The Montana House of Representatives passed the Consumer Data Privacy Act and returned it to the Senate on April 17, 2023, before it heads to the Governor’s office for signature.

Which businesses does this law apply to?

The law applies to companies that conduct business, or produce products or services targeted to residents in the state of Montana, and fall under the following categories:

1. Control or process the personal data of 50,000 residents or more.
2. Control of process the personal data of not less that 25,000 residents and get 25% of its revenue from selling data.

What are the key highlights of the law? 

Let’s take a look at how the Montana Consumer Data Privacy Act defines consent, sensitive data, the “sale” of personal data, consumer rights, and data protection impact assessments. 

Consent 

Under Montana’s law, consent is defined as the “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data”. It further states that the accepted mediums are a written statement, electronic statement, or any other action that qualifies as unambiguous and affirmative. 

Montana primarily operates on an opt-out mechanism regarding how data controllers need to go about obtaining consent. 

Sensitive Personal Information (SPI)

Data that falls under the following categories constitutes SPI as defined by Montana’s Consumer Data Privacy Act: 

1. Racial or ethnic origin
2. Religious beliefs
3. Health data
4. Sexual orientation
5. Citizenship status
6. Genetic / Biometric data
7. Children’s data
8. Geolocation

There is also an additional provision in the law that states that data controllers can only process a consumer’s sensitive data with additional consent around this processing use case. Controllers are also required to conduct a data protection assessment in the case of processing sensitive data.

Consumer Rights

The following privacy rights are afforded to consumers under Montana’s Consumer Data Privacy Act: 

1. Right to access – Consumers have the right to confirm that their data is being processed by the data controller and access it as well
2. Right to correction – Consumers have the right to correct any mistakes in their personal data
3. Right to deletion – Consumers have the right to delete any personal data that relates to them
4. Right to portability – Consumers have the right to obtain a copy of their data, in a portable format that is “readily usable”, allowing them to transfer this data to another controller without any issues
5. Right to opt out of targeted advertising, behavioral profiling, sale of personal data

When it comes to controllers responding to these requests, they are subject to a 45-day timeline to respond to the request. However, this can be extended for an additional 45 days if “reasonably necessary” based on the number of requests and their complexity. If the response period is extended, data controllers must inform consumers of this extension within the initial 45-day period. 

Additionally, the law states that responding to consumer requests should be completed free of charge once every 12 months. In the case of multiple requests that are deemed “unfounded, excessive, technically infeasible, or repetitive”, controllers have the right to charge consumers with reasonable fees to cover the administrative costs of fulfilling these requests. They also have the option to decline these requests that fall under that category. 

Sale of Personal Data

The sale of personal data is defined as the “exchange of personal data for monetary or other valuable consideration by the controller to a third party”, similar to the Connecticut Data Privacy Act (CTDPA). 

It differs from other privacy laws due to the language around “valuable consideration”, which expands this definition beyond just monetary exchanges for data.

Privacy Notices and Disclosures

Montana’s Consumer Data Privacy Act states that privacy notices must be “reasonably accessible, clear, and meaningful”, that answer the following questions about your business:

1. What categories of personal data are you processing?
2. Why are you processing this data (what is the purpose)?
3. What categories of personal data are being shared with third parties?
4. What categories of third-parties are you sharing personal data with?
5. How can consumers contact you (email address or phone number)?
6. How can consumers exercise their privacy rights, or appeal a decision regarding a rights request?

Data Protection Assessments (DPA)

Data controllers are required to conduct a DPA when carrying out activities that present “a heightened risk of harm” to consumers. These include the following:

1. Processing data for targeted advertising
2. The sale of personal data
3. Processing data for behavioral profiling with the risk of the following
4. Unfair or deceptive treatment of consumers
5. Financial, physical, or reputational injury to consumers
6. Intrusion to the privacy of consumers
7. Other substantial inury to consumers
8. Processing sensitive data

What does this mean for your organization? 

Montana’s Consumer Data Privacy Act is currently set to go into effect on October 1, 2024, pending signature from the Governor’s office, meaning organizations that are required to comply with the law have over a year to get acquainted with its provisions and add it to their US privacy compliance checklist. 

How can OneTrust help with compliance? 

OneTrust can help your organization introduce the right business workflows and data policies that help keep you compliant with all applicable privacy regulations. For more information on what you can do to stay on top of the US privacy landscape, take a look at how to operationalize privacy compliance, with OneTrust Privacy Management. Request a demo to see what works for your business today.