On May 19, 2023, Montana’s Governor signed Senate Bill 384, the Consumer Data Privacy Act. Montana joins California, Colorado, Connecticut, Indiana, Iowa, Tennessee, Utah, and Virginia in enacting a comprehensive consumer privacy law. The law is scheduled to take effect on October 1, 2024.
When does the law apply?
The law applies to a person who conducts business in the state of Montana and:
- Controls or processes the personal data of not less than 50,000 consumers (defined as Montana residents), excluding data controlled or processed solely to complete a payment transaction.
- Controls and processes the personal data of not less than 25,000 consumers and derives more than 25% of gross revenue from the sale of personal data.
Hereafter these covered persons are referred to as controllers.
The following entities are exempt from coverage under the law:
- Body, authority, board, bureau, commission, district, or agency of this state or any political subdivision of this state;
- Nonprofit organization;
- Institution of higher education;
- National securities association that is registered under 15 U.S.C. 78o-3 of the federal Securities Exchange Act of 1934;
- A financial institution or an affiliate of a financial institution governed by Title V of the Gramm-Leach-Bliley Act;
- Covered entity or business associate as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act (HIPAA).
Who is protected by the law?
Under the law, a protected consumer is defined as an individual who resides in the state of Montana.
However, the term consumer does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.
What data is protected by the law?
The statute protects personal data defined as information that is linked or reasonably linkable to an identified or identifiable individual.
There are several exemptions to protected personal data, including for data protected under HIPAA and other federal statutes.
What are the rights of consumers?
Under the new law, consumers have the right to:
- Confirm whether a controller is processing the consumer’s personal data
- Access personal data processed by a controller
- Delete personal data
- Obtain a copy of personal data previously provided to a controller
- Opt out of the processing of the consumer’s personal data for the purpose of targeted advertising, sales of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects
What obligations do businesses have?
The controller shall comply with requests by a consumer set forth in the statute without undue delay but no later than 45 days after receipt of the request.
If a controller declines to act regarding a consumer’s request, the business shall inform the consumer without undue delay, but no later than 45 days after receipt of the request, of the reason for declining.
The controller shall also conduct and document a data protection assessment for each of its processing activities that presents a heightened risk of harm to a consumer.
How is the law enforced?
Under the statute, the state attorney general has exclusive authority to enforce violations of the statute. There is no private right of action under Montana’s statute.