This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
Insights Insights
| 1 minute read

More Comprehensive State Privacy Laws Coming -- Will Include External Standards

Each of Montana and Tennessee legislatures passed a privacy bill and delivered it to their respective governors for signature in late April. Enactment of the bills would accelerate the growing state effort to regulate the privacy of consumer data.  

Why It Matters

Two important things come out of these bills:

  • Montana would require compliance with a universal opt-out mechanism, such as a browser setting; such tools are designed to signal websites not to sell use data or use it for targeted advertising. 
    • Although there are such settings available (including GPC, or Global Privacy Control), they are not yet widely implemented.  
    • California issued a privacy ruling last year that appeared to require recognition of GPC, and Colorado and Connecticut will have privacy laws taking effect this year that require recognition of GPC.  
  • More interestingly, Tennessee's bill explicitly adopts the NIST privacy framework as the governing standard for privacy compliance in Tennessee. This is a set of comprehensive privacy recommendations released in 2020 by the National Institute of Standards and Technology.

The significance of these two bills in this regard cannot be understated: it is clear that state legislatures are increasingly willing to prescribe explicit external standards of compliance rather than leave the rules somewhat open to interpretation. These may require implementing a written privacy program, conducting impact assessments, updating privacy policies, and enacting internal tools and processes on the back end that enable technological and operational compliance with consumer requests.  

Before this year, the network of U.S. comprehensive state privacy law had been slow to grow despite increasing legislative ambitions dating back to 2021. Privacy professionals had become accustomed to a new state law or two passing annually. The current frenzy never appeared feasible given state-to-state legislative complexity and nuance.


data security and privacy, hill_mitzi, insights