Discover the Montana Consumer Data Privacy Act—Your Guide to the MTCDPA 

Written by Matt Davis, CIPM (IAPP) | November 14, 2023

On May 19, 2023, Montana officially became the ninth state to approve a state-level consumer data privacy law, joining the trend of states opting not to wait for a federal privacy law to mandate the protection of their residents’ data.

The Montana Consumer Data Privacy Act (MTCDPA) became law when Gov. Greg Gianforte signed Senate Bill 384. The Montana regulation does not stray much from state data privacy laws that came before it, and fortunately, legislators provided ample time for businesses to become acclimated to the new law—it doesn’t go into effect until Oct. 1, 2024.  

While this means it shouldn't be too challenging for businesses to learn the ins and outs of the MTCDPA, it still has its own nuances. Let’s dive into the MTCDPA, which closely resembles many other state laws, in particular, the data privacy act of its immediate predecessor, Indiana.  

What Is the Montana Consumer Data Privacy Act?

Montana's legal framework applies to both consumers and businesses engaged in activities within the state involving the handling of personal data. Like most state data privacy laws already on the books, the MTCDPA defines “controllers” as entities that determine the purpose and means of collecting or processing personal data. A “processor” is any entity that processes data on behalf of a controller.

Here's the breakdown of who the law applies to: 

  • Any data controller that handles the personal data of at least 50,000 Montana residents, except for data used exclusively for payment transactions, falls under this law.  
  • Controllers that manage personal data from at least 25,000 consumers and derive more than 25 percent of their revenue from selling personal data also must comply with the law. 

Unlike California's law, Montana's privacy law doesn't depend solely on a revenue limit. The MTCDPA is more similar to laws in states such as Indiana where controllers have to follow the rules, even if their annual gross revenues are below a certain limit, as long as they process the data of a specific number of consumers. However, in Montana, the threshold for the number of residents that triggers the law is lower.  

Many other state laws apply to businesses handling the personal data of 100,000 or more residents, while Montana's law sets the bar lower at 50,000, primarily due to Montana’s relatively low population. Delaware’s law also has a low threshold, at 35,000.  

What Entities and Data Are Exempt Under the Montana Privacy Law? 

MTCDPA primarily focuses on safeguarding personal data—information that can be directly linked or reasonably associated with an identifiable individual. Like in other state privacy laws, there are exemptions, including data protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Family Educational Rights and Privacy Act (FERPA), and other federal statutes. 

In this context, a "protected consumer" is an individual residing in Montana, but this definition excludes individuals acting in a commercial or employment capacity, as well as employees, owners, directors, officers, or contractors of various business structures, including partnerships, sole proprietorships, nonprofits, or government agencies. 

The following entities and agencies are exempt from the MTCDPA: 

  • State authorities, boards, commissions, and political subdivisions. 
  • Nonprofit organizations. 
  • Higher education institutions. 
  • National securities associations registered under the federal Securities Exchange Act of 1934. 
  • Financial institutions and their affiliates governed by Title V of the Gramm-Leach-Bliley Act. 
  • Entities subject to the federal HIPAA. 

Consumer Consent, Opt-Outs, and Security Exemptions  

User consent to collect and process most information is not required under the MTCDPA, similar to data privacy laws in Indiana, Virginia, Colorado, and Connecticut.

Like the other state privacy laws, Montana subscribes to the "opt-out" model (except in the case of children). Also similar to other state laws, there are exceptions, including the requirement that consent be obtained before collecting or processing sensitive personal information.

The MTCDPA aligns with the federal Children’s Online Privacy Protection Act (COPPA) in mandating that prior to processing any personal data of a user known to be under 13 years of age, consent from the child's parent or guardian must be secured. This applies to all personal data of children, as Montana's data privacy regulations automatically categorize data of children under 13 as sensitive. 

Montana's law provides additional safeguards for children between the ages of 13 and 16. In those cases, their consent must be obtained before processing their personal data for purposes such as sale or targeted advertising.  

Targeted advertising involves showing ads to a person based on their data collected from their online activities over time on different websites and apps that aren't connected, with the aim of guessing what that person is interested in and serving related ads. 

What Rights Do Consumers Have Under the MTCDPA? 

The Montana Consumer Data Privacy Act grants consumers several key rights when it comes to their personal information. These rights have been the standard among data privacy laws enacted in other states. 

Businesses must give consumers a way to opt out of data collection and processing. Controllers and processors must also implement reasonable security and protections to safeguard data collected. 

Here's a breakdown of these rights: 

  1. Right to Opt Out: Consumers can opt out of the sale of their personal data, targeted advertising, or profiling that leads to automated decisions with significant legal consequences. 

  2. Right to Access: Consumers have the right to know if a controller is processing their personal information and to access that data, with a few exceptions.

  3. Right to Correction: Consumers can request corrections to any inaccurate or outdated information that a controller has about them, especially if it was provided by the consumer. 

  4. Right to Delete: Consumers have the right to ask a controller to delete any personal data they have about them, with some exceptions. 

  5. Right to Portability: Consumers can obtain a copy of their personal data that they previously provided to the controller in a user-friendly format, again with certain exceptions. 

  6. Right Not to Be Discriminated Against: Controllers are prohibited from discriminating against consumers for exercising their rights. Discrimination includes any unfair treatment related to these rights. 

Note: Parents or guardians can also exercise these rights on behalf of children.  

One right not included? The ability for consumers to sue a business in case of a violation, also known as a private right of action—California is the only state that provides this as a right in its data privacy law. 

What Are the Consequences for Violating the Montana Data Protection Law?  

In Montana, the Attorney General holds exclusive authority for enforcing the MTCDPA. While consumers can't file private lawsuits, they can report potential violations or complaints to the Attorney General's office. When there's an alleged violation, the Attorney General must send a written notice listing the violations to the parties involved. 

Controllers are required to respond to a consumer rights request within 45 days after receipt of the request. The request is subject to a 45-day extension when “reasonably necessary.” 

Cure Period and Controller Actions 

Montana’s privacy law provides a 60-day cure period, during which organizations can fix the issues and take preventive measures to prevent recurrence. Cure periods in other state-level data privacy laws range from 30 to 90 days. In the case of the MTCDPA, the right to cure ends on April 1, 2026. Organizations found in violation must also inform the Attorney General when they have taken these corrective actions and confirm that no further violations will occur. 

Fines and Penalties  

If the controller or any of their data processors remain in violation after the cure period or after submitting their statement, the Attorney General can initiate investigative actions.  

Unlike many other state-level data privacy laws, the MTCDPA doesn't specify a particular dollar amount for fines or other statutory damages for breaking the law. It simply states that the Attorney General can take legal action. 

Data Protection Assessments 

The MTCDPA requires controllers to conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm to a consumer. This includes processing personal data for targeted advertising, the sale of personal data, or processing that presents certain risks such as unfair or deceptive treatment; financial, physical or reputational injury; or an intrusion on the solitude or seclusion of a person considered “offensive” to a reasonable person.

How to Comply With the MTCDPA 

The Montana data privacy law aligns with other state privacy laws, so businesses don't need to deviate from their existing preparations for state data laws if they’re already in compliance.  

Montana’s privacy law can be described as business-friendly, much like laws in Virginia and Indiana. Montana legislators have provided controllers with more than one year to achieve compliance by developing formal policies and procedures for data collection and processing in Montana.

That gives businesses ample time to become familiar with the law, conduct risk assessments, and establish a framework for promptly responding to consumers' requests. Companies can also educate and train their staff to be aware of the tenets of the legislation.

With the growing number of privacy laws taking effect, businesses may want to consider a Data Privacy Platform, like Osano, which can help manage opt-out requests, manage data subject rights requests, differentiate between the nuances of each state, and more. 

Frequently Asked Questions (FAQs) 

When does the MTCDPA take effect? 

The Montana Consumer Data Privacy Act goes into effect on October 1, 2024.

How does the MTCDPA define sensitive data or exemptions? 

Montana’s privacy law primarily focuses on safeguarding personal data, and it shares exemptions with federal statutes such as HIPAA, FERPA, and others. It defines a "protected consumer" as a Montana resident, excluding individuals in commercial or employment roles, as well as various business structures' employees and officers.

What does the law say about deidentified data?  

Controllers must take reasonable measures to ensure deidentified data can’t be associated with an individual, publicly commit to maintaining and using this data without attempting to re-identify the data, and contractually obligate recipients to comply with the regulations.  

What does the MTCDPA say about Global Privacy Control?  

The Montana privacy law mandates that by January 1, 2025, consumers must be able to “opt out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of such personal data through an opt-out preference signal sent with the consumer’s consent,” also known as universal opt-out or global privacy control (GPC). 

What is the cure period in the MTCDPA? 

The MTCDPA allows a 60-day cure period for organizations to rectify issues and take preventive measures. The right to cure sunsets April 1, 2026. Organizations found in violation must inform the Attorney General when they have taken corrective actions and confirm that no further violations will occur. 

What are the consequences for violating the Montana data protection law? 

Unlike many other state-level data privacy laws, the MTCDPA doesn't specify a particular dollar amount for fines or statutory damages but allows the Attorney General to take legal action. 

How does the Montana Data Privacy Law handle the privacy of children's data? 

The MTCDPA aligns with the federal Children’s Online Privacy Protection Act (COPPA) in mandating that consent from a child's parent or guardian must be secured prior to processing any personal data of a user known to be under 13 years of age.

How does Montana's law provide additional safeguards for children between the ages of 13 and 16? 

If a user is at least 13 years old, but younger than 16, their consent must be obtained before their personal data can be processed for targeted advertising or for the purpose of selling their data. 

Who enforces the MTCDPA? 

The Montana Attorney General holds exclusive authority for enforcing the MTCDPA. While consumers can't file private lawsuits, they can report potential violations or complaints to the Attorney General's office.