,000 Tennessee residents and derive more than fifty percent (50%) of gross revenue from the sale of personal information.

Both bills also include now-familiar broad entity-level exceptions for financial institutions subject to Title V of the Gramm-Leach-Bliley Act, covered entities and business associates governed by HIPAA, nonprofit organizations, and institutions of higher education and contain provisions limiting application to individuals acting in their personal capacity—as opposed to a commercial or employment capacity.

Both bills also exclude deidentified and publicly available information from the definitions of personal data and personal information. But note that, unlike other non-California laws, the TIPA’s definition of personal information includes CCPA-style descriptions of categories. Those categories could affect how personal information categories are described in TIPA privacy notices and other disclosures.

Requirements for consumer rights, notices, and processor contracts are familiar, but with some notable deviations

The MCDPA would provide Montana residents rights to (1) confirm the processing of and access their personal data, (2) correct inaccuracies, (3) deletion of personal data, (4) obtain a copy of their data in portable and readily-usable format, (5) opt out of targeted advertising, (6) opt out of “sales” of their personal data (a term broadly defined to include exchanges for both money and other valuable consideration), and (6) profiling based on automated decision-making that produces legally significant effects. Additionally, by January 1, 2025 controllers must allow Montana residents to opt out of sales or targeted advertising through opt-out preference signals.

The TIPA would provide Tennessee residents a similar set of rights, but omits requirements regarding opt-out preference signals and adds a right to request that a controller that sold personal information disclose (1) the categories of data sold, (2) the categories of third parties to which the data is sold, and (3) the categories of business information disclosed for a business purpose. Both laws allow 45 days to respond to consumer rights requests, with the potential for a further 45-day extension.

The MCDPA’s consumer notice requirements generally track those of the other non-California state laws. Controllers are required to make disclosures about the categories of personal data processed and disclosed to third parties, personal data processing purposes, how consumers can exercise their rights and appeal a controller’s decision, and the categories of third parties who receive personal data. The bill would also mandate that the notice include an active email address or other mechanism to contact the controller.

The TIPA’s privacy notice provisions are unique. One provision for instance, requires controllers to provide a privacy notice “[u]pon receipt of an authenticated consumer request.” The required content for that notice includes the categories of personal information processed and the purposes for processing. The notice must also disclose the rights for sale opt-outs, deletion, and correction and how to exercise consumer rights and appeal controller decisions generally. If applicable, the notice must also identify the categories of personal information it has sold and the categories of third parties to whom it sold personal information.

Other TIPA provisions require a controller to (1) generally disclose whether it sells or processes personal information for targeted advertising and how to opt out if so and (2) generally provide and describe in a privacy notice at least one of the following methods to exercise consumer rights: (A) a toll-free telephone number, (b) an email address, (c) a web form, or (d) a clear and conspicuous link on the controller’s homepage.

Both the MCDPA and TIPA would also require an opt-in for sensitive data processing.

Like other non-California laws, both bills would also require that processor contracts contain GDPR-style processing details, and provide that the processor will ensure each person processing personal data is subject to a duty of confidentiality, flow contractual obligations down to its subcontractors, return and delete all personal data, provide information necessary to demonstrate the processor’s compliance, and allow and cooperate with assessments by the controller.

Both bills would require data protection assessments to support certain data processing activities.

Both bills would generally require controllers to perform and document data protection assessments for activities that pose “a heightened risk of harm to a consumer,” targeted advertising processing, sales, profiling where the profiling presents certain reasonably foreseeable risks, and processing of sensitive data. Each state’s attorney general could require controllers to disclose data protection assessments to the attorney general.

 The state attorney general would have exclusive enforcement authority with no private right of action.

Neither bill provides a private right of action and both solely provide for enforcement by the state attorney general. Both bills also allow a 60-day notice-and-cure period prior to an enforcement action, though Montana’s notice-and-cure provision will expire on April 1, 2026.

Under the TIPA, the attorney general can bring enforcement actions for declaratory and injunctive relief, attorney’s fees and investigative costs, and civil penalties up to USD 7,500 per violation. The MCDPA does not provide specific remedies or penalties.

The MCDPA would take effect October 1, 2024 and the TIPA would take effect July 1, 2025.

Organizations will have at least a year to address these requirements if enacted.