The data privacy law of Montana, Montana Consumer Data Privacy Act (MCDPA) or SB0384 endeavors to protect the data privacy of its residents. MCDPA lays down the rights of consumers, the responsibilities of businesses, and other privacy-related rules. If you are a business that caters to the residents of Montana, this article will back you up.

Effective date: October 1, 2024

Official legal text: Senate Bill No. 384

What is the Montana Consumer Data Privacy Act (MCDPA)?

Akin to other US privacy laws, MCDPA also guarantees digital privacy to individuals. Along with conferring rights to consumers, it also enumerates the data processing tenets that businesses should follow.

The MCDPA legislation designates the Attorney General as its enforcement agency. However, it does not mention the extent of penalty that can be imposed for violations. 

MCDPA expressly prohibits the use of dark patterns to obtain consent from consumers. The law also requires businesses to obtain consent from parents/legal guardians before processing the personal data of a child between 13 to 16 years of age for sale, profiling, and targeted advertising. Businesses will initially get a 60-day notice period to cure the violation.

Who does the MCDPA apply to?

The applicability of Montana’s data privacy law is not based on a monetary threshold like CCPA.

MCDPA applies to for-profit businesses based in Montana or businesses elsewhere that target the residents of Montana and:

  • Controls/ processes the personal data of at least 50,000 consumers except to complete a payment transaction; or
  • Controls/ processes personal data of at least 25,000 consumers and gains 25% or more of its gross revenue from the sale of personal data.

Who is a consumer under Montana privacy law?

A consumer is a resident of Montana who does not act in a commercial or employment context. 

In addition, any employee, director, owner, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency is not a consumer if the communication/transactions with the controller/business occur within the context of their role.

What are the exemptions to MCDPA?

The law provides exemptions similar to those enumerated under other US privacy laws. For instance, the entities covered under the HIPAA and Gramm-Leach-Bliley Act, public bodies, national securities associations, institutions providing higher education, and non-profit entities. 

In addition to these entities, certain types of information are also excluded like the information covered under HIPAA, Health Care Quality Improvement Act, Fair Credit Reporting Act,  Farm Credit Act, Driver’s Privacy Protection Act, Family Educational Rights and Privacy Act, COPPA, Airline Deregulation Act, etc.

It also exempts Health-related information covered by other laws, patient-identifying information, information related to human subject research, data maintained for emergency purposes, etc

What does personal data mean under MCDPA?

Personal data is any information that can potentially identify an individual.

The act defines “personal data” as any information that is linked or reasonably linkable to an identified or identifiable individual. Phone numbers, email addresses, IP addresses, cookie IDs, etc might come under the category of personal data. 

De-identified data and publicly available information are not personal data under MCDPA

What is de-identified data?

A form of data maintained in such a way that it cannot be traced back to or used to identify an individual if proper measures are taken by businesses/ controllers to not attempt to reidentify the data and also obligates all parties involved in the processing to adhere to these standards.

What is publicly available information?

Information published through government records or mass media and those publicized by the consumer himself to the general public is not considered publicly available information.

What is sensitive data under MCDPA?

Most privacy laws extend enhanced protection to sensitive data, therefore businesses must be cautious while processing it. Let us look at the types of data that are included as sensitive data under Montana’s privacy act.

Sensitive data under MCDPA includes:

  • Any data that reveals a person’s
    • racial/ethnic origin
    • religious beliefs
    • mental/physical health conditions or diagnosis
    • sexual life
    • Sexual orientation
    • citizenship/immigration status
  • Processing biometric/genetic data to identify an individual
  • Personal data of a child below 13 years of age if the business is aware of the age (Known child)
  • Precise geolocation data

What are the obligations/limitations of businesses under MCDPA?

Let’s look at the obligations/limitations of businesses under the Act.

Data minimization

Do not collect more personal data than what is reasonable or adequate for the purpose for which it was obtained from consumers. Unnecessary collection of personal data is a potential liability. Therefore, stick to the data minimization principle.

Purpose limitation

Just like data minimization, purpose limitation is also a significant duty of businesses. Always limit the processing of personal data to what is required for the specific purpose disclosed to the consumers. Remember, transparency is the key. Do not process additional personal data without obtaining affirmative consent from the consumers.

Security safeguards

When you are involved in the processing of personal data you are inherently under an obligation to implement reasonable security measures to prevent any unauthorized access or violations regarding the data collected. Therefore establish proportional technical, administrative, and physical data security safeguards to protect the confidentiality of the data handled.

Sensitive data

Do not process sensitive data without obtaining consent from the consumer. To process the sensitive data of a child who is known to be under 13 years old, obtain verifiable consent from parents/legal guardians. For this purpose, be in confirmation with the Children’s Online Privacy Protection Act.

Non-discrimination

Do not discriminate among the consumers based on the exercise of their rights. This means that businesses cannot deny goods/services, reduce the quality of the products/services offered, or increase their prices. 

The following acts are not discrimination under the act:

  • Denying a product/service if the personal data required for that purpose is not collected/maintained by the business.
  • Varying the price, quality, selection, rate, and level of goods/services depending on the opt-outs made by the consumer.
  • Varying the price, quality, selection, rate, and level of goods/services based on their participation in loyalty, discount, rewards, or club card programs and premium versions offered.

Also, adhere to the federal and state laws that prohibit unlawful discrimination.

Consent

Businesses are required to obtain consent from the consumers for the following purposes:

  • Processing sensitive data
  • Processing personal data of children between 13-16 years of age for sale and targeted advertising if the business is aware of the age.

Consent withdrawal 

Provide the consumers with an easy method to withdraw their consent. Once a consumer revokes consent, Stop processing his personal data within 45 days.

Opt-out mechanisms

Businesses must reveal whether they will sell the personal data or use it for targeted advertising. Provide methods to opt out of sales, targeted advertising, and profiling. Recognize verifiable opt-out signals from authorized agents including the global opt-out mechanisms.

January 1, 2025, is the deadline to allow consumers to opt out of targeted advertising and sale of their personal data using opt-out signals. 

Privacy notice

Provide an accessible privacy notice to your consumers. It should be legible and meaningful. We will discuss the detailed privacy policy requirements subsequently.

Response plan

Craft a handy response plan for your business. Do not take more than 45 days to respond to and deliver the consumer request. If necessary, it can be extended to 90 days.

Notify the declinal of consumer requests, if any within 45 days.

Provide the method to appeal conspicuously and respond to appeals within 60 days. Also, mention how they can contact the attorney general in the event of denial of appeal.

Businesses are required to deliver the request for free once a year if it can be given without much hassles.

Contractual relationship

The law requires processors to abide by the directions of controllers. Processors are those who process personal data on behalf of controllers like businesses. Therefore, have a contractual relationship with data processors.

Determine the rights and obligations of each party, duration of the processing, types of data involved, nature and purpose of processing, etc in the contract. Also, ensure the processor’s compliance with the law, and require them to maintain the confidentiality and integrity of the data.

Data protection assessments

Regularly conduct assessments regarding the processing of data that poses a high risk like sensitive data, and personal data used for targeted advertising, sale, and profiling.

Data protection assessments must be documented and kept confidential. They come under the attorney-client privilege.

Data breach notifications

The rules under computer security breach require businesses to give notification regarding breaches to consumers without undue delay. The Attorney general should also be notified of the breach.

What are the rights of consumers under MCDPA?

Like other US privacy acts, MCDPA also grants consumers certain rights over their data:

Right to confirm

Consumers have the right to confirm whether businesses are processing their data. They can also request to access such personal data, except for anything that reveals a trade secret.

Right to correct

Consumers can request businesses to correct any inaccurate information maintained by the businesses.

Right to delete

Consumers can request businesses to delete any personal data that is being processed by them. This includes the personal data provided by the consumers and those obtained from other sources.

Right to portability

If any consumer wishes to obtain a copy of their personal data maintained by businesses, they can request the same. They also have the right to receive the copy in a portable and readable format. This enables them to transfer the data conveniently.

Right to opt-out

Consumers can opt out of targeted advertising, sale of their personal data, and profiling at any time. They can also delegate this right to an authorized agent using technology including global opt-out mechanisms.

Consent Requirements under MCDPA

Consent is an important basis for processing personal data. Therefore, it is significant to understand what constitutes a valid consent.

What constitutes a valid consent?

  • It should be an affirmative action and not given passively.
  • Given freely and without any coercive efforts from businesses.
  • Informed of what they are consenting to
  • Specifically given 
  • Unambigously agree to the processing.

The following are not consent:

  • Acceptance of general terms flooded with information instead of the specific purpose for which the consent is required.
  • Hovering over, muting, pausing, or closing a given piece of content.

Manage cookie consent
without any hassle

Add a cookie consent banner and manage cookie consent to comply with Montana Privacy Law

Try for free

14-day free trialCancel anytime

 

Privacy notice requirements under MCDPA

A privacy notice informs consumers about the data handling practices of your business. The law requires controllers to provide a well-drafted privacy notice to the consumers. 

The following elements are mandatory in a privacy notice:

  • The categories of personal data processed by the business/controller.
  • The specific purpose for which the personal data is processed.
  • The categories of personal data shared with third parties, if any.
  • The categories of third parties involved, if any.
  • An active email address/ contact information of the business/controller.
  • One or more methods to exercise consumer rights.
  • Procedure for appeal against the denial of consumer request.

What is the penalty for violating MCDPA?

The Montana privacy law takes a unique approach by not prescribing penalties in the act.

The law requires the attorney to give a 60-day notice for the businesses in violation to cure it. This notice period is only available until April 1, 2026. Later on, the attorney can initiate an action without giving a cure period.

There is no private right of action under MCDPA. This means that the exclusive enforcement power is with the attorney general.

It designates the Attorney General as the enforcement authority.

 CCPA vs MCDPA [Infographic]

Checklist for MCDPA compliance

  • Only collect personal data required for the disclosed purpose.
  • Limit the processing to what is required to fulfill the specific purpose.
  • Obtain consent to process sensitive data.
  • Obtain consent for the sale and targeted advertising of the personal data of a known child.
  • Provide a convenient consent withdrawal mechanism.
  • Provide an unambiguous and legible privacy notice.
  • Implement security safeguards.
  • Provide opt-out mechanisms.
  • Recognize global opt-out signals.
  • Do not discriminate among consumers based on the exercise of rights.
  • Create and implement a response plan for consumer requests.
  • Have a contractual relationship with processors.
  • Conduct regular data protection assessments.

FAQ on Montana Consumer Data Privacy Act

Does Montana have a privacy law?

Yes. Montana Consumer Data Privacy Act (SB0384) is the privacy law of Montana. It becomes effective on October 1, 2024. Businesses that cater to the residents of Montana might have to be compliant with the law.

What is the penalty for the Montana Consumer Data Privacy Act?

The act does not specifically prescribe the penalties for violations. But it appoints the attorney general as the enforcement agency. 

What constitutes the sale of personal data under MCDPA?

Exchange of personal data to third parties for monetary or any other valuable consideration constitutes a sale.

Is there a cure period under MCDPA?

Businesses will get a 60-day cure period until April 1, 2026. Later on, the enforcement agency can initiate legal actions without giving notice.