In a remarkable turn of events, the anticipated wave of comprehensive state privacy legislation in the United States has become a reality within a single calendar year. Montana and Tennessee recently achieved a significant milestone on April 21st, as their respective state legislatures successfully cleared comprehensive privacy bills, marking the first time two state privacy bills have achieved same-day passage. These states now join Indiana and Iowa as pioneers in completing privacy legislation this year.
While bearing similarities to existing state privacy laws, both bills exhibit distinct elements that set them apart. Montana's Senate Bill 384 aligns exclusively with the provisions outlined in the Connecticut Data Privacy Act, following unexpected amendments made during the cross-chamber process. Meanwhile, Tennessee's bill introduces unique provisions, including enforcement mechanisms that hinge on the adoption of the Privacy Framework established by the U.S. National Institute of Standards and Technology.
These momentous advancements in privacy legislation underscore the growing importance and urgency surrounding data protection at the state level.
Herbert Slatery, the Attorney General of Tennessee, has been dedicated to serving the people of his state since 2014. Unlike many of his counterparts in other states who are elected by voters, Slatery and his predecessors were appointed by the Tennessee Supreme Court to serve an eight-year term. His expertise and reputation extend beyond Tennessee, as he is widely respected by fellow attorneys general throughout the United States. Slatery frequently collaborates on bipartisan, multi-state investigations dealing with critical national issues such as opiate addiction and competition within the technology sector.
As the primary law enforcement officer in Tennessee, he places significant emphasis on consumer protection, including matters related to consumer privacy and cybersecurity. Safeguarding the privacy of Tennessee citizens and businesses remains one of his top priorities.
In a recent interview with IAPP, Slatery provides insights into various privacy-related topics, including the state-level approach to privacy, the potential for standardizing privacy regulations at the federal level, and the proactive measures taken by states to address concerns related to data collection and the (mis)use of personal information during the transitional period.
According to a report from Fox 17 News, the Tennessee Department of Safety and Homeland Security has been involved in selling the personal information of approximately 7.2 million drivers to five different companies. This practice is carried out under the authority provided by the Federal Driver Privacy Protection Act of 1994 and the Tennessee Uniform Motor Vehicle Records Disclosure Act, as stated by Wes Moster, the Director of Communications. These regulations grant the department the ability to sell bulk data pertaining to "all drivers in Tennessee."
The bulk data being sold includes various categories of driver information such as valid, revoked, and suspended driver's licenses.
In a significant development, Tennessee has introduced crucial revisions to its breach notification statute through the signing of S.B. 2005 by Governor Bill Haslam, as reported by The National Law Review. This amendment eliminates the previous provision that mandated notice only in the event of a breach involving unencrypted personal information. As a result, Tennessee becomes the first state in the nation to require notification of any breach, regardless of whether the compromised information was encrypted or not.
The revised law includes additional changes such as the mandatory requirement to notify affected residents of a data breach within 45 days.