Montana Consumer Data Privacy Act Signed Into Law

Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (MTCDPA) on May 19, 2023, after unanimous passage through the state legislature, and the Act will go into effect October 1, 2024. Montana is now the ninth state to enact a comprehensive state privacy law, joining California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, and Tennessee, but is the first state to ban TikTok. The ban has been challenged in federal court as "a prior restraint on expression that violates the First Amendment," and it so dominated Montana news that the MTCDPA was relegated to "also-signed" status lumped in with 200 other bills.

The MTCDPA looks a lot like the Connecticut Data Privacy Act (CTDPA) in several key respects. In particular, MTCDPA resembles Connecticut in:

• Providing consumers the right to revoke their consent to data processing;[1]
• Requiring businesses to recognize universal mechanisms for opting out of sales of personal data and targeted advertising[2] without having to verify their identities;[3] and
• Permitting a consumer to request deletion of all personal data about the consumer in the possession of a business, as opposed to just personal data a business collected directly from the consumer.

Also like the Connecticut law, the MTCDPA prohibits businesses from selling personal data or processing the personal data of a consumer for the purposes of targeted advertising without consent when a controller has actual knowledge that the consumer is at least 13 years of age but younger than 16 years of age (if data on a child under 13, compliance reverts to COPPA). Only California and Connecticut have similar provisions concerning privacy protections for a sub-set of minors.

We highlight other key provisions of the MTCDPA below.

Application Thresholds

The MTCDPA applies to companies that conduct business in Montana or target products or services to Montana residents that:

• Control or process the personal data of not less than 50,000 state residents, excluding personal data controlled or processed solely for purposes of completing a payment transaction; or
• Control or process the personal data of not less than 25,000 state residents and derive more than 25 percent of gross revenue from the sale of personal data.

The MTCDPA has the lowest applicability threshold of any of the nine comprehensive data privacy laws enacted. Most other state privacy laws apply to a business that controls or processes the personal data of 100,000 residents and the lower threshold likely accounts for Montana's smaller population.

Exemptions

Consistent with most other state data privacy laws, MTCDPA contains entity-level, data-specific, and employment-related exemptions.

Entity-level exemptions:

• government entities,
• nonprofit organizations,
• higher education institutions,
• registered securities associations,
• financial institutions covered by the Gramm-Leach-Bliley Act (GLBA), and
• "covered entities" under the Health Insurance Portability and Accountability Act (HIPAA),

Data-specific exemptions:

• protected health information under HIPAA,
• certain other health- and patient-related information under federal regulations and state laws, and
• information governed by and/or processed in accordance with other privacy laws, including the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, the Driver's Privacy Protection Act, and several others.

Employment-related exemption:

• personal information relating to applicants for employment and employees whose "communications or transactions occur within the context of that individual's role" with the employer, including emergency contact information and benefits.

Processing-related exemptions:

• The MTCDPA does not restrict a controller or processor from collecting, using, or retaining personal data to:
  • Comply with federal, state, or municipal ordinances or regulations;
  • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons, by federal, state, municipal, or other governmental authorities;
  • Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably, and in good faith, believes may violate federal, state, or municipal ordinances or regulations;
  • Investigate, establish, exercise, prepare for, or defend legal claims;
  • Provide a product or service specifically requested by a consumer;
  • Fulfil the terms of a written warranty;
  • Conduct internal research to develop, improve, or repair products, services, or technology;
  • Effectuate a product recall;
  • Identify and repair technical errors that impair existing or intended product functionality; or
  • Perform internal operations that are reasonable based on consumer expectations or the consumer relationship.
• A controller processing data under these exemptions "bears the burden of demonstrating that the processing qualifies for the exemption," and the processing must be "reasonably necessary and proportionate to the purposes listed."

Privacy Notices

The MTCDPA requires controllers to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

• The categories of personal information processed by the controller;
• The purpose for processing personal information;
• The categories of personal data that the controller shares with third parties, if any;
• The categories of third parties, if any, with which the controller shares personal data;
• An active email address or other mechanism that the consumer may use to contact the controller; and
• How consumers may exercise their rights, including how a consumer may appeal a controller's decision with regard to the consumer's request.

In addition, the MTCDPA states that a controller shall "establish and describe" in a privacy notice one or more secure and reliable means for consumers to submit a request to exercise their consumer rights, including the right to opt out of the sale of personal information to third parties and the right to request deletion or correction of certain personal information.

A controller may not require a consumer to create a new account to exercise consumer rights but may require a consumer to use an existing account.

Sensitive Data Defined

Like the Virginia, Connecticut, and Colorado laws, the MTCDPA prohibits businesses from collecting and processing "sensitive data" without obtaining the consumer's consent (or the parent's if under 13). The MTCDPA defines "sensitive data" as:

• Personal data revealing:
  • Racial or ethnic origin;
  • Religious beliefs;
  • Mental or physical health diagnosis;
  • Sexual orientation; or
  • Citizenship and immigration status;
• Genetic and biometric data that identifies an individual;
• Precise geolocation data (location within a radius of 1,750 feet); and
• Personal data collected from a known child (i.e., someone under the age of 13).

If the sensitive data pertains to a known child, compliance with the COPPA (verifiable parental consent) is required.

"Sale of Personal Data" Defined

The MTCDPA defines "sale of personal data" as the exchange of personal data for "monetary or other valuable consideration by the controller to a third party." The law excludes the following usual disclosures:

• To a processor that processes the personal data on behalf of the controller;
• To a third party for the purposes of providing a product or service requested by the consumer;
• To an affiliate of the controller;
• When the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party;
• Personal data that the consumer intentionally made available to the public via a channel of mass media and did not restrict to a specific audience; and
• Disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

As in other states that adopt this broader definition of "sale," consumers may opt out of disclosures to third parties for marketing, analytics, and other purposes for something of value other than monetary consideration.

Consumer Rights

As with other state privacy laws, the MTCDPA gives consumers the rights to confirm the processing of, and access to, their personal data; request that a controller correct inaccuracies in the consumer's personal data; delete personal data provided by the consumer or obtained by a controller regarding the consumer; and obtain a copy of the data in a portable and readily usable format.

As provided in other state privacy laws, controllers must respond to such requests within 45 days (with a 45-day extension available, if "reasonably necessary") and must offer consumers the right to appeal an adverse decision. The appeal response must be delivered by a controller to a consumer within 60 days, and if controllers deny an appeal, as in Virginia, controllers must provide a consumer with a method for contacting the attorney general to submit a complaint.

Required Recognition of Universal Opt-Out Mechanisms

Following California, Colorado and Connecticut, the MTCDPA requires controllers to recognize universal opt-out mechanisms for sales of personal data and targeted advertising. The MTCDPA states that, no later than January 1, 2025, covered companies must process opt-out requests submitted by consumers via universal opt-out mechanisms that are "consumer-friendly and easy to use" and "must allow the controller to accurately determine whether the consumer is a resident of the state and whether the consumer has made a legitimate request to opt out of any sale of a consumer's personal data or targeted advertising."

Data Protection Impact Assessments

Like the laws in Virginia, Connecticut, and Colorado, the MTCDPA requires controllers to conduct data protection assessments for each of the controller's processing activities that presents a heightened risk of harm prior to engaging in various processing activities, including:

• Processing personal data for targeted advertising;
• Sale of personal data;
• Processing sensitive data; and
• Processing of personal information for profiling if the profiling presents a reasonably foreseeable risk of unfair or deceptive or unlawful disparate impact on consumers, "intrusion upon seclusion," or other financial, reputational, or physical harms.

Impact assessments must weigh the benefits to the controllers against the risks to consumers' rights as mitigated by any safeguards, and assessments conducted in accordance with other state laws will comply with the MTCDPA, provided that those assessments are "reasonably similar in scope and effect" to an assessment required by the Montana law. The MTCDPA requires prospective data protection impact assessments for processing activities "created or generated" after January 1, 2025.

Processor Contracts

The MTCDPA uses a controller-processor framework and requires that controllers and processors memorialize their agreement through the usual contractual arrangements, including allowing and cooperating with reasonable assessments of the processor by the controller or its agent.

Consent Defined

"Consent" means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. The term may include a written statement, a statement by electronic means, or any other unambiguous affirmative action. Like California and Colorado's privacy laws, the MTCDPA prohibits the use of so-called "dark patterns" in obtaining consent from a consumer.

Enforcement

There is no private right of action afforded to consumers for violations under the MTCDPA or "any other law." The MTCDPA is only enforceable by the state attorney general's office.

Temporary Cure Period and Sunset Provision

The Montana attorney general must give businesses notice and the opportunity to cure an alleged violation within 60 days of receiving the notice. If a controller cures the alleged violation within the allotted 60-day cure period and provides an express written statement to the attorney general confirming the alleged violations were corrected, then the attorney general may not initiate an action against the controller.

However, the right to cure sunsets on April 1, 2026. After that, the attorney general will not have to give notice or wait to bring an enforcement action, and can pursue enforcement even if the violation was corrected.

Looking Ahead

DWT's Privacy & Security team regularly counsels clients on how their business practices can comply with state privacy laws. We will continue to monitor the rapid development of other state and new federal privacy laws and regulations.