
Montana Consumer Data Privacy Act (MTCDPA): A Crucial First Look and Overview


While consumers in the EU enjoyed the protection of the GDPR, those in Canada of PIPEDA, and so on, California was the only US state with its own comprehensive consumer data privacy law, the California Privacy Rights Act (effective from 1st January 2020).

Things are rapidly changing in 2023 as four more states - Virginia, Utah, Colorado, and Connecticut - made their privacy laws effective, and ten more signed new laws.

One of those states is Montana, and its Montana Consumer Data Privacy Act will become effective very soon, so this guide will explain what your business needs to know and do to prepare to ensure MTCDPA compliance.

Key Takeaways

  • Montana Governor Greg Gianforte signed Senate Bill 384 (Montana Consumer Data Privacy Act) on 19th May 2023.
  • This law becomes effective on 1st October 2024 and will apply to businesses that operate in Montana and offer goods and services that target Montana residents.
  • The MTCDPA does not specify the fine a business has to pay for a violation.

What is the Montana Consumer Data Privacy Act?

On 19th May 2023, Governor Greg Gianforte signed Senate Bill 384, or the Montana Consumer Data Privacy Act, which becomes effective on 1st October 2024.

The MTCDPA regulates the requirements and obligations for businesses when collecting and processing consumers’ personal information and establishes consumer rights concerning how companies use their data.

Important Definitions Under MTCDPA

One of the keys to complying with any law is understanding its terms and definitions. The Montana Data Privacy Act outlines several essential terms as well.

  • Consent: Clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer.

According to the MTCDPA, “consent” does not include:

  1. General or broad terms of use that include descriptions of personal data processing along with other unrelated information;
  2. Hovering over (such as with a mouse cursor), muting, pausing, or closing a piece of content;
  3. Consent that is obtained using dark patterns.
  • Consumer: An individual who is a resident of this state (Montana).

This definition does not include someone acting in a commercial or employment context.

  • Controller: An individual who or a legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.
  • Personal data: Any information that is linked or reasonably linkable to an identified or identifiable individual.

This does not include de-identified data or publicly available information.

  • Processor: An individual who or a legal entity that processes personal information on behalf of a controller.
  • Sensitive data: Personal data that includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person’s sex life, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; exact geolocation data.

Of course, more definitions exist, but we’ll discuss them as they arise.

Montana CDPA Scope

The Montana CDPA will not apply to every business that deals with Montanans, but only to those that meet certain thresholds and are not subject to any of the exemptions.

Who Does MTCDPA Apply to?

The Montana Consumer Data Privacy Act applies to entities that either conduct business in Montana or offer products and services to the residents of this state and that:

  1. Control or process the personal data of at least 50,000 consumers or
  2. Control or process the personal data of at least 25,000 consumers and derive 25% or more of their gross revenue from the sale of personal data.

The “sale of personal data” is defined in the Act as “the exchange of personal data for monetary or other valuable consideration by the controller to the third party.”

Although this scope is very similar to other privacy laws in the United States, one noticeable difference between the MTCDPA and, for instance, the VCDPA is that Montana businesses need to derive only 25% of their revenue from the sale of personal data to fall under the second threshold, while for most other states that threshold is 50%.

Exemptions

This Act does not apply to:

  • State agencies, authorities, boards, commissions, districts, and political subdivisions;
  • Nonprofit organizations;
  • Higher education institutions;
  • National securities associations registered under the Securities Exchange Act;
  • Financial institutions and affiliates covered by Gramm-Leach-Bliley Act (GLBA) Title V: Privacy;
  • Covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA).

Also, the following types of personal information are exempt from the MTCDPA:

  • Healthcare-related information under HIPAA;
  • Research data collected as part of human subject research;
  • Credit and consumer reporting information under the Fair Credit Reporting Act (FCRA), Farm Credit Act (FCA), and the Driver’s Privacy Protection Act (DPPA);
  • Data used as emergency contact information;
  • Information used in an employment context;
  • Etc.

Montana Data Privacy Act Consumer Rights

Under the Montana Consumer Data Privacy Act, consumers have the following rights:

  • Right to access information: Consumers can confirm whether a controller is processing their personal data and access that data, unless this would require the controller to reveal a trade secret.
  • Right to correct inaccuracies: Consumers can also request that the controller correct any inaccuracies in their personal information.
  • Right to delete: Consumers can request that the controller delete personal data about them, even if they previously granted the controller their consent.
  • Right to data portability: Consumers can obtain a copy of their personal data from the controller in a portable and ready-to-use format that allows them to transmit the data to another controller.
  • Right to opt out: Consumers have the right to opt out of processing for:
      • Targeted advertising;
      • Sale of personal information;
      • Profiling.

The controller must provide the means through which consumers can exercise these rights, describe them in its privacy policy, and has 45 days to respond to consumer requests.

Consumers can send Data Subject Access Requests (DSARs) or other requests through an authorized agent or, in the case of known children, through a parent or legal guardian.

Requirements Under the MT Consumer Data Privacy Act

Data controllers and processors must adhere to specific responsibilities and obligations under the MTCDPA.

Data Controller Responsibilities

First, the controller must limit data collection to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer.

The controller must also set up, use, and maintain appropriate data security measures to protect the confidentiality and integrity of the consumers’ personal data.

Additionally, they must provide the means through which consumers can revoke their consent.

The controller may not process data for any purpose that is incompatible with the one disclosed to the consumer or that is not reasonably necessary for that purpose.

They cannot process sensitive data without obtaining the consumer’s explicit consent (or from the parent or legal guardian of known children).

The controller is also prohibited from processing personal data in violation of federal or state laws that prohibit unlawful discrimination against consumers, and from processing personal information for targeted advertising if the controller knows the consumer is between 13 and 16 years of age.

Data Processor Responsibilities

On their end, processors must first and foremost follow the controller’s instructions and assist them in meeting the controller’s obligations.

This includes helping the controller respond to consumer rights requests, assisting the controller regarding the security of data processing and data breach notifications, and contributing necessary information for the controller to conduct a Data Protection Assessment (DPA).

Data Protection Assessment (DPA)

If the controller’s data processing activities present an increased risk of harm to a consumer, the controller must conduct a Data Protection Assessment (DPA).

The DPA should be performed for the processing of targeted advertising, sale of personal data, and profiling where the processing presents a risk of financial, physical, or reputational harm to the consumer; unfair or deceptive treatment towards the consumer; other considerable damage to the consumer; or the processing of sensitive data.

Consent Requirements

Consent under the Montana Consumer Data Privacy Act must be freely given, informed, unambiguous, and for a specific purpose. It can be provided in writing, electronically, or through other explicit affirmative action.

For example, “affirmative action” can be clicking the “Accept” button on the cookie consent banner, ticking a particular checkbox, choosing a specific setting in an app, or signing up for a newsletter that clearly states that the company will collect personal data.

Consent may not be obtained through deceptive means such as dark patterns, nor may it be implied.

Data Breach Notice Requirements

The Montana Code considers a data breach as an “unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the person or business and causes or is reasonably believed to cause loss or injury to a Montana resident.”

A controller that suffers a breach of data security must notify the affected consumers via one of the following means:

  1. In writing;
  2. Via electronic means;
  3. Through telephone;
  4. With a substitute notice, if the cost of providing a notice exceeds $250,000, more than 500,000 consumers are affected, or the controller doesn’t have sufficient contact information.

Child Data Processing Requirements

The Montana Consumer Data Privacy Act considers any person under 13 a “child.”

In the case of a known child, the controller must obtain consent from the child’s parent or legal guardian, except where the controller already fulfills the requirements of the Children’s Online Privacy Protection Act (COPPA), in which case they will be considered already compliant.

Checklist for Montana Consumer Data Privacy Act Compliance

This Act becomes effective in October 2024, so hopefully you will have prepared your organization for the most part. Still, here’s a checklist you can use to see if you missed anything:

Understand the MTCDPA Scope and Definitions

  • Verify that the law applies to your business (operating in Montana or offering products and services to Montana residents, and processing the personal data of 50,000 or more consumers, or of 25,000 or more consumers while deriving 25% or more of gross revenue from the sale of personal information);
  • Be familiar with the law's terms and definitions (consumer, controller, personal information, sensitive data, etc.).

Data Processing and Consumer Rights

  • Understand the rights consumers have (right to access information, right to correct, data portability, to delete, to opt out of processing);
  • Establish straightforward methods for consumers to exercise their data rights;
  • Have a transparent authentication process for consumer requests;
  • Ensure you are processing sensitive data according to the law's requirements.

Data Security and Privacy Practices

  • Make sure your privacy policy meets the MTCDPA requirements;
  • Create and maintain reasonable data security measures to protect consumers’ personal data;
  • Limit data processing to what is adequate and reasonably necessary for the specific processing purpose;
  • Avoid processing personal information in a way that discriminates against consumers for exercising their rights;
  • Introduce and follow an incident response plan to address data breaches and follow the Montana Code regarding data breach notifications;
  • Create privacy awareness training programs for employees to follow;
  • Conduct regular compliance and data privacy training for employees to help them understand the importance of both.

Third-Party Management

  • Review your current contracts with third-party suppliers and vendors and make sure they comply with the Montana Privacy Act;
  • Ensure that third-party vendors process data only for the purposes the contract specifies.

Documentation

  • Maintain detailed records regarding your data processing activities, consumer requests, and the steps you take in response;
  • Document the efforts you make to comply with the MTCDPA.

Consult with Experts and Stay Up-to-Date

  • Be sure to consult with data privacy and compliance experts like Captain Compliance regarding your obligations;
  • Stay informed of any Montana Consumer Data Privacy Act updates and changes.

What Happens if You Fail to Comply With MTCDPA?

The attorney general enforces the Montana privacy law concerning any violations.

Before taking any action, the attorney general will issue a violation notice to the controller and give them 60 days to correct the specific violations.

Unlike other privacy laws, like the Iowa Consumer Data Protection Act, Montana does not specify the amount a business will have to pay as a fine for an MTCDPA violation. This may change, but if it does not, then it will be up to the attorney general’s sole discretion to fine you.

Frequently Asked Questions (FAQs)

What is the Montana Privacy Bill 384?

The Montana Privacy Bill 384 is state legislation signed by Governor Greg Gianforte on 19th May 2023. This law governs how businesses operating in Montana and offering products and services to Montana residents collect and process consumers’ data. It establishes consumer rights regarding companies’ processing of their personal data.

What is the Right of Privacy in Montana?

The “right of privacy” is established in the Montana Code Declaration of Rights as:

“The right of individual privacy is essential to the well-being of a free society and shall not be infringed without showing a compelling state interest.”

What is the Invasion of Privacy Law in Montana?

According to the Montana Code, a criminal invasion of personal privacy occurs when “a person commits the offense of invasion of personal privacy if the person knowingly or purposely obtains or attempts to obtain personal or confidential information about an individual while posing as the individual.”

Does Montana Have a Privacy Law?

The governor of Montana, Greg Gianforte, signed Senate Bill 384 on 19th May 2023, titled “Montana Consumer Data Privacy Act”. This makes Montana one of 15 US states with a comprehensive data privacy law.

The law will become effective on 1st October 2024.

How Can Captain Compliance Help You?

The Montana Consumer Data Privacy Act becomes effective in only a few months. If you run a business that deals with consumers in this state, time is ticking to ensure your organization fully complies.

Luckily, Captain Compliance is here to your rescue. Our team of data privacy and compliance experts has centuries of combined experience in state laws just like the MTCDPA.

Contact us for a free consultation, and we’ll help you become MTCDPA-compliant in no time.