The wave of U.S. comprehensive state privacy legislation that few thought could materialize in a single calendar year has arrived. Comprehensive bills in Montana and Tennessee cleared their respective state legislatures on 21 April, the first time two state privacy bills passed on the same day, joining Indiana and Iowa among the states to reach the finish line this year.
Both bills, which now await enactment pending the governor's signature, resemble existing state privacy laws while adding some original provisions.
Montana Senate Bill 384 aligns closely with the Connecticut Data Privacy Act after surprise amendments during the cross-chamber process. Tennessee's bill carries the more novel provisions, including an affirmative defense to enforcement tied to adoption of the U.S. National Institute of Standards and Technology's Privacy Framework.
If enacted, Montana's bill takes force 1 Oct. 2024 while Tennessee's follows 1 July 2025.
Before this year, the patchwork of U.S. comprehensive state privacy laws had grown slowly despite increasing legislative ambitions dating back to 2021. Privacy professionals had become accustomed to one or two new state laws passing annually. The current frenzy never appeared feasible given the legislative complexity and nuance that varies from state to state.
Each of the four states that passed laws this year is Republican-led and not especially known for technology savvy or attention to data protection issues.
"I think we have to consider the politics and lobbying involved in the legislative process. When tech companies and their employees are some of your largest constituents, regulating those companies becomes more complicated," Loeb & Loeb Partner Jessica Lee, CIPP/E, CIPP/US, CIPM, said. "Keep in mind that the California Consumer Privacy Act is a compromise that started with a ballot initiative and the stronger protections that appear in the (California Privacy Rights Act) are also a result of a ballot initiative."
Montana flips and moves
A noted trend in state privacy legislation is for bills to start with the strongest framework on the expectation that they will be lobbied down in some fashion through the legislative process. State Sen. Daniel Zolnikov, R-Mont., was inclined to do the opposite with the Montana Consumer Data Protection Act.
The lobbying efforts in negotiations spurred Zolnikov to amend the Senate-approved bill in a way that balanced consumer and industry considerations. Changes included recognition of universal opt-out mechanisms, a 1 April 2026 sunset on the 60-day right to cure, and a lowered coverage threshold from 100,000 data subjects to 50,000. The bill also carries requirements for standard consumer privacy rights, data protection assessments and enhanced privacy requirements for children ages 13-15.
"Industry said they kind of liked the Connecticut bill but there were problems and it's really hard to implement. I kind of went at it thinking if (lobbyists) work with me then I'll work with them," Zolnikov told The Privacy Advisor. "I started to realize they were telling people different things in different states. ... That's not acceptable for me."
The amended version of SB 384 that was granted final passage passed unanimously in its House floor vote and in two Senate concurrence votes.
Regarding the inclusion of universal opt-out mechanisms, Zolnikov said, "People don't want to be tracked here. This isn't like other states where the top concern is the business community. The number one concern here is 'get out of my life.' ... Here you just have to click a button and nobody will follow you."
Loeb & Loeb's Lee wasn't surprised to see the inclusion of universal opt-out language. She said the desire and advocacy for such mechanisms "isn't new" and that the obstacle to wider adoption is "alignment on how it all should work."
"Most of these laws aren’t starting from scratch," Lee said. "They are pulling concepts they like from California, from the (EU General Data Protection Regulation), and the other states that passed laws last year. If you are looking at the 'menu' of options to include in a privacy law, I can see many states finding UOOMs an attractive addition."
Tennessee's patchwork wrinkle
The Tennessee General Assembly ran companion privacy bills in its two chambers, allowing for the streamlined passage also seen in Iowa a few months earlier. After consideration was paused across several Senate floor sessions, the House version was substituted at final Senate consideration to avoid concurrence votes.
The Tennessee Information Protection Act has familiar provisions, including required data protection assessments and a 45-day data subject request response window. It also offers a non-sunsetting 60-day right to cure violations, with enforcement reserved exclusively to the attorney general.
"Most businesses will be able to leverage the data privacy and security programs built for other state law requirements," Baker Donelson Partner Andy Droke, CIPP/US, said. "However, for those Tennessee businesses that have not previously had to comply with other state privacy laws, this will be a significant undertaking, and they should start developing a strategy now."
There is plenty of nuance, though. Tennessee's thresholds for covered entities are narrower than anywhere else, applying only to companies with more than USD25 million in annual revenue that either control or process personal information of at least 175,000 consumers, or control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal information.
Also new to Tennessee businesses and out-of-state covered entities is the NIST Privacy Framework affirmative defense, a first of its kind among state laws. Ohio tried a similar approach in recent years, but the bill did not get through its legislature.
Tennessee's statute provides an affirmative defense against enforcement to controllers and processors that "create, maintain, and comply with a written privacy program" that reasonably conforms to NIST's framework, including any future revisions to it. While the bill names NIST explicitly, it also recognizes "other documented policies, standards, and procedures designed to safeguard consumer privacy" as a basis for the affirmative defense.
"Given that the NIST framework is intended to provide a flexible way for organizations to identify and manage risks within diverse environments, it is unclear what ‘reasonable conformity’ to the framework would entail or how invoking this affirmative defense would work in litigation," Future of Privacy Forum Director of U.S. Legislation Keir Lamont, CIPP/US, said. "Under a best case scenario, the availability of this affirmative defense may encourage businesses to be more proactive in thinking about data protection risks and developing their privacy programs."
BigID Chief Privacy Officer Heather Federman, CIPP/US, said the affirmative defense provision shouldn't be viewed as a safe harbor, noting many organizations are already conforming to the NIST framework.
"This is an interesting step forward, in that a state legislature is now looking to a federal agency that would provide the industry standards for organizations — rather than try to prescribe those standards themselves," Federman said. "It also recognizes that industry standards may change over time, and NIST is better equipped to do those updates than a legislative body would be."
Federman added that how the attorney general would review and enforce the privacy program provision is unclear unless there is a "truly egregious" violation. However, Droke indicated Tennessee Attorney General Jonathan Skrmetti, R-Tenn., "was previously involved in the State's data privacy and security enforcement activities," which suggests privacy enforcement could be a priority for his office.