Montana’s Consumer Data Privacy Act is now in effect

Application

The MCDPA applies to any persons who conduct business in Montana or produce products or services targeting residents in Montana and who

• Control or process the personal data of more than 50,000 consumers, except for personal data controlled or processed for payment transaction purposes; or  
• Control or process the personal data of more than 25,000 consumers and derive more than 25 percent of their gross revenue through the sale of personal data.

Exemptions

The following entities are exempt from the MCDPA:

• Any Montana body, authority, board, bureau, commission, district, agency or, political subdivision.
• Non-profit organizations.
• Institutions of higher education.
• National securities associations registered under the federal Securities Exchange Act of 1934.
• Financial institutions and their affiliates governed by Title V of the Gramm-Leach-Bliley Act.
• Covered entities and business associates subject to the federal Health Insurance Portability and Accountability Act of 1996.
• Controllers or processors that comply with parental consent requirements of the Children’s Online Privacy Protection Act of 1998.

The following data are exempt from the MCDPA, among others:

• Protected health information.
• Patient-identifying information protected under the regulations governing the confidentiality of substance use disorder patient records.
• Information that is maintained by a covered entity or business associate that is treated in the same manner under HIPAA or the substance abuse confidentiality regulations.
• Information that is derived from health-care-related information that is de-identified and included in a limited data set.
• Business-to-business information based on the definition of “consumer.”
• Information collected, processed, sold, or disclosed in compliance with the Driver’s Privacy Protection Act.
• Information collected, processed sold or disclosed in compliance with Farm Credit Act of 1993.
• Information collected, processed sold or disclosed in relation to price, route, or service in compliance with the Airline Deregulation Act of 1978.
• Personal information collected, maintained, sold, disclosed, communicated, or used by a (1) consumer reporting agency or (2) user or furnisher of a consumer report or data regulated by and authorized under the Fair Credit Reporting Act.
• Information regulated by the Family Education Rights and Privacy Act.
• Data collected, processed, sold, or disclosed in accordance with Gramm-Leach-Bliley.
• Employment-related information, including the following:
  • Information maintained by an individual applying for employment with, employed by, or acting as an agent or independent contractor of, a controller, processor, or third party if the data is collected and used within the scope of the individual’s role.
  • Emergency contact information.
  • Information that is necessary to retain in order to administer benefits for another individual.

The MCDPA also exempts de-identified data, but there are several conditions that must be met for the data to be exempt. For example, controllers that possess de-identified data must publicly commit to maintaining and using de-identified data without attempting to reidentify the de-identified data.

Consumer rights

 Under the MCDPA, Montana consumers have the following rights:

• To confirm that a controller is processing their personal data unless the confirmation or access would violate a trade secret.
• To correct inaccuracies in their personal data, under certain circumstances that consider the nature and purpose of processing that data.
• To delete personal data.
• To request a copy of their personal data under certain circumstances.
• To opt out of the sale of their personal data, targeted advertising, or profiling for automated decision-making purposes with legal or significant impact.
• To designate an authorized agent to submit opt-out requests.
• To appeal a controller’s refusal to act on a request within a reasonable amount of time.

Controller “musts” and prohibitions

The law requires controllers to do the following:

• Limit the collection of personal data, and process data only for purposes that are reasonably necessary for, or compatible with, the purposes disclosed to consumers at the point of collection unless the controller gets the consumer’s consent.
• Maintain administrative, technical, and physical data security practices.
• Conduct data protection assessments for targeted advertising, sale of personal data, and processing of personal data for purposes of profiling that presents a heightened risk of harm to the consumer in certain circumstances.
• Clearly disclose the sale of personal data or any processing of personal data for targeted advertising purposes.
• Obtain the consumer’s consent before processing sensitive data about a consumer.
• Provide a consumer “opt-out” mechanism that is as easy to use as the consumer “consent” mechanism.
• By January 1, 2025, allow a consumer to opt out of processing for targeted advertising or sales of personal data through a universal opt-out mechanism. 
• Post privacy notices with certain content requirements.
• Respond to consumer data requests within 45 days, with an extension of up to 45 days.
• Inform the consumer within the same 45-day timeframe if the controller declines to act.
• Respond to authenticated requests from consumers, or provide notice to consumers stating that they are unable to respond until the consumer provides information that is reasonably necessary for authentication.
• Respond within 60 days to appeals from consumers regarding the controller’s refusal to act on a request.
• Enter into contracts with specific terms that regulate how processors process personal data.  
• Comply with the Children’s Online Privacy Protection Act of 1998.

The law prohibits controllers from doing the following:

• Charging a consumer for the first request in a 12-month period. (A controller may charge the consumer for manifestly excessive, unfounded, technically infeasible, or repetitive requests.)
• Requiring authentication for opt-out requests. (A controller may deny a request that it reasonably believes is fraudulent. In that event, the individual making the request must be notified.)
• Discriminating against consumers for exercising their personal data rights.

Processors must adhere to the instructions of a controller or be subject to the requirements of a controller, and may be subject to enforcement actions. Subcontractors have the same obligations as processors with respect to personal data.

Enforcement

Montana’s new law does not provide for a private right of action, meaning that individuals cannot sue for violations. The Montana Office of the Attorney General has enforcement authority and can issue a notice of violation to the controller. For the next 18 months, there is a cure provision for controllers who receive violation notices. During this “grace period,” the controller will have 60 days to correct the violation and must provide the state attorney general with a written statement that the alleged violations have been corrected and that there will be no further violations. The cure provision will terminate on April 1, 2026. Unlike California and other states, Montana does not specify a civil penalty amount. Businesses should take this into account when reviewing their compliance posture.