On May 19, 2023, Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (the “MTCDPA”) into law, becoming the ninth state to enact a comprehensive consumer privacy act. Montana joins California, Colorado, Connecticut, Indiana, Iowa, Utah, and Virginia with legislation that protects their residents’ personal data.
The MTCDPA will go into effect on October 1, 2024. In preparation for MCTDPA to be signed into law, companies doing business in Montana should start thinking of ways to incorporate the law’s requirements into their existing privacy policies and procedures.
Who Must Comply?
The MTCDPA will apply to people that conduct business in Montana or have products and services targeted to residents of the state that:
(1) control or process the personal data of no fewer than 50,000 consumers, excluding
personal data controlled or processed solely to complete a payment transaction; or
(2) control or process the personal data of no fewer than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.
Like other state’s consumer privacy laws, the information and entities that are exempt from MTCDPA include, but are not limited to:
- Government entities;
- Nonprofit organizations;
- Institutions of higher education;
- Registered securities associations;
- Financial institutions in accordance with Title V of the Gramm-Leach-Bliley Act; and
- Covered entities under the Health Insurance Portability and Accountability Act (HIPAA).
What is considered personal data?
“Personal data” means any information that is linked, or reasonably linkable to an identified or identifiable individual.
The MTCDPA provides Montana residents with the rights below to their personal data:
- Confirm whether a controller is processing the consumer’s personal data;
- Access personal data processed by a controller in order to correct inaccuracies;
- Delete personal data;
- Obtain a copy of personal data previously provided to a controller; and
- Allow consumers to opt out of the processing of their personal data for the purpose of targeted advertising, the sale of their personal data, and profiling to support solely automated decisions that produce legal or similarly significant effects.
If a request is made from a consumer, data controllers must:
- Respond to the consumer within 45 days of receipt of the request (controllers may extend another 45 days if deemed “reasonably necessary”),
- Provide a justification right to consumers for the controller’s refusal to take action on a request,
- Allow consumers to appeal an adverse decision within 60 days; and
- If the appeal is denied, the controller must provide a consumer with a method for contracting the attorney general to submit a complaint.
Data Controller Responsibilities:
Under the MTCDPA, controllers have responsibilities that include, but are not limited to:
- Limiting the collection of personal data to only what is adequate, relevant, and “reasonably necessary” to process what is disclosed to the consumer;
- Establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices;
- Providing an effective mechanism for consumers to opt out of their data, and upon revoking their consent, no longer process the personal data as soon as practicable (but not later than 45 days after the receipt of the request).
Data Protection Assessments:
Following the leads of other states like Connecticut and Colorado, the MTCDPA requires controllers to conduct data protection assessments for each of the controller’s processing activities that present a heightened risk of harm to a consumer. The data protection assessments must identify and weigh the benefits of processing for the controller, the consumer, other stakeholders, and the public against the potential risks to consumers’ rights as mitigated by any safeguards that the controller uses to reduce these risks. Data protection assessments will apply to processing activities that are created after January 1, 2025, and are not retroactive.
Under the MTCDPA, the attorney general has exclusive authority to enforce violations of the MTCDPA and there is no private right of action for violations. Alleged violators of the MTCDPA are given a 60-day notice of the violation and the opportunity to cure the alleged violation within the 60 days.
As more states continue to enact state privacy laws, businesses must stay vigilant in crafting strong processes and systems for data privacy and security. Taft’s Privacy and Data Security Practice is ready to assist. For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application.
Taft Summer Associate Lizzy Dobbins contributed to the research and writing of this article. Lizzy attends the University of Dayton School of Law in Dayton, Ohio.