Montana Consumer Data Privacy Act is Now in Effect: Is Your Business Prepared?
Friday, December 6, 2024

As of October 1, 2024, the Montana Consumer Data Privacy Act (MTCDPA) is officially in force. Montana’s new privacy law joins the growing landscape of U.S. state data privacy laws, emphasizing the need for businesses operating in or targeting Montana residents to ensure compliance. The MTCDPA’s provisions align closely with other U.S. state data privacy frameworks, making it essential for businesses to assess and potentially adjust their existing privacy programs to meet Montana’s specific requirements. Below is a summary of the key aspects of the MTCDPA and practical guidance on how businesses can satisfy these obligations.

1. Scope and Applicability

The MTCDPA applies to entities conducting business in Montana or producing products or services targeted at Montana residents if they:

  • Control or process personal data of at least 50,000 Montana consumers (excluding personal data collected solely for payment transactions), or
  • Control or process personal data of at least 25,000 Montana consumers and derive more than 25% of gross revenue from the sale of personal data.

Notably, the MTCDPA has no general revenue threshold, which means businesses of varying sizes may fall under the law’s scope. Additionally, the MTCDPA does not apply to government entities, nonprofits, HIPAA-covered entities, or data regulated by other specified federal laws.

2. Consumer Rights

Montana residents are granted a range of rights over their personal data, closely mirroring those found in other state privacy laws. These rights include:

  • Access: The right to confirm if their data is being processed and to access it.
  • Correction: The ability to correct inaccuracies in their personal data.
  • Deletion: The right to delete their personal data held by a business.
  • Data Portability: The right to obtain a copy of their data in a portable format.
  • Opt-Out: The ability to opt out of data processing for targeted advertising, the sale of data, or profiling that leads to significant legal effects.

Businesses must respond to verified consumer requests within 45 days, with the possibility of a 45-day extension, and consumers maintain the right to appeal refusals.

3. Businesses’ Obligations

Businesses subject to the MTCDPA must comply with the following requirements:

  • Transparency and Data Minimization: Businesses must provide clear and accessible privacy notices, outlining what data is collected, how it is used, and with whom it is shared. Personal data collection must be limited to what is necessary for the specified purpose.
  • Data Security: Businesses are required to implement reasonable security measures to protect the confidentiality, integrity, and accessibility of consumer data.
  • Sensitive Data: Processing sensitive data—such as biometric information, precise geolocation, and racial or religious data—requires prior affirmative consent from the consumer.
  • Opt-Out Preference Signal: By January 1, 2025, businesses must implement an opt-out preference signal to allow consumers to opt out of the sale or use of their data for targeted advertising.
  • Data Protection Impact Assessments (DPIAs): For activities that present heightened risks, such as processing sensitive data or engaging in targeted advertising, businesses must conduct and document DPIAs, which weigh the benefits of data processing against potential risks to consumers, with mitigation strategies clearly outlined.
  • Enforcement: The Montana Attorney General holds exclusive enforcement authority under the MTCDPA. If a violation is detected, businesses have a 60-day cure period to rectify the issue after receiving a notice from the Attorney General. This cure period will sunset on April 1, 2026, after which enforcement actions may be taken without a preliminary notice.

Preparing for Compliance

In light of the MTCDPA becoming legally effective, businesses should consider taking the following actions to ensure compliance:

  1. Assess the Applicability of the MTCDPA. Businesses should first determine whether the MTCDPA applies to their operations. As noted above, the law applies to entities that conduct business in Montana or produce products or services targeted at Montana residents, and either (1) process the personal data of at least 50,000 Montana consumers, or (2) process the personal data of at least 25,000 Montana residents and derive over 25% of gross revenue from the sale of personal data.
  2. Conduct Data Mapping. Though not legally required, conducting a data mapping exercise to identify data flows will help businesses understand what types of personal data they collect, how they process this data, and who has access to it, which will streamline businesses’ compliance with consumer rights requests and other MTCDPA obligations.
  3. Review and Update Privacy Disclosures. Businesses should ensure that their privacy policies are up-to-date and include all necessary disclosures required by the MTCDPA. This includes clarifying what personal data is collected, its purposes, with whom it is shared, and how consumers can exercise their rights.
  4. Implement Consumer Rights Request Procedures. Businesses must establish protocols for receiving, authenticating, and responding to consumer rights requests. This includes providing a clear mechanism for consumers to access, correct or delete their personal data, and to opt out of their personal data being used for targeted advertising and data sales. Businesses engaging in the sale of personal data or targeted advertising must recognize requests sent through an opt-out preference signal by January 1, 2025.
  5. Evaluate Data Protection Practices. Businesses should evaluate whether their current administrative, technical, and physical data security measures meet the MTCDPA’s standards, and ensure that data processing activities are limited to what is necessary for specified purposes.
  6. Monitor for Enforcement and Updates. Businesses should remain attentive to regulatory updates and enforcement actions taken by the Montana Attorney General to understand compliance expectations. The MTCDPA’s right-to-cure provision sunsets on April 1, 2026, after which penalties may increase for non-compliance.

While the MTCDPA does not introduce radically new obligations compared to other state laws, businesses must remain diligent in their compliance efforts. The similarity of the MTCDPA with existing privacy laws offers an opportunity to streamline compliance strategies, but the nuances of each state’s law, including Montana’s, require careful attention.
