Tennessee and Montana Pass Privacy Laws

Tennessee and Montana are the latest states to pass their own privacy laws, joining Iowa and Indiana as states to pass laws in 2023. The Montana Consumer Data Privacy Act (MCDPA) and the Tennessee Information Protection Act (TIPA) are similar to the state privacy laws that are already in place throughout the country.

Here’s a summary of the Tennessee and Montana laws in terms of consumer rights, business requirements, and enforcement.

Montana Consumer Data Privacy Act

The Montana law applies to entities that process the personal data of at least 50,000 state residents, or that process the data of 25,000 Montana residents and derive more than 25% of gross revenue from the sale of personal data. Data and entities covered by HIPAA and the GLBA are exempt from the MCDPA.

The MCDPA goes into effect on October 1, 2024.

MCDPA Consumer Rights

The Montana law gives consumers the right to:

• Confirm their data is being processed and access their data
• Correct inaccurate data
• Have data deleted
• Obtain a copy of the data in a portable and readily usable format
• Opt out of the selling of personal information
• Learn the categories of information sold and the third parties who purchased the data

The MCDPA gives organizations 45 days to respond to consumer requests.

MCDPA Business Requirements

Requirements for businesses that are covered by the MCDPA include:

• Provide a privacy notice
• Limit the collection of personal data to what is reasonably necessary for the purposes that the personal data is processed
• Implement reasonable data security practices
• Establish a secure and reliable means for consumers to exercise their privacy rights
• Obtain consent to process sensitive data
• Include privacy requirements in contracts with processors
• Conduct data protection assessments
• Have a non-retaliation policy for consumers who exercise their privacy rights

MCDPA Enforcement

This law contains no private right of action, all enforcement will come from the Attorney General’s office. There is a 60-day right to cure that expires on April 1, 2026. The law does not specify a maximum penalty or fine.

Tennessee Information Protection Act

The Tennessee law applies to entities that process the personal data of at least 100,000 state residents, or that process the data of 25,000 Tennesseans and derive more than 50% of gross revenue from the sale of personal data. Data and entities covered by HIPAA and the GLBA are exempt.

The TIPA goes into effect on July 1, 2024.

TIPA Consumer Rights

The Tennessee law gives consumers the right to:

• Confirm their data is being processed and access their data
• Correct inaccurate data
• Have personal data deleted (exemptions for de-identified data)
• Obtain a copy of the data in a portable and readily usable format
• Opt out of the selling of personal information
• Learn the categories of information sold and the third parties who purchased the data

Under the TIPA, organizations have 45 days to respond to consumer requests.

TIPA Business Requirements

A unique element of the TIPA is it requires covered businesses to “reasonably conform” with the NIST Privacy Framework. Organizations that maintain NIST compliance have an affirmative defense to a cause action for a violation.

 The TIPA also requires covered entities to:

• Provide a privacy notice
• Limit the collection and processing of personal data to what is reasonably necessary
• Establish a secure and reliable means for consumers to exercise their privacy rights
• Obtain consent to process sensitive data
• Include privacy requirements in contracts with processors
• Conduct data protection assessments
• Refrain from retaliating against consumers who exercise their privacy rights

TIPA Enforcement

The Tennessee law also has no private right of action and is enforced by the Attorney General. There is a 60-day right to cure that does not have a sunset date. Penalties can be as high as $15,000 per violation.

CompliancePoint has the experience and knowledge to help your organization establish and maintain compliance with all state privacy laws, including the CCPA, and GDPR. Reach out to us at connect@compliancepoint.com to learn more.