State Regulatory Developments

Montana Enacts Comprehensive Consumer Data Privacy Law

Montana recently enacted a comprehensive data privacy law entitled the “Consumer Data Privacy Act” (the Act), following other states like Tennessee, Iowa, Virginia, California, Colorado, Utah, and Connecticut.  The Act goes into effect on October 1, 2024.

Scope

The Act applies to persons (referred to as “controllers”) that conduct business in Montana or produce products or services targeted to Montana residents and that either: (i) control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (ii) control or process the personal data of not less than 25,000 consumers if more than 25% of the person’s gross revenue is derived from the sale of personal data.  “Personal data” is defined as “any information that is linked or reasonably linkable to an identified or identifiable individual,” but excludes “deidentified data or publicly available information.” 

The Act does not apply to: (i) financial institutions or their affiliates that are governed by, or personal data collected, processed, sold, or disclosed in accordance with, Title V of GLBA; (ii) state bodies/agencies; (iii) nonprofit organizations; (iv) institutions of higher education; (v) national securities associations registered with the SEC; and (vi) covered entities or business associates as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).  Among other exclusions, the Act also does not apply to the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under FCRA.

Consumer Rights

The Act grants Montana consumers certain rights with respect to their personal data.  Under the Act, consumers generally have the right to: (i) confirm whether a controller is processing the consumer’s personal data and to access such data; (ii) correct inaccuracies in the consumer’s personal data; (iii) delete personal data about the consumer; (iv) obtain a “readily usable” copy of the consumer’s personal data previously provided to the controller; and (v) opt out of the processing of the consumer’s personal data for certain purposes, including for targeted advertising.  As in states such as California and Connecticut, the Act requires controllers to recognize universal opt-out mechanisms.

The controller must reply to a consumer’s request without undue delay, but, generally, not later than 45 days after receipt of the request.  The controller may extend the response period by 45 additional days if the extension is reasonably necessary and the consumer is informed of it within the original 45-day response period.  Responses to a consumer’s reasonable requests are typically required to be provided for free once for each consumer during any 12-month period.

Notice Requirements and Other Obligations

Among other duties under the Act, the controller must provide a reasonably accessible, clear, and meaningful privacy notice that includes certain information, such as the categories of personal data that it processes, the purpose for processing personal data, and the categories of personal data that are shared with third parties, if any.  Additionally, the Act imposes certain requirements on contracts between controllers and processors.

Enforcement

There is no private right of action in the Act.  The Montana Attorney General has exclusive enforcement authority.