We said it earlier this month: With many state legislative sessions coming to an end, we were likely to see a push by states to finish up debates and votes on consumer privacy laws. Now you can count Montana (and Tennessee) among those states doing just that. The Montana Consumer Data Privacy Act (MCDPA) has passed both houses of the Montana legislature and heads to Governor Greg Gianforte’s desk. We anticipate that he will sign the bill into law. The MCDPA tracks the laws in Connecticut and Virginia, indicating that that model is becoming the basis for other state consumer privacy laws. The MCDPA will go into effect on October 1, 2024.
Below we provide an overview of some of the key aspects of Montana’s new consumer privacy law.
IN DEPTH
To Whom Does the MCDPA Apply?
The thresholds for the MCDPA are one of the most distinctive aspects of the bill. The MCDPA applies to companies that do business in Montana or target products or services to Montana consumers and:
- Control or process personal data of 50,000 or more Montana consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or
- Control or process personal data of 25,000 or more Montana consumers and derive over 25% of gross revenue from the sale of that data.
Who Is a “Consumer”?
In the MCDPA, a “consumer” is a natural person who is a resident of Montana acting in a personal context. This means that employees and B2B contacts are expressly excluded from the definition of “consumer.”
What Is “Personal Data”?
“Personal Data” in the MCDPA is “information that is linked or reasonably linkable to an identified or identifiable individual.” It excludes, however, deidentified data and publicly available data. The limitations for deidentified data and publicly available data closely track those of Virginia (e.g., deidentification requires a public commitment to keep data deidentified, and public data is both from government files as well as data that is generally available through mass media sources).
Although not expressly excluded from the definition of “personal data,” just as in Virginia, companies do not need to include pseudonymous data (under certain circumstances) when responding to consumer requests under the MCDPA.
Who Can Enforce?
The Montana Attorney General has exclusive enforcement authority, and there is an express provision disclaiming any private right of action. Before initiating any enforcement proceeding, the Attorney General must give 60 days’ written notice and an opportunity to cure to the controller. This cure period, however, expires after April 1, 2026. The MCDPA does not expressly state a maximum damages amount.
Who Is Exempt?
The exemptions to the MCDPA closely mimic those of other state privacy laws. For example, the MCDPA exempts personal information covered by laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Children’s Online Privacy Protection Act (COPPA), the Gramm-Leach-Bliley Act, the Family Educational Rights and Privacy Act, and a litany of other federal laws.
In addition, the MCDPA does not apply to government entities, nonprofit organizations or higher education institutions.
The MCDPA also exempts the use of personal data for certain specific purposes, such as compliance with the law, preventing fraud or injury to others and defending legal claims, just as in Virginia.
What Obligations Are Imposed?
Under the MCDPA, controllers must:
- Limit the purpose of processing personal data to that which is reasonably necessary and proportional;
- Take steps to implement reasonable safeguards for the personal data within their control;
- Refrain from discriminating against consumers for exercising their rights and from processing personal data in violation of federal laws that prohibit discrimination;
- Be transparent in their reasonably accessible, clear and meaningful privacy notice; and
- Ensure contracts control relationships with their processors (note: the law itself details the minimum necessary provisions of these contracts).
What Consumer Rights Are Created by the MCDPA?
Controllers must provide a now-standard set of consumer rights to Montana consumers:
- Opt-out rights related to the sale of personal data, targeted marketing and profiling (automated decision-making that could have significant legal effects, such as those related to housing, drinking water, credit, etc.);
- Deletion rights (with respect to the data provided by or about the consumer);
- Access rights, including a right to confirm whether the controller is processing any data at all;
- Correction rights, but limited to data the consumer previously provided;
- Appeal rights;
- Opt-in rights for advertising and targeted marketing to individuals aged 13 to 16; and
- Data portability rights, but limited to data the consumer previously provided.
Sensitive Personal Information
Under the MCDPA, “sensitive data” is personal data that includes information such as racial/ethnic origin, religious beliefs, mental or physical health diagnosis, information about a person’s sex life, sexual orientation, citizenship or immigration status, genetic or biometric information used to uniquely identify an individual, personal data collected from a known child (under the age of 13) and precise geolocation (location within a radius of 1,750 feet). Under the MCDPA, a controller may not process (including collect) sensitive data without obtaining the consumer’s consent or, in the case of a child, complying with COPPA.
Response to Consumer Inquiries
As has become something of a standard in state consumer privacy laws, controllers must respond to a consumer personal data request within forty-five (45) days of receipt of the request, with a forty-five (45) day extension available. If a consumer appeals a decision of the controller to deny a consumer request, the appeal response must be delivered within sixty (60) days. As in Virginia, if the appeal is denied, controllers must provide the consumer with a method for contacting the attorney general.
Data Protection Impact Assessments
As under the laws the MCDPA is modeled after, controllers will need to document impact assessments before they engage in a number of different processing activities, including: (i) processing for targeted marketing; (ii) sale of personal data; (iii) processing of personal data for profiling if the profiling presents a reasonably foreseeable risk of legal, deceptive, discriminatory, financial, reputational or physical harm; and (iv) processing sensitive data.
The MCDPA allows impact assessments done under other state laws to count towards the requirements of the MCDPA and does not require retroactive impact assessments for processing activities occurring prior to the effective date of the law. However, the MCDPA requires that assessments be created or generated on or after January 1, 2025, and they are not retroactive.
When Does the MCDPA Take Effect?
The MCDPA comes into effect on October 1, 2024.
***
Creating a successful, effective and comprehensive privacy program for your organization requires a thorough understanding of both the relevant legal obligations and the personal data subject to compliance. Setting up a program that is prepared to respond to various state privacy laws as they come into effect will save organizations time in the long run, especially as many of these laws mirror one another.
Peter Scheyer also contributed to this article.