Montana Privacy Law

Montana Governor Greg Gianforte signed Senate Bill 384, the Montana Consumer Data Privacy Act (MCDPA) into law on May 19, 2023. The MCDPA’s main provisions become effective on October 1, 2024.

The Montana law creates obligations on “controllers” and “processors” of personal data; defined as the individuals or legal entities who, alone or jointly with another person, determine the purposes and means for processing personal data, and the individuals or legal entities who process personal data on behalf of a controller, respectively.

Controllers and processors subject to the MCDPA are any persons who conduct business in Montana, or who produce product or services that are targeted to Montana residents, and controls or processes the personal data of not less than: (1) 50,000 “consumers” (defined as Montana residents operating outside of an employment or commercial context), excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) 25,000 consumers, while deriving more than 25% of annual gross revenue from the sale of personal data.

Like many other states’ privacy laws, information and data exempt from the provisions of the MCDPA include, among other types, personal data subject to regulation under the FRCA, HIPAA, FERPA, and GLBA.  

Controllers have the following obligations under the MCDPA:

• Privacy Notice: controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the categories of personal data processed by the controller; the purpose for processing personal data; the categories of personal data that the controller shares with third parties, if any; the categories of third parties, if any, with which the controller shares personal data; an active email address or other mechanism that the consumer may use to contact the controller; and, how consumers may exercise their consumer rights and appeal any controller’s decision regarding a consumer’s request.
• Restraint: controllers must limit the controller’s collection of personal data to only the personal data that is adequate, relevant and reasonably necessary to serve the controller’s purposes specified in the privacy notice.
• Security: controllers must establish, implement and maintain safeguards for protecting personal information so that the controller’s safeguards protect the confidentiality, integrity and accessibility of the personal data as appropriate to the volume and nature of the personal data at issue.
• Rights Request Mechanism: controllers must provide an effective means by which a consumer may revoke the consent given to the controller’s processing of the consumer’s personal data, which must be at least as easy as the means by which the consumer provided consent.

Consumer rights under the MCDPA include the right to:

• Confirm whether a controller is processing or has processed the consumer’s personal data and allow the consumer to access that personal data, unless such confirmation or access would require the controller to reveal a trade secret;
• Require a controller to correct inaccuracies in personal data about the consumer;
• Require a controller to delete personal data about the consumer;
• Obtain a copy of the consumer’s personal data previously provided by the consumer to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another controller; and,
• Opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling the consumer in furtherance of decisions made by the controller that produce legal effects or effects of similar significance for the consumer, such as those that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, or access to essential goods or services.

Controllers must respond to a consumer’s rights request within 45 days of receipt of the consumer’s request, with an option to extend such response by an additional 45 days with notice to the consumer.

Like most of the recent data privacy laws being enacted, the MCDPA does not provide a private right of action, with violations only enforceable by the Montana Attorney General’s office. The Montana Attorney General must issue a notice of violation to a controller prior to initiating any action for violation of the MCDPA, and if the controller fails to correct the action within 60 days of the notice, the attorney general may bring an action under the MCDPA.

Have more Questions?