Several state legislatures in the US are quite active in enacting comprehensive data privacy laws now. On May 19, the Montana State Governor signed the Montana Consumer Data Privacy Act, making it the 9th state privacy law in the US. The law is scheduled to take effect from October 1, 2024, looking a lot like the Connecticut State Privacy Law.

Giving businesses less than a year to prepare for compliance, here’s what the law has to offer to its consumers and businesses.

Scope

The MCDPA does not include any revenue thresholds for entities to be subject to the law. The law applies to an individual or legal entity determining the purpose and means of processing personal data who either has their business in Montana or provides products and services to the state residents. With the lowest application threshold compared to most other state privacy laws in the US, the MCDPA applies to businesses that control and process:

• Personal data of not less than 50 thousand consumers, except for the data processed solely for payment transactions.

• Personal data of not less than 25 thousand consumers and derives more than 25 percent of the revenue in gross through personal data sale.

Exemptions

The law stays consistent with most other state privacy laws in the US and does not apply to non-profits, government entities, and institutes of higher education. The MCDPA also doesn’t apply to entities covered under the HIPPA and Gramm-Leach-Bliley Act.

Employment-related information, scientific research data, health records, and consumer credit-reporting data also have an exemption from the law. Apart from these, data regulated by the Farm Credit Act and Family Educational Rights and Privacy Act are not applicable.

Rights to Consumers

Under the law, a consumer is a state resident acting as an individual for any purpose apart from commercial and employment contexts. Like most other state privacy laws, the Montana Consumer Data Privacy Act grants the following rights to its consumers:

• Confirm if a controller is processing their personal data.

• Access personal data obtained/ collected and processed by a controller.

• Delete their personal data.

• Correct the inaccuracies in their personal data.

• Request for a copy of their personal data being used by the controller.

The MCDPA also provides opt-out rights to the consumers, through which they can opt out of data processing for target advertising, profiling, or sale of their personal data.

Like other state privacy laws, the MCDPA provides 45 days for the controllers to respond to consumer requests. A 45-day extension can be applicable if reasonable, considering the complexity and number of requests placed by the consumer.

The law also provides the right to appeal to the controller’s refusal to exercise consumer rights. The controllers have 60 days to respond to such appeals and are required to provide the consumer with a method to contact the Attorney General, just like Virginia’s state privacy law.

Obligations for Businesses

The MCDPA imposes obligations to businesses and applicable entities like most other states, closely aligning with Virginia, Colorado, and Connecticut’s state privacy laws. Montana State Privacy Law requires controllers to:

• Limit the processing of personal data to what is relevant, adequate, and necessary.

• Implement and maintain reasonable physical, technical, and administrative security measures to protect the accessibility, confidentiality, and integrity of the consumers’ personal data.

• Obtain consent from the consumer before processing their sensitive data.

• Refrain from discrimination against consumers exercising their rights.

• Provide a clear, reasonable, and meaningful policy to the consumers covering the different categories and purposes of their personal information being processed.

Other business obligations from this law include:

DPAs – Conduct data protection impact assessments when personal data processing presents a heightened risk of harm to the consumers.

Processor Agreements – Enter contracts with processors to regulate data processing. Such contracts must contain clear instructions for personal data processing, nature and purpose of data processing, its duration, and the type of data being processed. The law also requires the processors to delete or return the personal data at the controller’s request.

Consent Revocation – Provide a mechanism for the consumers to revoke their consent for processing their personal data. Within 45 days of revocation, controllers are required to cease personal data processing.

Enforcement

Like other state privacy laws in the US, Montana’s CDPA doesn’t provide a private right of action. The Montana Attorney General holds the authority to enforce the law and issue a notice to the controllers before acting against violations. Unlike some state privacy laws, the MCDPA doesn’t include any civil penalty amount for law violations.

The Montana Attorney General must issue a notice of violation to the controller prior to initiating any action. The controllers will have 60 days to cure the violation and provide an express written statement to the Attorney General stating that the violations are corrected. However, the right to cure is only applicable until 1st April 2026.

Conclusion

Montana’s State Privacy Law is not significantly different from other US state privacy laws, helping businesses have a lighter lift