The Montana and Tennessee legislatures each passed a privacy bill and delivered it to their respective governors for signature in late April. Enactment of the bills would accelerate the growing state effort to regulate the privacy of consumer data.
Why It Matters
Two important things come out of these bills:
- Montana would require compliance with a universal opt-out mechanism, such as a browser setting; such tools are designed to signal websites not to sell user data or use it for targeted advertising.
  - Although there are such settings available (including GPC, or Global Privacy Control), they are not yet widely implemented.
  - California issued a privacy ruling last year that appeared to require recognition of GPC, and Colorado and Connecticut will have privacy laws taking effect this year that require recognition of GPC.
- More interestingly, Tennessee's bill explicitly adopts the NIST privacy framework as the governing standard for privacy compliance in Tennessee. This is a set of comprehensive privacy recommendations released in 2020 by the National Institute of Standards and Technology.
The significance of these two bills in this regard cannot be overstated: it is clear that state legislatures are increasingly willing to prescribe explicit external standards of compliance rather than leave the rules somewhat open to interpretation. These standards may require implementing a written privacy program, conducting impact assessments, updating privacy policies, and putting in place internal tools and processes on the back end that enable technological and operational compliance with consumer requests.