Author: Dr. Scott Allendevaux
We hear you loud and clear--yet another state privacy law to wrap your head around, right? Just when you've barely caught up with the previous eight, Montana marches in with its own version--the Montana Consumer Data Privacy Act (MTCDPA). We get it... it feels like you're constantly playing catch-up in this fast-paced world of data privacy legislation. But don't worry, we've got you covered. In this article, we're going to break down the MTCDPA in the simplest way possible, drawing on its similarities and differences to other recent laws, and hopefully, making it a little less of a headache for you. Stick around, you might even find it interesting.
Montana Enacts New Privacy Law
On 19 May 2023, Montana's Governor, Greg Gianforte, signed into law the Montana Consumer Data Privacy Act (MTCDPA), a broad-sweeping state privacy law that heralds a new era for data privacy protection in Montana. The law, slated to take effect on 1 October 2024, makes Montana the ninth state to adopt such comprehensive consumer data privacy legislation. It follows the path charted by other states, including California, Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, and Tennessee. Interestingly, Montana is also the first state to implement a controversial TikTok ban.
Similarities Between Montana and Connecticut
The MTCDPA closely mirrors the Connecticut Data Privacy Act (CTDPA) in several ways, such as providing consumers the right to revoke their consent to data processing, requiring businesses to recognize universal opt-out mechanisms, and allowing consumers to request the deletion of all their personal data held by a business. Unique among these provisions is the enhanced privacy protections for minors between the ages of 13 and 16 where the processing of personal data requires consent. This provision is only seen in California and Connecticut's privacy laws.
Scope of Applicability
The scope of the MTCDPA is expansive, applying to companies that do business in Montana or target products or services at its residents, and either control or process the personal data of no less than 50,000 state residents, or control or process the personal data of at least 25,000 state residents and derive more than 25 percent of gross revenue from the sale of personal data. This is the lowest applicability threshold among the nine states with comprehensive data privacy laws, likely reflecting Montana's smaller population.
Consistent with most state data privacy laws, the MTCDPA contains several entity-level, data-specific, and employment-related exemptions. For instance, government entities, nonprofit organizations, higher education institutions, registered securities associations, financial institutions covered by the Gramm-Leach-Bliley Act, and entities under the Health Insurance Portability and Accountability Act are all exempted from the law.
Decision Flow Qualifiers:
While this article and the decision flow provided does not consist legal advice, and while not every scenario can be explored here, this general decision flow may be helpful to determine if this law is applicable to your organization.
Step 1: Does your organization collect and process personal data?
If no, then the MTCDPA does not apply.
If yes, proceed to Step 2.
Step 2: Does your organization conduct business in Montana or target products or services to Montana residents?
If no, then the MTCDPA does not apply.
If yes, proceed to Step 3.
Step 3: Does your organization control or process the personal data of not less than 50,000 Montana residents (excluding personal data controlled or processed solely for purposes of completing a payment transaction)?
If no, proceed to Step 3a.
If yes, then the MTCDPA applies to your organization.
Step 3a: Does your organization control or process the personal data of not less than 25,000 Montana residents and derive more than 25 percent of gross revenue from the sale of personal data?
If no, then the MTCDPA does not apply.
If yes, then the MTCDPA applies to your organization.
Step 4 (for organizations to which the MTCDPA applies): Is your organization exempted from the MTCDPA as per the following categories?
Government entities, nonprofit organizations, higher education institutions, registered securities associations, financial institutions covered by the Gramm-Leach-Bliley Act (GLBA), and "covered entities" under the Health Insurance Portability and Accountability Act (HIPAA).
If yes, then the MTCDPA does not apply.
If no, then your organization is subject to the MTCDPA.
This decision flow can help your organization get a quick understanding of potential obligations under the MTCDPA.
Website Privacy Notices
The MTCDPA provides detailed instructions for privacy notices, requiring them to be accessible, clear, and meaningful. The notices must include categories of personal information processed, the purpose for processing, third-party sharing details, contact mechanisms, and how consumers may exercise their rights.
Data Subject Rights
Controllers are also required to establish secure and reliable means for consumers to submit requests to exercise their consumer rights, including the right to opt out of the sale of personal information and the right to request deletion or correction of personal data.
The MTCDPA also provides a range of consumer rights, including the rights to confirm the processing of, and access to, their personal data; request correction of inaccuracies; delete personal data; and obtain a copy of the data in a portable and readily usable format. Controllers must respond to such requests within 45 days, with a possible 45-day extension if reasonably necessary. In cases where a consumer's request is denied, they have the right to appeal, with an appeal response due from the controller within 60 days. If the appeal is denied, the consumer has the right to contact the attorney general to submit a complaint, similar to Virginia's law.
The MTCDPA mandates controllers to recognize universal opt-out mechanisms for sales of personal data and targeted advertising. By January 1, 2025, companies must process opt-out requests submitted via these consumer-friendly mechanisms accurately.
MTCDPA Definitions
The MTCDPA defines "sensitive data" as personal data revealing aspects like racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship and immigration status, genetic and biometric data, precise geolocation data, and personal data collected from a known child. Like the laws in Virginia, Connecticut, and Colorado, businesses are prohibited from processing such sensitive data without the consumer's consent.
Under the MTCDPA, the "sale of personal data" is defined as the exchange of personal data for "monetary or other valuable consideration" by the controller to a third party, with some exceptions. Similar to other states adopting this broader definition of "sale," consumers may opt out of disclosures to third parties for marketing, analytics, and other purposes for something of value other than monetary consideration.
In defining "consent", the MTCDPA aligns with California and Colorado's laws, stating that consent must be a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to the processing of personal data. The Act prohibits the use of deceptive "dark patterns" to obtain consent from a consumer.
Data Protection Impact Assessments
In alignment with laws in Virginia, Connecticut, and Colorado, the MTCDPA requires data protection impact assessments for each of the controller's processing activities that present a heightened risk of harm. The assessments must weigh the benefits to the controllers against the risks to consumers' rights as mitigated by any safeguards. Assessments in accordance with other state laws that are "reasonably similar in scope and effect" will comply with the MTCDPA. The Act mandates prospective impact assessments for processing activities "created or generated" after 1 January 2025.
Data Privacy Roles of the Parties
The MTCDPA utilizes a controller-processor framework and mandates the contractual memorialization of the relationship between the two entities. Contracts must allow for and cooperate with reasonable assessments of the processor by the controller or its agent.
Private Right of Action and Enforceability
The MTCDPA does not provide a private right of action for consumers for violations; it is enforceable only by the state attorney general's office. The Montana attorney general is obliged to give businesses notice and an opportunity to correct any alleged violation within 60 days of receiving the notice. After 1 April 2026, however, this right to cure will sunset, and the attorney general can then pursue enforcement action without providing notice or waiting for the violation to be corrected.
Conclusion
In conclusion, the Montana Consumer Data Privacy Act adds to the growing patchwork of state privacy laws in the United States, bearing several similarities to other state laws, while also offering some unique provisions. Its impact on businesses operating in Montana will be significant, as they will need to understand and adhere to these new obligations to protect consumer data. The MTCDPA also amplifies the call for a comprehensive federal data privacy law that would provide a uniform standard across all states.