



Discover the Montana Consumer Data Privacy Act (MTCDPA), its implications for businesses, criteria for applicability, rights granted to consumers, and actionable steps for compliance. Explore the obligations, exemptions, and upcoming enforcement to gear up for this state privacy law, effective from October 1, 2024.
Montana is now among the US states with a data privacy law regulating how businesses process consumers' personal information. This new data privacy regulation creates duties for businesses, grants rights to consumers, and tightens data processing a bit.
It comes into effect on October 1, 2024.
The MTCDPA, being a state privacy law, applies to companies conducting business in Montana or targeting their products and services at Montana residents, provided they fulfill at least one of these criteria:
Montana's privacy legislation establishes a lower threshold relative to other states in the U.S., a practical approach for a state with a population slightly exceeding 1 million.
The law does not apply to:
On top of that, it explicitly excludes from applicability the following data categories:
It applies to you if you are a commercial business and meet the above thresholds. Remember that it is easy to process the personal information of 50,000 Montana residents. All it takes is for them to visit your website, and you'll process their data with Google Analytics. Anyone who is not a resident of Montana is not protected by this law.
Under the MTCDPA, personal data encompasses any information that can be used to identify an individual who is a Montana resident.
This not only covers clear identifiers like personal names, email addresses, and Social Security numbers but also extends to data that can be traced back to a specific person, such as online browsing habits, IP addresses, and purchase records.
However, the law does not apply to de-identified data or personal information that is publicly accessible.
Businesses that must follow Montana's consumer privacy law requirements have to adhere to the following requirements:
Data minimization means that businesses need to process only the minimum amount of data they need for a particular purpose. For example, if you need to send an email to a subscriber, there is no need to collect their phone number as well. If you collect a phone number you don't need, you don't respect the data minimization principle.
Purpose limitation, on the other hand, means that you can process the data only for the purpose for which it has been collected. If you collect an email address to create a user account for a customer, you cannot use it for marketing purposes. Creating a user account and marketing are two different purposes.
In general, processing personal information in Montana does not require obtaining consent. Businesses are free to process personal data until the consumer opts out of the processing.
When it comes to processing some data categories, however, businesses in Montana need to obtain explicit consent before processing the personal data for purposes such as sale or targeted advertising. These categories include:
Where children are concerned, the MTCDPA follows the federal Children's Online Privacy Protection Act (COPPA). Moreover, when it comes to obtaining consent, the MTCDPA bans the use of dark patterns, bundling consent with the Terms and Conditions, or putting a cookie wall between the user and the content.
You can process consumers' personal data without getting consent, but there is one caveat: you have to show them a privacy notice first.
Your privacy policy can serve as a privacy notice. It should include at least:
The Montana Consumer Data Privacy Act requires data controllers to provide users with a Privacy Policy that is clearly written, easily accessible, and contains meaningful information.
A data protection assessment involves creating a document that evaluates the risk posed by a particular processing activity to your consumers' personal data. The MTCDPA specifies that activities with increased risk encompass:
For each activity that presents an elevated risk, a distinct data impact assessment is necessary. The Attorney General has the authority to request any of your data protection assessments to assess your compliance with the law.
The MTCDPA requires controllers to conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm to a consumer, including processing personal data for targeted advertising, the sale of personal data or if it presents certain risks such as unfair or deceptive treatment; financial, physical or reputational injury; or an intrusion on the solitude or seclusion of a person considered “offensive” to a reasonable person. The MTCDPA also requires organizations to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.
The user has the right to opt out of the sale of personal information. The consumer may do so by submitting an opt-out request to the business through dedicated communication channels.
Consumers can opt out of:
Businesses must also honor opt-out requests made through universal opt-out mechanisms such as the Global Privacy Control (GPC), but only if consumers take a clear affirmative act signifying the opt-out, which means setting up their browser privacy settings.
A service provider is an entity that processes personal data on behalf of another entity. They are often called data processors under other laws. If you decide to process personal data with Google Analytics, Google is your service provider. If you install Meta Pixel on your website to retarget customers on social media, Meta is your service provider. If you sign up with a marketing agency to run your email marketing campaign with Brevo, both the marketing agency and Brevo are your service providers.
The MTCDPA requires businesses to have written contracts with all their service providers, in which the rights and duties of each party are clearly laid out.
Montana consumers are granted the following rights:
Consumers exercise their rights through consumer requests.
Consumers have the option to exercise their rights by submitting requests through any of the methods outlined in the privacy policy. You are obligated to respond within 45 days. For more complex requests, this timeframe may be extended by an additional 45 days.
On top of that, consumers will be given additional opt-out mechanisms.
The enforcement of the MTCDPA falls under the jurisdiction of the Montana Attorney General. Should their investigation reveal any non-compliance on your part, you will be granted a 60-day period to rectify the violations. Failure to correct these issues within the allotted time may result in fines. Civil penalties for each violation can reach as high as USD 7,500.
The privacy regulations set forth by Montana are still pending implementation. The law is scheduled to take effect on October 1, 2024. In anticipation of these upcoming regulations, Secure Privacy is set to offer comprehensive support and resources.
Our services are designed to ensure that you have all the essential tools at your disposal for full compliance. This includes guidance on adapting to the new legal requirements.