What to Know About the Montana Consumer Data Privacy Act (MCDPA)
Privacy & Compliance | August 09, 2023
On May 19th, 2023, Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (MCDPA) into law, making Montana the ninth state to pass a comprehensive consumer data privacy law. Montana’s law aligns closely with the legislation passed in Virginia and Connecticut, while incorporating some unique distinctions. This move reflects a trend, seen in states like Montana and Indiana, towards adopting more business-friendly data privacy frameworks as opposed to California’s more stringent regulations. The MCDPA goes into effect on October 1, 2024.
In this blog, we’ll cover the scope of the Montana Consumer Data Privacy Act (MCDPA), the rights it grants to Montana citizens, regulatory requirements for businesses, and how the law will be enforced.
For a more in-depth breakdown of state-level privacy laws, check out our new Comprehensive Guide to US Privacy Law for 2023, a free 46-page eBook that gives a comparison chart of all state-level privacy laws, as well as an in-depth breakdown of each law, the consumer rights and business requirements of each law, and best practices for compliance with the patchwork of US privacy laws.
Who Does the Montana Consumer Data Privacy Act Apply To?
The MCDPA applies to persons who conduct business in Montana or persons that produce products or services that are targeted to residents of Montana and:
- Control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- Control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.
However, the MCDPA makes significant exemptions for any body or political subdivision of the state, non-profit organizations, higher education institutions, and entities covered by the Federal Securities Exchange Act, Gramm-Leach-Bliley Act, or Health Insurance Portability and Accountability Act (HIPAA). Medical data, employment data, and personal data used in research are also exempt.
What Rights Does the Montana Consumer Data Privacy Act Provide for Montana Citizens?
Montana’s privacy law grants citizens of the state several new rights, modeled primarily on those in the Virginia Consumer Data Protection Act (VCDPA), which in turn drew its consumer rights from the EU’s General Data Protection Regulation (GDPR). Below, we examine several rights common among US data privacy laws, whether Montana’s law provides them, and the specific requirements for each right.
Right to Access
Consumers have the right to confirm whether a controller is processing the consumer’s personal data and to access that data unless such confirmation or access would require the controller to reveal a trade secret.
Right to Correction
Consumers have the right to correct inaccuracies in their personal data.
Right to Deletion
Consumers have the right to request the deletion of personal data.
Right to Data Portability
Consumers have the right to a copy of their personal information in a portable and readily usable format.
Right to Opt-Out of Data Processing
Under the MCDPA, consumers have the right to opt out of data processing for the following purposes: targeted advertising, the sale of personal information, and profiling. Consumers may also designate an authorized agent to exercise the right to opt out on their behalf. Notably, the MCDPA defines “authorized agent” broadly, including, but not limited to, internet links, browser settings, browser extensions, and other universal opt-out mechanisms.
A controller may not process sensitive data concerning a consumer without first obtaining the consumer’s consent or, in the case of a known child, without processing the sensitive data in accordance with the Children’s Online Privacy Protection Act of 1998.
Right to Opt-Out of Automated Decision Making
Consumers have the right to opt out of “profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.”
What are the Regulatory Requirements for Businesses?
Privacy Notice Requirements
Controllers must provide a clear, meaningful, and reasonably accessible privacy notice detailing the categories of personal data processed, the purposes of processing, any sharing of personal data with third parties, and how consumers may exercise their rights, including how to appeal a controller’s decision on a request. The notice must also provide a valid contact for the controller.
Consent Management Requirements
As demonstrated by the ‘right to opt-out,’ Montana’s law follows the opt-out consent model common to US laws. However, the law follows an opt-in consent model where sensitive personal information is concerned.
Data Security Requirements
A controller is required to establish, implement, and maintain reasonable administrative, technical, and physical security measures, appropriate to the volume and nature of the personal data at issue, to protect its confidentiality, integrity, and accessibility. The law does not specify particular security measures, so controllers must judge for themselves which controls are appropriate to the data they hold.
Data Protection Assessment Requirements
Controllers must perform and document data protection assessments (DPAs) for high-risk processing activities, including targeted advertising, selling personal data, profiling, and processing sensitive data. A DPA must weigh the potential benefits to all parties against the risks to consumer rights, taking into account available safeguards, the use of de-identified data, and the context of the processing. These assessments can overlap with compliance efforts for other regulations and may be requested by the attorney general during an investigation. The DPA requirement applies to processing activities initiated after January 1, 2025.
Data Collection and Purpose Limitation Requirements
Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed to the consumer.
Explicit consent is required for any new purpose beyond those previously disclosed.
How will the law be enforced?
The Montana Attorney General has exclusive authority to enforce the MCDPA. The law does not set specific fines for violations; instead, it provides that the Montana AG may bring an action against a violator if the violation is not cured within 60 days of the AG’s notice. There is no private right of action under the MCDPA.
Get Compliant with CHEQ Privacy
State privacy laws like this one are pressing new responsibilities—and penalties—on businesses and marketers. CHEQ Privacy offers organizations a solution to help build a fully compliant website and simplify compliance with Montana’s law, as well as the UCPA, CTCDPA, VCDPA, CCPA, CPA, GDPR, and any future privacy laws.
Request a demo to see how CHEQ can help your organization meet its compliance and consent management needs.