Our May Madness series is getting you caught up on comprehensive privacy legislation passing state legislatures across the nation. In April, governors signed legislation in Tennessee and Indiana, and this month ahead of their summer recess lawmakers in Florida and Texas passed bills that we’ll be covering in this series over the next two weeks.
In Montana, Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (S.B. 384) (“MCDPA”) on May 19, 2023 – one of the strongest privacy bills signed in a red state. Montana now becomes the ninth state to enact a comprehensive consumer data privacy law.
Montana’s legislature chose to build its statute on models passed in states like Virginia two years ago and in Connecticut in 2022, with a few interesting distinctions noted in bold in this article. This direction follows the trend we have been seeing in other states joining the fray recently (Tennessee and Indiana) and may be indicative of a growing consensus across the country that the more business-friendly frameworks adopted by Virginia and Connecticut lawmakers are preferred to some of the sweeping and onerous requirements imposed on businesses by California’s privacy laws.
The MCDPA applies to persons that conduct business in Montana or that produce products or services that are targeted to Montana residents and (i) control or process personal data of at least 50,000 consumers; or (ii) control or process personal data of at least 25,000 consumers and derive over 25% of gross revenue from the sale of personal data. Given Montana’s relatively small population, these thresholds in the MCDPA are generally lower than in other states that have recently passed their privacy laws. Businesses with expansive national operations may therefore become subject to the Montana law sooner than they would in other states with similar statutes.
“Consumer” means an individual who is a resident of Montana and does not include an individual acting in a commercial or employment context.
There are several exemptions under the MCDPA. For example, the MCDPA does not apply to:
- Certain government organizations
- Nonprofit organizations
- Institutions of higher education
- Financial institutions and affiliates, or data subject to the federal GLBA
- Covered entities or business associates governed by certain rules under HIPAA
- Certain research data or employment-related information; and information governed by laws such as HIPAA, the Fair Credit Reporting Act or the Farm Credit Act.
Consumers who are Montana residents will be able to exercise the following rights under the MCDPA:
- Right to confirm whether or not their personal data is processed
- Right to access their personal data
- Right to correct inaccuracies in their personal data
- Right to deletion of their personal data
- Right to portability of their personal data
- Right to opt-out of the processing of their personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
Business Obligations to Consumers
Businesses subject to the MCDPA will have new compliance obligations, including:
- Responding to consumer requests under the MCDPA within 45 days of receipt (may be extended an additional 45 days, when reasonably necessary, but must inform consumer of the extension within the initial 45-day response period and provide a reason)
- Providing required information to consumers free of charge, up to once per year
- Authenticating requests using commercially reasonable efforts
- Establishing a process for consumers to appeal any refusal to take action on a consumer request
- Providing a reason, in cases where a consumer request is denied, no later than 45 days from the date of the request
Required Notices to Consumers
- Businesses must also provide consumers with a “reasonably accessible, clear and meaningful” privacy notice that meets requirements under the MCDPA, including how consumers may submit requests to exercise their privacy rights
- Businesses are required to “clearly and conspicuously” disclose processing of personal data for targeted advertising (and how to opt-out of such processing)
Other Business Obligations
- Conduct and document data protection assessments for data processing activities created or generated on or after January 1, 2025; the assessment requirements are extensive and include an obligation to provide assessments to the attorney general upon request
- Limit collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes for which such data is processed
- Process personal data solely for disclosed purposes or purposes compatible with disclosures, unless the consumer consents
- Establish, implement, and maintain data security practices to protect the confidentiality, integrity, and accessibility of consumers’ personal data
- Obtain consent before selling or using data from users between 13 and 15 years old for targeted advertising (Note that Governor Gianforte also recently signed a statewide ban on TikTok)
The Do Nots:
- Do not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers
- Do not discriminate against a consumer for exercising any consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods and services to consumers
- Do not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child (under the age of 13), without processing such data in accordance with the federal Children's Online Privacy Protection Act
“Sensitive data” includes (1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (2) the processing of genetic or biometric data for the purpose of uniquely identifying an individual; (3) personal data collected from a known child (under the age of 13); or (4) precise geolocation data (identifying a location within a radius of 1,750 feet).
Impacts on Data Processors (Vendors)
Vendors that are data processors have direct obligations under the MCDPA, such as adhering to instructions from data controllers, assisting data controllers with their own compliance obligations, assisting data controllers with data protection assessments, and required subcontractor flow-down obligations.
The MCDPA also contains specific requirements that must be included in data processing agreements between data controllers and data processors.
No Private Right of Action
The MCDPA does not provide for a private right of action. The MCDPA will be enforced exclusively by the Montana Attorney General and, before initiating an enforcement action, the AG must provide 60 days’ prior written notice of an alleged violation and an opportunity to cure the violation.
The MCDPA includes an explicit sunset provision on the notice and cure period required for AG enforcement of alleged violations. The procedural notice and cure period will sunset on April 1, 2026, after which the AG can simply initiate an action for a violation of the MCDPA without the 60-day notification hurdle.
Fines and Penalties for Violations
The MCDPA does not establish dollar amounts for penalties associated with violations.
Effective Date for MCDPA
The MCDPA will become effective on October 1, 2024. This is sooner than in other states such as Tennessee and Indiana.