Montana now joins a growing list of states to have a comprehensive privacy law. The law was signed by the governor on May 19, 2023 and will go into effect October 24, 2024. This is before some Iowa (effective January 1, 2025) and Indiana (effective January 1, 2026), which pre-dated it in passage.
The law will apply to those that do business in Montana and either: (1) control or process personal data of at least 50,000 state residents; or (2) derive over 25% of gross revenue from the sale of personal data and control or process personal data of 25,000 or more state residents. As with other laws (outside of California), Montana has a long list of exemptions, including entities covered by HIPAA or GLBA. It also does not cover employee information. Key provisions include:
-
Notice. Like other state laws, a company must tell consumers the categories of data it processes, the purpose, categories of data being sold or shared, and provide consumers with information about exercising their consumer rights.
-
Consumer Rights. Montana provides for similar rights that we’ve seen under other state privacy laws. Namely rights of access, correction, deletion, and portability. Like the new Tennessee law, companies need only provide portability to information the consumer provided. Consumers can have agents make rights requests on their behalf. Companies must respond to these rights requests within 45 days (extendable by 45 days). Companies also have to let consumers opt out of sale of personal data, targeted advertising and profiling. “Sale” includes “other valuable consideration” and not just a monetary exchange (as is the case in California, Connecticut, and Tennessee). Montana will also require that companies recognize opt-out preference signals (mirroring California, Colorado, and Connecticut).
-
Sensitive Personal Data. Businesses in Montana must obtain consent before processing consumer’s sensitive information, just like they do in Colorado, Connecticut, and Virginia. Sensitive information is defined as data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person’s sex life, sexual orientation, citizenship or immigration status. It also includes genetic or biometric data, precise geolocation information, and information about children.
-
Contracts. Like most other states, Montana will require contractual obligations that ensure privacy and technical safeguards are in place to protect consumer information.
-
Enforcement. There is no private right of action under the law or specific statutory damages. Before the attorney general can initiate an action, it must give companies written notice and 60 days to cure the violation. This cure period will sunsets April 1, 2026 (the sunsetting provision is similar to that of Colorado, but unlike Indiana, where the cure period does not sunset).
Putting It Into Practice: Companies now have another state’s law to add to their list for provision of privacy rights and to address from a contractual standpoint. The threshold for applicability is lower in Montana than others, something to keep in mind prior to the October 2024 effective date.
Kathryn Smith also contributed to this article.