On May 19th, the Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (“Montana CDPA”). The Montana CDPA was chaptered into Montana law on May 22nd. Montana is the fifth state to pass a comprehensive privacy law this year, following Iowa, Indiana, Tennessee and Florida, and the tenth state overall, following the “first five” states of California, Colorado, Connecticut, Utah and Virginia (described here).
Following are some FAQs about the Montana CDPA:
When is the Montana CDPA in effect?
The Montana CDPA is in force as of October 1, 2024. It is effective before the new privacy law in Iowa, which is effective January 1, 2025, Indiana, which is effective January 1, 2026 and Tennessee which is effective July 1, 2025. Only Florida’s new privacy law is effective earlier, on July 1, 2024.
Who are “consumers” in the Montana CDPA?
A consumer is a Montana resident acting in an individual capacity.
Consumers are not Montana residents acting in a commercial or employment context, or otherwise in a business-to-business or government agency context, e.g., employee, owner, director, officer, or contractor.
What organizations are subject to the Montana CDPA?
The Montana CDPA applies to any “person” (which means a natural person or legal entity, subject to the exceptions described below) that:
- conducts business in Montana or produces products or services that are targeted to residents of Montana (“consumers”) and
- either (i) controls or processes the personal data of 50,000 or more consumers (but excluding personal data processed solely for completing a payment transaction) or (ii) processes the personal data of at least 25,000 consumers and derives 25% or more of gross revenue from the sale of personal data.
The Montana CDPA follows the same role-based processing model as the other state privacy laws: a controller determines the purpose and means of processing personal data, processors assist controllers in meeting their obligations, and a controller must have a contract with its processors.
What organizations are not subject to the Montana CDPA?
The Montana CDPA does not apply to non-profit organizations, financial institutions regulated by the Gramm-Leach-Bliley Act (GLBA), national securities associations under the Securities Exchange Act, or to HIPAA covered entities and protected health information (among other exclusions).
What rights are available for consumers under the Montana CDPA?
The Montana CDPA grants the following rights to consumers:
- Right to confirm processing and access personal data
- Right to correct inaccuracies in the consumer’s personal data
- Right to delete personal data about the consumer
- Right to obtain a copy of the personal data previously provided by the consumer
- Right to opt-out of the processing of the consumer’s personal data for the purposes of:
  - targeted advertising,
  - profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
Consumers can designate an authorized agent to exercise the rights of the consumer to opt out of targeted advertising, sale, and profiling.
What obligations apply to businesses under the Montana CDPA?
Responding to Consumer Rights. A covered business acting as a controller:
- must respond to consumer rights requests within 45 days after receipt of the request, subject to a 45-day extension when “reasonably necessary”.
- must establish a process for a consumer to appeal the controller’s refusal to act on a consumer rights request.
- must, within sixty days after receipt of the appeal, inform the consumer in writing of any action taken or not taken, including an explanation of the reasons for that decision. If the appeal is denied, the controller must provide the consumer with an online mechanism, if available, or another method through which the consumer can contact the Montana Attorney General to submit a complaint.
Special Requirements for Opt-out Requests relating to Targeted Advertising and Personal Data Sale: by January 1, 2025 (three months after the Montana CDPA is in force), a controller must allow consumers to opt out of targeted advertising or sale of their personal data through an opt-out preference signal. The consumer’s chosen opt-out preference signal must be easy to use, not unfairly disadvantage another controller, require the consumer to make an affirmative choice to opt out (i.e., not a default setting), and allow the controller to accurately determine whether the consumer is a Montana resident.
Data Minimization: A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which it is processed.
Revocation of Consent: Controllers must provide a mechanism for consumers to revoke their consent that is as easy as the mechanism by which the consumer provided their consent. Within 45 days of the revocation, the controller must cease to process the consumer’s personal data.
Sensitive Data Processing: A controller cannot process sensitive data concerning a consumer without obtaining the consumer’s consent.
Minors: Controllers may not process the personal data of a consumer for the purposes of targeted advertising or sale without the consumer’s consent when the controller has actual knowledge that the consumer is at least 13 years old but younger than 16 years old.
Data Protection Assessments: A controller is obligated to conduct and document a data protection assessment for each of the controller’s processing activities created or generated after January 1, 2025 that present a heightened risk of harm to a consumer, including (1) processing personal data for targeted advertising, (2) selling personal data, (3) processing sensitive data, and (4) processing personal data for profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment, financial, physical or reputational injury to consumers, intrusion on the solitude or seclusion or the private affairs of consumers, or other substantial injury. Data protection assessments must generally identify and weigh the benefits and risks of the processing, as mitigated by safeguards that may be employed. These requirements generally track the data protection requirements in Virginia’s, Connecticut’s, and Indiana’s laws.
What are the consequences of not complying with the Montana CDPA?
The Montana CDPA does not have a private right of action and is enforceable only by the Montana Attorney General. The Montana AG may bring an action if, after notice of a violation, the controller fails to cure the violation within a sixty-day cure period. The cure period expires on April 1, 2026.
Are regulations forthcoming under the Montana CDPA?
The Montana CDPA does not provide for future rulemaking.
2024 and 2025 promise to be busy years for privacy professionals, with five new privacy laws coming into effect and likely more on the way. Businesses that have already built compliance programs for one or more of the “first five” state privacy laws will, however, have a much lighter lift.
Privacy World will continue to cover updates in Montana, as well as other state and federal privacy legislation. Please contact the authors or your relationship partner at SPB for more information.