On May 19, 2023, Montana officially became the ninth state to approve a state-level consumer data privacy law, joining the trend of states opting not to wait for a federal privacy law to mandate the protection of their residents’ data.
The Montana Consumer Data Privacy Act (MTCDPA) became law when Gov. Greg Gianforte signed Senate Bill 384. The Montana regulation does not stray much from state data privacy laws that came before it, and fortunately, legislators provided ample time for businesses to become acclimated to the new law—it doesn’t go into effect until Oct. 1, 2024.
While this means it shouldn't be too challenging for businesses to learn the ins and outs of the MTCDPA, it still has its own nuances. Let’s dive into the MTCDPA, which closely resembles many other state laws, in particular, the data privacy act of its immediate predecessor, Indiana.
Montana's legal framework applies to both consumers and businesses engaged in activities within the state involving the handling of personal data. Like most state data privacy laws already on the books, the MTCDPA defines “controllers” as entities that determine the purpose and means of collecting or processing personal data. A “processor” is any entity that processes data on behalf of a controller.
Here's the breakdown of who the law applies to:
Unlike California's law, Montana's privacy law doesn't depend solely on a revenue limit. The MTCDPA is more similar to laws in states such as Indiana where controllers have to follow the rules, even if their annual gross revenues are below a certain limit, as long as they process the data of a specific number of consumers. However, in Montana, the threshold for the number of residents that triggers the law is lower.
Many other state laws apply to businesses handling the personal data of 100,000 or more residents, while Montana's law sets the bar lower at 50,000, primarily due to Montana’s relatively low population. Delaware’s law also has a low threshold, at 35,000.
MTCDPA primarily focuses on safeguarding personal data—information that can be directly linked or reasonably associated with an identifiable individual. Like in other state privacy laws, there are exemptions, including data protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Family Educational Rights and Privacy Act (FERPA), and other federal statutes.
In this context, a "protected consumer" is an individual residing in Montana, but this definition excludes individuals acting in a commercial or employment capacity, as well as employees, owners, directors, officers, or contractors of various business structures, including partnerships, sole proprietorships, nonprofits, or government agencies.
The following entities and agencies are exempt from the MTCDPA:
User consent to collect and process most information is not required under the MTCDPA, similar to data privacy laws in Indiana, Virginia, Colorado, and Connecticut.
Like the other state privacy laws, Montana subscribes to the "opt-out" model (except in the case of children). Also similar to other state laws, there are exceptions, including the requirement that consent be obtained before collecting or processing sensitive personal information.
The MTCDPA aligns with the federal Children’s Online Privacy Protection Act (COPPA) in mandating that prior to processing any personal data of a user known to be under 13 years of age, consent from the child's parent or guardian must be secured. This applies to all personal data of children, as Montana's data privacy regulations automatically categorize data of children under 13 as sensitive.
Montana's law provides additional safeguards for children between the ages of 13 and 16. In those cases, their consent must be obtained before processing their personal data for purposes such as sale or targeted advertising.
Targeted advertising involves showing ads to a person based on data collected from their online activities over time across different, unconnected websites and apps, with the aim of predicting that person's interests and serving related ads.
The Montana Consumer Data Privacy Act grants consumers several key rights when it comes to their personal information. These rights have been the standard among data privacy laws enacted in other states.
Businesses must give consumers a way to opt out of data collection and processing. Controllers and processors must also implement reasonable security and protections to safeguard data collected.
Here's a breakdown of these rights:
Right to Opt Out: Consumers can opt out of the sale of their personal data, targeted advertising, or profiling that leads to automated decisions with significant legal consequences.
Right to Access: Consumers have the right to know if a controller is processing their personal information and to access that data, with a few exceptions.
Right to Correction: Consumers can request corrections to any inaccurate or outdated information that a controller has about them, especially if it was provided by the consumer.
Right to Delete: Consumers have the right to ask a controller to delete any personal data they have about them, with some exceptions.
Right to Portability: Consumers can obtain a copy of their personal data that they previously provided to the controller in a user-friendly format, again with certain exceptions.
Right Not to Be Discriminated Against: Controllers are prohibited from discriminating against consumers for exercising their rights. Discrimination includes any unfair treatment related to these rights.
Note: Parents or guardians can also exercise these rights on behalf of children.
One right not included? The ability for consumers to sue a business in case of a violation, also known as a private right of action—California is the only state that provides this as a right in its data privacy law.
In Montana, the Attorney General holds exclusive authority for enforcing the MTCDPA. While consumers can't file private lawsuits, they can report potential violations or complaints to the Attorney General's office. When there's an alleged violation, the Attorney General must send a written notice listing the violations to the parties involved.
Controllers are required to respond to a consumer rights request within 45 days after receipt of the request. The request is subject to a 45-day extension when “reasonably necessary.”
Montana’s privacy law provides a 60-day cure period, during which organizations can fix the issues and take measures to prevent recurrence. Cure periods in other state-level data privacy laws range from 30 to 90 days. In the case of the MTCDPA, the right to cure ends on April 1, 2026. Organizations found in violation must also inform the Attorney General when they have taken these corrective actions and confirm that no further violations will occur.
If the controller or any of their data processors remain in violation after the cure period or after submitting their statement, the Attorney General can initiate investigative actions.
Unlike many other state-level data privacy laws, the MTCDPA doesn't specify a particular dollar amount for fines or other statutory damages for breaking the law. It simply states that the Attorney General can take legal action.
The MTCDPA requires controllers to conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm to a consumer. This includes processing personal data for targeted advertising, the sale of personal data, or any processing that presents certain risks, such as unfair or deceptive treatment; financial, physical or reputational injury; or an intrusion on the solitude or seclusion of a person that would be considered “offensive” to a reasonable person.
The Montana data privacy law aligns with other state privacy laws, so businesses don't need to deviate from their existing preparations for state data laws if they’re already in compliance.
Montana’s privacy law can be described as business-friendly, much like laws in Virginia and Indiana. Montana legislators have provided controllers with more than one year to achieve compliance by developing formal policies and procedures for data collection and processing in Montana.
That gives businesses ample time to become familiar with the law, conduct risk assessments, and establish a framework for promptly responding to consumers' requests. Companies can also use that time to educate and train their staff on the tenets of the legislation.
With the growing number of privacy laws taking effect, businesses may want to consider a Data Privacy Platform, like Osano, which can help manage opt-out requests, manage data subject rights requests, differentiate between the nuances of each state, and more.
The Montana Consumer Data Privacy Act goes into effect on October 1, 2024.
Montana’s privacy law primarily focuses on safeguarding personal data, and it exempts data protected under federal statutes such as HIPAA, FERPA, and others. It defines a "protected consumer" as a Montana resident, excluding individuals in commercial or employment roles, as well as employees and officers of various business structures.
Controllers must take reasonable measures to ensure deidentified data can’t be associated with an individual, publicly commit to maintaining and using this data without attempting to re-identify the data, and contractually obligate recipients to comply with the regulations.
The Montana privacy law mandates that by January 1, 2025, consumers must be able to “opt out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of such personal data through an opt-out preference signal sent with the consumer’s consent,” also known as universal opt-out or Global Privacy Control (GPC).
The MTCDPA allows a 60-day cure period for organizations to rectify issues and take preventive measures. The right to cure sunsets April 1, 2026. Organizations found in violation must inform the Attorney General when they have taken corrective actions and confirm that no further violations will occur.
Unlike many other state-level data privacy laws, the MTCDPA doesn't specify a particular dollar amount for fines or statutory damages but allows the Attorney General to take legal action.
The MTCDPA aligns with the federal Children’s Online Privacy Protection Act (COPPA) in mandating that consent from a child's parent or guardian must be secured prior to processing any personal data of a user known to be under 13 years of age.
If a user is at least 13 years old, but younger than 16, their consent must be obtained before their personal data can be processed for targeted advertising or for the purpose of selling their data.
The Montana Attorney General holds exclusive authority for enforcing the MTCDPA. While consumers can't file private lawsuits, they can report potential violations or complaints to the Attorney General's office.