On May 19, 2023, Montana Governor Greg Gianforte signed into law Senate Bill 384 ("Montana Consumer Data Privacy Act"), Montana's new state consumer privacy law, which will become effective October 1, 2024. Montana now joins California, Utah, Colorado, Connecticut, Virginia, Iowa, Indiana, and Tennessee (together, "US State Data Privacy Laws") as states with their own consumer privacy laws. Many state legislatures have been quite active in enacting state data privacy laws this year. Of note, the Montana Consumer Data Privacy Act does not stand out from the group of existing US State Data Privacy Laws in its requirements, so controllers should have little difficulty adapting their existing data privacy compliance program to the Montana Consumer Data Privacy Act. Similar to our other articles on US State Data Privacy Laws, we summarize the key components of the Montana Consumer Data Privacy Act below.
Who does the Montana Consumer Data Privacy Act apply to?
The Montana Consumer Data Privacy Act imposes transparency and disclosure obligations on a "controller" (an individual who or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data) that either conducts business in Montana or produces products or services that are targeted to the residents of Montana, and that:
- controls or processes personal data of not less than 50,000 Montana residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- controls or processes personal data of not less than 25,000 Montana residents and derives more than 25 percent of its gross revenue from the sale of personal data.
Notably, the Montana Consumer Data Privacy Act does not have a revenue threshold for entities to be subject to privacy obligations. In addition, the Montana Consumer Data Privacy Act does not generally apply to government entities, nonprofits, institutions of higher education, HIPAA-covered entities and business associates, and Gramm-Leach-Bliley Act-regulated entities and data. The Montana Consumer Data Privacy Act also does not generally apply to certain classes of data including health records, scientific research data, consumer credit-reporting data, data regulated by the Family Educational Rights and Privacy Act or federal Farm Credit Act, and employment-related information.
What rights does the Montana Consumer Data Privacy Act grant consumers?
The Montana Consumer Data Privacy Act grants Montana residents acting in an individual context, and not in a commercial or employment context ("consumers"), certain access and control rights concerning their personal data. A consumer may submit authenticated requests to a controller to:
- confirm whether the controller is processing the consumer's data and provide access to the consumer's data;
- correct inaccurate personal data of the consumer;
- delete personal data about the consumer;
- obtain a copy of the consumer's personal data (i.e., data portability); and
- opt out of the processing of the consumer's personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
A controller must respond to consumer requests to exercise their rights granted by the statute within 45 days, though that time period may be extended for an additional 45 days when reasonably necessary considering the complexity and number of the consumer's requests. The Montana Consumer Data Privacy Act also grants consumers the right to appeal the controller's refusal to take action on requests to exercise their rights. A controller must respond to an appeal in writing within 60 days and, if the appeal is denied, the controller must provide the consumer with a method for contacting the Montana Attorney General.
What obligations does the Montana Consumer Data Privacy Act impose on controllers?
The Montana Consumer Data Privacy Act applies to "personal data." Personal data is defined as any information that is linked or reasonably linkable to an identified or identifiable individual.
The definition of personal data notably excludes de-identified data or publicly available information.
The Montana Consumer Data Privacy Act requires controllers to:
- Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the disclosed purposes for which the personal data is processed.
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of consumers' personal data.
- Process consumers' sensitive data only after obtaining the consumer's consent. Sensitive data is defined to include genetic or biometric data for the purpose of uniquely identifying an individual, precise geolocation data, personal data collected from a known child, and personal information revealing racial or ethnic origin, religious beliefs, and health status.
- Refrain from discriminating against consumers who exercise the rights granted by the statute.
- Clearly and conspicuously disclose if the controller sells consumers' personal data to third parties or engages in targeted advertising, and provide consumers an opportunity to opt out.
- By no later than January 1, 2025, allow consumers to opt out of the selling or processing of their personal data for the purposes of targeted advertising through an opt-out preference signal.
- Conduct a data protection impact assessment on the processing of personal data that presents a heightened risk of harm to a consumer, including targeted advertising, the sale of personal data, the processing of sensitive data, and profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment of or unlawful disparate impact on consumers; financial, physical, or reputational injury to consumers; or a physical or other form of intrusion on private affairs, where the intrusion would be offensive to a reasonable person.
- When in possession of de-identified data, take reasonable measures to ensure that the data cannot be associated with an individual, commit publicly to maintaining and using data as de-identified data, and contractually obligate any recipients of the data to comply with the Montana Consumer Data Privacy Act.
The Montana Consumer Data Privacy Act imposes additional requirements on processors (an individual or legal entity that processes personal data on behalf of a controller). Processors must assist the controller in meeting its obligations under the act, including its obligations regarding consumer rights requests and the security of data processing. The Montana Consumer Data Privacy Act also requires that all processing be governed by a contract between the controller and the processor that sets out the relevant consumer privacy provisions.
Key Aspects of the Montana Consumer Data Privacy Act
- Right for Consumers to Opt Out: The Montana Consumer Data Privacy Act permits consumers to opt out of the processing of personal data for the sale of personal data, profiling, or for targeted advertisements.
- Processing Agreement Required between Controllers and Service Providers: Like certain other US State Data Privacy Laws, the Montana Consumer Data Privacy Act requires controllers to enter into contracts with processors that regulate how processors process data. Contracts under the Montana Consumer Data Privacy Act must clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the parties' rights and obligations. The contracts also must include a duty of confidentiality and must require that processors only engage subcontractors pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data. The Montana Consumer Data Privacy Act also requires processors to delete or return personal data upon the controller's request.
- Attorney General Investigations and Enforcement: Like most of the US State Data Privacy Laws, the Montana Consumer Data Privacy Act does not provide for a private right of action. The Montana Office of the Attorney General has exclusive authority to enforce violations. However, the Montana Attorney General must issue a notice of violation to the controller prior to initiating any action. A controller will then have 60 days to correct the noticed violation and to provide the Montana Attorney General an express written statement that the alleged violations have been corrected and that no such further violations will occur. Importantly, the cure provision will terminate on April 1, 2026, eighteen months after the law becomes effective. Unlike certain other US State Data Privacy Laws, the Montana Consumer Data Privacy Act does not specify a civil penalty amount.
While the Montana Consumer Data Privacy Act is not significantly distinguishable in substance from other US State Data Privacy Laws, businesses should not overlook the law, especially with the uncertainty regarding the civil penalties that may be levied or other remedies available to the state Attorney General.
White & Case's Data, Privacy and Cybersecurity team will continue to provide updates as these laws and regulations emerge. Please reference our US Data Privacy Guide and other client alerts for general steps to take to comply with US data privacy laws.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2023 White & Case LLP