The Montana Consumer Data Privacy Act (MTCDPA): Understanding the Latest Data Privacy Law

The state of Montana is now among the US data privacy laws regulating the data privacy of consumers whose personal information is processed by businesses. This new data privacy regulation creates duties for businesses, grants rights to consumers, and tightens the data processing a bit.

It comes into effect on October 1, 2024.

Does the Montana Consumer Data Privacy Act apply to your business?

The MTCDPA, being a state privacy law, applies to companies conducting business in Montana or targeting their products and services at Montana residents, provided they fulfill at least one of these criteria:

• Controls or processes personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely to complete a payment transaction, or
• Controls or processes personal data of no less than 25,000 consumers and earns over 25% of their gross revenue from selling personal data.

Montana's privacy legislation establishes a lower threshold relative to other states in the U.S., a practical approach for a state with a population slightly exceeding 1 million.

The law does not apply to:

• Nonprofit organizations
• Higher education institutions
• Government bodies
• Financial institutions covered by the Gramm-Leach-Bliley Act (GLBA) and Federal Securities Exchange Act
• Entities and information regulated under the Health Insurance Portability and Accountability Act (HIPAA)

On top of that, it explicitly excludes from applicability the following data categories:

• information governed by and/or processed in accordance with other privacy laws, including the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, the Driver's Privacy Protection Act, the Farm Credit Act, and several others
• Health Records
• Human subjects research data covered by other laws and standards.
• Employment data

It applies to you if you are a commercial business and meet the above thresholds. Remember that it is easy to process the personal information of 50.000 Montana residents. All it takes is for them to visit your website, and you'll process their data with Google Analytics. Anyone who is not a resident of Montana is not protected by this law.

What is personal data under Montana's Data Protection Act?

Under the MTCDPA, personal data encompasses any information that can be used to identify an individual who is a Montana resident.

This not only covers clear identifiers like personal names, email addresses, and Social Security numbers but also extends to data that can be traced back to a specific person, such as online browsing habits, IP addresses, and purchase records.

However, the law does not apply to de-identified data or personal information that is publicly accessible.

What duties do businesses have under the Montana privacy law?

Businesses that must follow Montana's consumer privacy law requirements have to adhere to the following requirements:

• Process only the minimum amount of data.
• Process the data only for the purposes it has been collected for.
• Provide consumers with a privacy notice.
• Conduct risk assessments where necessary.
• Honor consumer requests.
• Have written contracts with service providers.
• Provide consumers with mechanisms to opt out of the processing of certain types of data.

Data Minimization and Purpose Limitation

Data minimization means that businesses need to process only the minimum amount of data they need for a particular purpose. For example, if you need to send an email to a subscriber, there is no need to collect their phone number as well. If you don't need the phone number, then you don't respect the data minimization principle.

Purpose limitation, on the other hand, means that you can process the data only for the purpose for which it has been collected. If you collect an email address to create a user account for a customer, you cannot use it for marketing purposes. Creating a user account and marketing are two different purposes.

Consent for the Processing of Sensitive Personal Data Under the MTCDPA

In general, processing personal information in Montana does not require obtaining consent. Businesses are free to process personal data until the consumer opts out of the processing.

When it comes to processing some data categories, however, businesses in Montana need to obtain explicit consent before processing the personal data for purposes such as sale or targeted advertising. These categories include:

• Specific categories of personal data for inadequate purposes (when you collect data for one purpose but want to process it for another purpose)
• Processing sensitive data, including the data of a known child
• Processing personal data of a child between 13 and 16 years old for targeted advertising or sale of personal data

Where children are concerned, the MTCDPA follows the federal Children’s Online Privacy Protection Act (COPPA). Moreover, the MTCDPA bans the use of dark patterns, bundling them to the Terms and Conditions, or putting a cookie wall between the user and the content. 

Privacy Notice Under the MTCDPA

You can process their personal data without getting consent, but there is one caveat: you have to show consumers a privacy notice first.

Your privacy policy can serve as a privacy notice. It should include at least:

• The processing purposes
• Categories of processed data
• Third parties with whom you share data and the categories of data you share with them
• Details on consumer rights and how to exercise them.

The Montana Consumer Data Privacy Act requires data controllers to provide users with a Privacy Policy that is clearly written, easily accessible, and contains meaningful information.

Data protection assessments

Data protection assessment involves creating a document that evaluates the risk posed by a particular processing activity to your consumers' personal data. The MTCDPA specifically requires that activities with increased risk encompass:

• Processing personal data for the purpose of targeted advertising
• Selling personal data
• Profiling activities that could lead to harm or detrimental treatment of consumers
• Handling sensitive data

For each activity that presents an elevated risk, a distinct data impact assessment is necessary. The Attorney General has the authority to request any of your data protection assessments to assess your compliance with the law.

The MTCDPA requires controllers to conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm to a consumer, including processing personal data for targeted advertising, the sale of personal data or if it presents certain risks such as unfair or deceptive treatment; financial, physical or reputational injury; or an intrusion on the solitude or seclusion of a person considered “offensive” to a reasonable person. The MTCDPA also requires organizations to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.

Opt-Out of the Sale of Personal Information

The user has the right to opt out of the sale of personal information. The consumer may do so by submitting an opt-out request to the business through dedicated communication channels.

Consumers can opt-out of:

• The sale of personal information
• Processing of their personal data for targeted advertising, or
• Processing for the purposes of profiling that produces legal or other significant effects.

Businesses must also honor opt-out requests made through universal opt-out mechanisms such as the Global Privacy Controls (GPC), but only if consumers take a clear affirmative act signifying the opt-out, which means setting up their browser privacy settings.

Contracts with service providers

A service provider is an entity that processes personal data on behalf of another entity. They are often called data processors under other laws. If you decide to process personal data with Google Analytics, Google is your service provider. If you install Meta Pixel on your website to retarget customers on social media, Meta is your service provider. If you sign up with a marketing agency to run your email marketing campaign with Brevo, both the marketing agency and Brevo are your service providers.

MTCDPA requires businesses to have written contracts with all the service providers where the rights and duties of each party are clearly drawn out.

What consumer rights does Montana's data protection law grant?

Montana consumers are granted the following rights:

• Right to confirm processing
• Right to access
• Right to correction of data
• Right to portability
• Right to deletion
• Right to opt out of targeted advertising, the sale of personal information, or profiling with legal or other significant effects.

Consumers exercise their rights through consumer requests.

Honoring Data Subject Requests Under the MTCDPA

Consumers have the option to exercise their rights by submitting requests through any of the methods outlined in the privacy policy. You are obligated to respond within 45 days. For more complex requests, this timeframe may be extended by an additional 45 days.

On top of that, consumers will be given additional opt-out mechanisms.

MTCDPA enforcement and penalties

The enforcement of the MTCDPA falls under the jurisdiction of the Montana Attorney General. Should their investigation reveal any non-compliance on your part, you will be granted a 60-day period to rectify the violations. Failure to correct these issues within the allotted time may result in fines. Civil penalties for each violation can reach as high as USD 7,500.

How do I comply with the MTCDPA?

The privacy regulations set forth by Montana are still pending implementation. The enactment of this law is scheduled for October 1, 2024. In anticipation of these upcoming regulations, Secure Privacy is set to offer comprehensive support and resources.

Our services are designed to ensure that you have all the essential tools at your disposal for full compliance. This includes guidance on adapting to the new legal requirements.