On May 19, 2023, Montana's Governor, Greg Gianforte, signed the Montana Consumer Data Privacy Act ("MCDPA"), making Montana the ninth state to enact a comprehensive privacy law and the fourth state to do so in the last two months. The MCDPA is substantially similar to the other state comprehensive privacy laws, but it will take effect on October 1, 2024, which is sooner than the recently-enacted laws in Indiana, Iowa, and Tennessee. Impacted businesses should consider beginning their MCDPA compliance now and integrating it into their compliance plans for the other state comprehensive privacy laws, including those still to take effect in 2023 in Colorado, Connecticut, and Utah. This could reduce overall costs of compliance.
The MCDPA will apply to persons conducting business in Montana or producing products or services that are targeted to residents of Montana and that either:
- control or process personal data of at least 50,000 consumers (defined below), excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- control or process personal data of at least 25,000 consumers and derive over 25% of their gross revenue from the sale of personal data.
The applicability thresholds under the MCDPA are unique from the other state privacy laws, but most closely align with the thresholds in Connecticut's law in that they both exclude personal data controlled or processed solely for the purpose of completing a payment transaction when calculating the amount of personal data controlled or processed. Unlike California's, Utah's, and Tennessee's privacy laws, which include a $25 million revenue threshold as part of applicability, there is no monetary threshold under the MCDPA. While many of the compliance obligations are similar under these laws, the applicability thresholds continue to have nuances, which may motivate businesses to comply with each law, even if they do not meet the applicability thresholds, because bifurcated compliance can be complicated.
Additionally, like the other state comprehensive privacy laws, the MCDPA contains exemptions for certain types of entities, such as governmental entities, financial institutions governed by the Gramm-Leach-Bliley Act, covered entities and business associates subject to HIPAA, non-profit organizations, and institutions of higher education. Further, the MCDPA also exempts certain types of information, such as protected health information under HIPAA, personal data regulated by the Family Educational Rights and Privacy Act, and data processed or maintained in the course of employment.
As is now the norm among state comprehensive privacy laws, the MCDPA uses a narrower definition of "consumer" than California's privacy law. It defines "consumer" to mean an individual who is a Montana resident, but excludes an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with a data controller occur solely within the context of that role. Therefore, employee personal information and business contact personal information fall outside the scope of the MCDPA.
With respect to consumers, the MCDPA regulates their "personal data," as well as a special category of personal data known as "sensitive data," which it defines as (i) racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, information about a person's sex life, sexual orientation, or citizenship or immigration status; (ii) genetic or biometric data processed for the purpose of uniquely identifying an individual; (iii) personal data collected from a known child (i.e., an individual under thirteen); or (iv) precise geolocation data. The MCDPA's definition of "sensitive data" is similar to the definitions used the other state comprehensive privacy laws, except for California's law, which uses a broader definition.
Additionally, the MCDPA defines the "sale of personal data" as exchange of personal data for monetary consideration or other valuable consideration by the controller to a third party. This is a broader definition of "sale" in comparison to the definitions used in other states that require monetary consideration only. The MCDPA also provides broad exceptions to the definition of "sale" that are similar to exceptions in other state privacy laws and should cover many ordinary business activities, such as disclosure of personal data to a processor who processes the personal data on behalf of a controller, to a third party for the purpose of providing a product or service requested by a consumer, and to an affiliate of the controller.
The MCDPA contains compliance obligations found in all the other state comprehensive privacy laws, such as requiring controllers to provide a compliant privacy notice to consumers and to enter into agreements with processors that handle the controller's personal data. Further, like the privacy laws in Colorado, Connecticut, Virginia, Indiana, and Tennessee, the MCDPA requires controllers to undertake data protection impact assessments of processing personal data for purposes of targeted advertising, the sale of personal data, profiling (in certain instances), and the processing of sensitive data. This is unlike the recently-enacted Iowa law, which, along with California and Utah, does not currently require data protection impact assessments. Of note, the MCDPA provides that data protection assessments must apply to processing activities created or generated after January 1, 2025.
Consumer Rights and Requests
Like all of the US comprehensive privacy laws, the MCDPA grants certain rights to individuals regarding their own personal data. Specifically, the MCDPA grants consumers the right to make requests to (1) access their personal data; (2) correct their personal data; (3) delete their personal data; (4) obtain a copy of their personal data; and (5) opt out of the processing of their personal data for targeted advertising, the sale of personal data, and certain types of profiling. Additionally, with respect to sensitive data, the MCDPA requires controllers to obtain prior consent from consumers (or their parents/legal guardians if the consumers are under age 13).
A controller has 45 days to respond to a consumer request, which may be extended once by an additional 45 days when reasonably necessary upon considering the complexity and number of the consumer's requests, provided that the controller informs the consumer of the extension within the initial 45-day period. Like under the comprehensive privacy laws in Colorado, Connecticut, Virginia, Indiana, Iowa, and Tennessee, a controller must also provide consumers with an appeals process if it denies a consumer's request, and a controller has 60 days to respond to an appeal.
Importantly, the MCDPA does not have a private right of action for individuals. Rather, like the other state comprehensive privacy laws, the MCDPA is enforced exclusively by its State Attorney General. Prior to initiating an action for a violation of the MCDPA, the Montana Attorney General must first give violators an opportunity to cure violations within 60 days of receiving notice of a violation. However, this right to cure ends on April 1, 2026.
The passage of the MCDPA is just another log on the fire of the state privacy law movement in the U.S., which is continuing to blaze. Especially given that the MCDPA will take effect in 2024, businesses should consider the benefits of a universal approach to privacy compliance and work on their compliance efforts now.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.