Legislators in 2 States Support Revising Comprehensive Privacy Laws
The Montana Senate could soon vote on a bill broadening how many businesses are covered by the state's comprehensive privacy law. Meanwhile, in Kentucky, a House panel advanced a bill tweaking healthcare exemptions in that state's data privacy law.
At a hearing livestreamed Wednesday, the Senate Judiciary Committee voted unanimously by voice to advance SB-297 by Sen. Daniel Zolnikov (R), who was the author of the Montana Consumer Data Privacy Act. The bill will go to the Senate floor next, Zolnikov confirmed.
The committee approved by voice vote an amendment lowering the law’s applicability thresholds so that it applies to for-profit entities that control or process personal data of at least 25,000 Montana consumers, or that control or process data of at least 15,000 consumers and derive more than 25% of their revenue from selling personal data. Current law uses the figures 50,000 and 25,000, respectively. Zolnikov told us last week that he planned to file the amendment (see 2502130054).
Accounting for Montana's small population, the proposed new thresholds provide a better balance of capturing larger companies without acting as a barrier to new entrants, said Zolnikov. "Big guys have to comply. New guys don't comply until they become big enough."
Zolnikov highlighted another change that aims to close a loophole for financial institutions. The previous entity-based exemption “was so loose that a lot of entities were claiming that exemption to not comply with the law,” he said. SB-297 would also add child protections and cut in half the comprehensive privacy law’s 60-day right to cure, among other changes. Montana's comprehensive law took effect last October.
No witnesses appeared at the hearing in support of or in opposition to SB-297.
On the same day, at a livestreamed hearing of the Kentucky House Small Business Committee, there was similarly no opposition to proposed changes to that state's comprehensive privacy law. HB-473 cleans up the Kentucky Consumer Data Protection Act, said sponsor Rep. Joshua Branscum (R).
The Kentucky legislature passed the comprehensive law last year; it takes effect Jan. 1, 2026. The bill incorporates changes suggested by the health technology industry and small telephone companies, said Branscum. Its proposed edits to healthcare language would align Kentucky with other states, he added.
HB-473 would flesh out an exemption for data subject to the Health Insurance Portability and Accountability Act (HIPAA). The exemption would now cover information “collected by a health care provider who is a covered entity that maintains protected health information in accordance with HIPAA and related regulations” and information “included in a limited data set as described in” Section 164.514(e) of the federal code “to the extent the information is used, disclosed, and maintained as specified in” that section.