Montana Data Privacy Law

On May 19, 2023, Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (MCDPA) into law. These are the key provisions of the Act:

Applicability

Covered Entities

MCDPA applies to any person, referred to as a “controller,” who conducts business in Montana or produces products or services targeted to Montana residents and who either (1) controls or processes the personal data of 50,000 or more consumers, “excluding personal data controlled or processed solely for the purpose of completing a payment transaction,” or (2) controls or processes the personal data of 25,000 or more consumers and derives more than 25 percent of gross revenue from the sale of personal data.

However, MCDPA exempts:

●      Bodies, authorities, boards, bureaus, commissions, districts, or agencies of Montana or any political subdivision in Montana

●      Nonprofit organizations

●      Institutions of higher education

●      Registered national securities associations

●      Financial institutions covered by the Gramm-Leach-Bliley Act (GLBA)

●      Entities governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Protected Consumers

The Act protects “consumers,” defined under MCDPA as individuals who reside in Montana. The definition excludes “an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit, or government agency.”

Consumer Protections

The consumer protections under MCDPA mirror those provided under the Delaware Personal Data Privacy Act (DPDPA), and various other state data privacy laws that have been passed in recent years.

Under MCDPA, Consumers have the right to:

●      Confirm whether a controller is processing their personal data and access that data, unless doing so would require the controller to “reveal a trade secret”

●      Correct any inaccuracies in the consumer’s collected personal data

●      Delete their personal data

●      Obtain a copy of their collected personal data “in a portable and . . . readily-usable format”

●      Opt out of the processing of their personal data for the purposes of:

    ○      Targeted advertising

    ○      Sale to a third party

    ○      Profiling in furtherance of solely automated decisions that produce “legal or similarly significant effects concerning the consumer”

Also similar to Delaware’s law is MCDPA’s specific protection for sensitive data and the personal data of children. A controller may process sensitive data only with the consumer’s consent; where the sensitive data concerns a “known child,” the controller must process it in accordance with the Children’s Online Privacy Protection Act (COPPA).

“Sensitive data” is defined as information that reveals, among other things, the race, ethnicity, or mental or physical health of an individual; the consumer’s precise geolocation data; genetic or biometric data; or personal data collected from a known child. Notably, MCDPA does not include all of the same categories of sensitive data as Delaware’s law, which also covers any information that discloses a consumer’s status as transgender or nonbinary.

The protections for minors under Montana’s privacy law are also distinct from Delaware’s. Under the Act, a controller may not process the personal data of a consumer it knows to be at least 13 and younger than 16 for targeted advertising, or sell that data, without the consumer’s consent. Delaware’s Act extends the same protection to consumers under 18.

Covered Entity Responsibilities

Limitations

MCDPA places the following limitations on a Controller:

●      Data collection shall be limited to that which “is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed to the consumer.”

●      “Reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue” shall be established, implemented, and maintained.

●      Consumers must be provided with an “effective mechanism” which is “at least as easy as the mechanism by which the consumer provided the consumer's consent”  for revoking their consent.

●      Upon revocation of consent, a controller must stop processing that consumer’s personal data “as soon as practicable, but not later than 45 days after the receipt of the request.” Separately, a controller must respond to a consumer rights request (access, correction, deletion, portability, or opt-out) “without undue delay, but not later than 45 days after receipt of the request.” This 45-day period may be extended once by a further 45 days “when reasonably necessary, considering the complexity and number of the [c]onsumer's requests,” provided the controller informs the consumer of the extension and the reason for it within the initial 45-day period. If the controller declines to act on a request, it must inform the consumer of that decision and the basis for it within the same 45-day window.

Data Assessment

MCDPA requires controllers to conduct and document data protection assessments of processing activities performed after January 1, 2025 that present “a heightened risk of harm” to a consumer.

A “heightened risk of harm” to a Consumer includes:

●      Processing a consumer’s personal data to engage in targeted advertising

●      The sale of a consumer’s personal data

●      Processing a consumer’s sensitive data.

●      Processing a consumer’s personal data to engage in profiling that presents a “reasonably foreseeable risk” of:

    ○      “Unfair or deceptive treatment of or unlawful disparate impact on consumers”

    ○      “Financial, physical, or reputational injury to consumers”

    ○      “A physical or other form of intrusion on the solitude or seclusion or the private affairs or concerns of consumers in which the intrusion would be offensive to a reasonable person”

    ○      Other substantial injury to the consumer

These data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer, as mitigated by safeguards the controller can employ. The controller must also factor in the use of de-identified data, the reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the consumer whose data is processed.

A controller may utilize a data assessment required by other applicable laws and regulations, so long as the assessment is “reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to” MCDPA.

The AG may request that a controller disclose a data protection assessment relevant to an investigation and may evaluate it in assessing the controller’s compliance with MCDPA. Disclosure to the AG does not waive or destroy the confidential nature of the assessment.

Enforcement

The AG has exclusive authority to enforce MCDPA. Before initiating an enforcement action, the AG must provide the controller with notice of the alleged violation and an opportunity to cure it within 60 days of receiving that notice.

If the controller cures the noticed violation within this 60-day period and provides the AG with an express written statement that the alleged violations have been corrected and that no further violations will occur, the AG may not initiate an action against the controller.

Notably, the Act does not provide consumers with a private right of action.

The Act will take effect October 1, 2024.


* * * * * * *

To read this week’s news alert, which includes Blackbaud’s legal woes, ICO’s Snapchat concerns, and new privacy features from Zendesk, click here.


This week’s breach report covers the following organizations: Sony, D.C. Board of Elections, Flagstar Bank, Prospect Medical, H&R Block, and Walmart, Inc. Click here to find out more.

Jody Westby hosts our podcast, ADCG on Privacy & Cybersecurity, bringing together leaders in the privacy and cybersecurity arenas to discuss a wide range of issues, from proposed federal and state regulations to best practices and standards for compliance. Episodes are available on many platforms, including Spotify and Apple Podcasts. Don’t forget to subscribe!

Our most recently released episodes:

101 | American Bar Association: Leading Resource and Policy Leader Through Its Cybersecurity Task Force

Guest: Donata Stroink-Skillrud, Co-Founder and President of Termageddon

100 | Looking at Cyber Risk Management: the Perspective Across the Pond

Guest: Dr. Peter Trim, Reader of Marketing and Security Management at the University of London’s Birkbeck Business School.

99 | The Power of Choice for Authentication

Guest: Sabrina Gross, regional director of strategic partners at Veridas.

98 | The Importance of Digital Asset Inventories in Incident Response

Guest: Ken Westin, Field CISO for Panther Labs.


To browse our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.
