July 10, 2023

Montana Consumer Data Privacy Act

Discover the Montana Consumer Data Protection Act (MCDPA), a state law safeguarding consumer privacy. Learn about its requirements, exemptions, personal data definition, sensitive data protection, controller and processor duties, data processing agreements, privacy notice compliance, consent requirements, opt-out mechanisms, data protection assessments, consumer rights, enforcement, and fines.

Montana is among the first US states to pass a consumer privacy law, which shares many similarities with other laws in the US.

What is the Montana Consumer Data Protection Act (MCDPA)?

The Montana Consumer Data Protection Act (MCDPA) is Montana’s state law that protects consumer privacy by requiring businesses to meet specific privacy requirements and granting consumers a number of rights to hold businesses accountable. It will come into effect on October 1, 2024.

Does the MCDPA apply to your business?

The MCDPA applies to businesses that operate in Montana or target Montana consumers and that meet at least one of the following thresholds:

  • Control or process the personal data of at least 50,000 consumers, or
  • Control or process the personal data of at least 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

The Montana privacy law sets a lower threshold compared to other US states, which is reasonable for a state with a population of just over 1 million people.

Are there exemptions from the MCDPA?

Similar to other state privacy laws, the MCDPA exempts certain organizations and information from its scope. The exempt organizations include:

  • Government bodies
  • Nonprofit organizations
  • Higher education institutions
  • Financial institutions covered by the Gramm-Leach-Bliley Act (GLBA)
  • Entities and information regulated under the Health Insurance Portability and Accountability Act (HIPAA)

The following data is also exempt:

  • Personal data that is already covered by existing federal laws such as HIPAA, the Children's Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), the Driver's Privacy Protection Act, and the Farm Credit Act
  • Health records
  • Human subjects research data covered by other laws and standards
  • Data that is processed or maintained for employment purposes

What is personal data under the MCDPA?

MCDPA personal data is any data that could identify a person. That includes obvious information such as personal names, email addresses, and Social Security Numbers, but also includes data that could lead to a known person, such as browsing behavior, IP addresses, purchase history, etc. Deidentified data and publicly available personal information are exempt from the scope of the law.

What is sensitive personal data under the MCDPA?

The processing of sensitive data brings more risks to consumers; therefore, it is more strictly protected by the MCDPA. The expanded protection applies to the following sensitive data:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, or citizenship or immigration status
  • Genetic or biometric data that is processed to identify a person
  • Personal data of a known child
  • Precise geolocation data

What are MCDPA controllers and processors, and what are their duties?

Controllers are the companies that decide on everything about the processing activities, including what data to collect, for what purposes, where to store it, how long to retain it, etc. Processors are the service providers: the companies that carry out the processing on behalf of the controllers.

For example, if you run an ecommerce store, you decide why to process data, what data you need to process, what tools to use, etc., which means that you are the data controller. The third-party tools you employ to handle personal information, from email communication and personalized ads on social networks to monitoring site usage, function as your data processors.

If you run a Software-as-a-Service (SaaS) business, you make decisions on processing purposes, what data to process, and so on, which makes you a data controller. You act as a data controller when you utilize data for your own enterprise, but when you do that as a service to your customers, you serve as a data processor for the businesses using your SaaS.

The duties of the controllers include:

  • Implementing technical and organizational measures for data security and confidentiality
  • Processing personal data only for reasonable purposes
  • Collecting and processing only adequate amounts and categories of data for the processing purposes
  • Serving consumers with privacy notices
  • Obtaining explicit consent for processing of sensitive data
  • Responding to valid consumer requests
  • Allowing consumers to opt out of the sharing or sale of their data
  • Allowing consumers to revoke consent
  • Entering into a contract with each processor

Processors’ duties include:

  • Processing data on behalf of the controller only based on a written contract
  • Assisting the controller in responding to data breaches
  • Helping the controller in conducting data protection impact assessments
  • Complying with the data processing contract with the controller

What is a Data Processing Agreement, and why do we need it?

The Data Processing Agreement is the contract between the controller and the processor that governs the data processing. It is obligatory for every relationship between the controller and processor.

The Montana privacy law requires that the contract contains at least the following:

  • Instructions for the processing
  • The nature and purpose of processing
  • Duration of the processing
  • Types of data subjects of processing
  • Rights and duties of both parties, particularly about:
    - Confidentiality of data
    - Deletion and return of data
    - Hiring subcontractors
    - Helping in assessments
    - Helping in proving compliance

What is an MCDPA-compliant privacy notice?

To comply with the MCDPA, it's important to inform your users about what you do with their personal information. This should be in your privacy policy. The MCDPA specifies that your privacy policy should include:

  • The processing purposes
  • Categories of processed data
  • Third parties with whom you share data and the categories of data you share with them
  • Details on consumer rights and how to exercise them

That’s the bare minimum you need, but you can always add more for increased transparency.

Do I need to obtain consent from consumers for data processing?

Although the Montana consumer data protection law relies on the opt-out principle, which gives you the freedom to process data without consent, there are a few cases where you must obtain explicit consumer consent:

  • Processing personal data for purposes that are not reasonably necessary for, or compatible with, the purposes you disclosed to the consumer
  • Processing sensitive data, including data of a known child
  • Processing personal data of a child between 13 and 16 years old for targeted advertising or selling data

Consent means “a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer.”

The MCDPA further clarifies what does not count as valid consent:

  • Agreement obtained through dark patterns
  • Acceptance of Terms of Use or a similarly broad document that bundles the consent with unrelated provisions
  • Hovering over, muting, pausing, or closing a given piece of content

When it comes to a child’s data, you can obtain parental consent according to the COPPA mechanisms.

Do we need to respect universal opt-out mechanisms?

Yes, you must honor signals sent by consumers through universal opt-out mechanisms, such as the Global Privacy Control (GPC). There is one caveat: the consumer must take affirmative action to set up the universal opt-out mechanism.

What is a Data Protection Assessment?

A data protection assessment is a process that results in a document in which you assess the risk that a specific processing activity poses to the personal data of your consumers. The MCDPA explicitly prescribes that activities with heightened risk include:

  • Processing for targeted advertising
  • Sale of personal data
  • Profiling activities that may cause injury or harmful treatment to consumers
  • Processing of sensitive data

You need a separate data protection assessment for each activity that poses a heightened risk. The Attorney General can require you to present any data protection assessment to evaluate your compliance with the law.

What are MCDPA personal data rights and requests?

Montana consumers will have the following rights at their disposal:

  • Right to confirm processing
  • Right to access
  • Right to correction of data
  • Right to portability
  • Right to deletion
  • Right to opt out of:
    - The sale of data
    - Targeted advertising
    - Profiling for purposes that produce legal or other significant effects

Consumers can submit requests to exercise their rights using any of the methods established in your privacy policy. You must respond within 45 days. This deadline can be extended by an additional 45 days for more complex requests.

Who enforces the MCDPA and how much are the fines?

The Montana Attorney General will enforce the MCDPA. If their investigation finds that you are in violation, you’ll get a 60-day cure period to remedy the violations. If you fail to do so, you’ll be fined. The civil penalties can go up to $7,500 per violation.
