An Overview of Montana’s Consumer Data Privacy Act (MCDPA)

I. Introduction

A wave of comprehensive state privacy laws is increasingly emerging in the United States. In a growing effort to enact statewide data privacy laws, Montana introduces its Consumer Data Privacy Act.

The House unanimously approved the Montana Consumer Data Privacy Act (MCDPA) – Senate Bill 384 on April 21, 2023. The bill has been passed to Greg Gianforte, the governor of Montana, for final approval.

The MCDPA stands out as the first data privacy bill mandating controllers to give universal opt-out mechanisms in a state legislature with a Republican majority, and it is structured similarly to Connecticut's CTDPA. Organizations have until October 1, 2024, to abide by the law.

II. Who Needs to Comply with Montana’s Consumer Data Privacy Act (MCDPA)

a) Material Scope

The provisions of MCDPA apply to persons that conduct business in Montana or persons that produce products or services that are targeted to residents of Montana and:

• control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
• control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

b) Exemptions

The MCDPA exempts the following entities from its application:

• body, authority, board, bureau, commission, district, or agency or any political subdivision of the state of Montana;
• non-profit organization;
• institution of higher education;
• national securities association that is registered under the Federal Securities Exchange Act of 1934;
• financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with, the Gramm-Leach-Bliley Act; or
• covered entity or business associate as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The law also does not have any application to the following types of data:

• Medical data covered under any medical laws: Many forms of health information, records, data and documents protected and covered under HIPAA, or other federal or state medical/healthcare laws;
• Personal data used for research: Identifiable private information collected, used or shared in research conducted in accordance with applicable laws;
• FCRA covered data: Any personal information of consumers collected or used for consumer credit scoring and reporting protected under the federal Fair Credit Report Act (FCRA);
• Driver data: Personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994;
• FERPA data: Personal data regulated by the federal Family Educational Rights and Privacy Act (FERPA);
• FCA data: Personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (FCA);
• COPPA data: Personal data used in accordance with the federal Children’s Online Privacy Protection Act (COPPA);
• ADA Data: Personal data collected, processed, sold, or disclosed in relation to price, route, or service by an air carrier subject to the Airline Deregulation Act of 1978 (ADA).
• Employment data: Personal data maintained for employment records.

III. Definitions of Key Terms

a) Affiliate

Affiliate means a legal entity that shares common branding with another legal entity or controls, is controlled by, or is under common control with another legal entity.

b) Biometric Data

Biometric data means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual.

c) Consent

Consent means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. The term may include a written statement, a statement by electronic means, or any other unambiguous, affirmative action.

d) Consumer

Consumer means an individual who is a resident of Montana.

e) Controller

Controller means an individual who or a legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.

f)  Dark Pattern

A dark pattern means a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice

g) Personal Data

Personal data means any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include deidentified data or publicly available information.

h) Processor

Processor means an individual or legal entity that processes personal data on behalf of a controller.

i)  Sensitive Data

Sensitive data means personal data that includes:

• data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person's sex life, sexual orientation, or citizenship or immigration status;
• the processing of genetic or biometric data for the purpose of uniquely identifying an individual;
• personal data collected from a known child; or
• precise geolocation data.

j)  Third-Party

Third-party means an individual or legal entity, such as a public authority, agency, or body, other than the consumer, controller, or processor or an affiliate of the controller or processor.

IV. Obligations for Organizations Under Montana’s Consumer Data Privacy Act (MCDPA)

A. Purpose Limitation

Under the MCDPA, a controller must limit the collection of all personal data to what is adequate, relevant, and reasonably necessary for the purposes for which the data is being collected.

B.  Consent Requirements

A controller is required to provide an effective mechanism for consumers to revoke their consent for processing of personal data and on revocation of the consent, the controller must cease to process the personal data as soon as practicable, but not later than 45 days after the receipt of the request to revoke consent.

A controller must seek the consumer’s express consent for processing the personal data for a purpose that is not reasonably necessary or compatible with the purposes for which the data was originally collected.

C.  Non-discrimination

A controller is barred from discriminating against the consumers for exercising their rights under the provisions of MCDPA or processing their personal data in violation of state and federal laws that prohibit unlawful discrimination. However, the law allows the controllers to offer different prices, rates, levels, quality, or selection of goods or services to a consumer if the consumer has exercised his/her right to opt-out of the sale of personal data or the offer is based on the consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

D. Privacy Notice Requirements

A controller is required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

• the categories of personal data processed by the controller;
• the purpose for processing personal data;
• the categories of personal data that the controller shares with third parties, if any;
• the categories of third parties, if any, with which the controller shares personal data; and
• an active e-mail address or other mechanisms that the consumer may use to contact the controller; and
• how consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision regarding the consumer's request.

Additionally, the controller must establish and describe in the privacy notice at least one (1) or more safe and reliable means for consumers to exercise their data subject rights (DSRs).

E. Security Requirements

The MCDPA requires organizations to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.

F. Data Protection Assessment

A data protection assessment (DPA) must be carried out and documented for each of the controller's processing activities that carry a heightened risk of harm to a customer, including:

1. the processing of personal data for the purposes of targeted advertising;
2. the sale of personal data;
3. the processing of personal data for the purposes of profiling in which the profiling presents a reasonably foreseeable risk of:
   • unfair or deceptive treatment of or unlawful disparate impact on consumers;
   • financial, physical, or reputational injury to consumers;
   • a physical or other forms of intrusion on the solitude or seclusion or the private affairs or concerns of consumers in which the intrusion would be offensive to a reasonable person; or
   • other substantial injuries to consumers; and
4. the processing of sensitive data.

A DPA must identify and balance potential benefits to the controller, the consumer, other stakeholders, and the public from the processing against any potential risks to the consumer's rights, as mitigated by any safeguards the controller may use to lessen these risks.

The controller must also consider the use of deidentified data, consumers' reasonable expectations, the context of the processing, and the relationship between the controller and the consumer whose personal data will be processed when conducting a DPA.

Moreover, an assessment carried out by the controller in pursuit of compliance with other regulations may also be used if the assessment has a reasonably comparable scope and effect to an assessment conducted under the MCDPA.

Any DPA that is relevant to an inquiry carried out by the attorney general may be requested to be disclosed by a controller, and the controller is required to make the assessment available to the attorney general.

Requirements for data protection assessments shall not be retroactive and must relate to processing operations started or generated after January 1, 2025.

G. De-identified Data Requirements

Any controller in possession of de-identified data must:

1. take reasonable measures to ensure that the de-identified data cannot be associated with an individual;
2. publicly commit to maintaining and using de-identified data without attempting to re-identify the deidentified data; and
3. contractually obligate any recipients of the de-identified data to comply with all provisions of the MCDPA.

A controller who discloses pseudonymous data or de-identified data must exercise reasonable oversight to ensure that any contractual obligations to which the pseudonymous data or de-identified data is subject are being met and must also take the appropriate steps if any of these obligations are violated.

V. Obligations of Processors

1. Assistance to Controller

The MCDPA requires the processors to assist the controllers by adopting appropriate technical and organizational measures to fulfill the controllers’ obligations to respond to DSR requests and to meet security and breach notification obligations with respect to the personal data processed.

The processors must also assist the controllers by providing the necessary information to conduct DPAs.

2. Processing under Contract

The processor shall be required to process the personal data on behalf of the controller in accordance with the terms of the contract between the controller and the processor (contract), setting forth the instruction for processing, nature, and purposes of the processing, the type of data processed, the duration of the processing and the rights and duties of both the parties. The contract shall also require the processor to:

• ensure the confidentiality of the personal data;
• delete or return the personal data to the collector on the direction of the controller, unless retention of personal data is required by the law;
• upon reasonable request from the controller, make available all the information in possession necessary to demonstrate compliance with its obligations;
• allow the controller to conduct an assessment, or arrange for a qualified and independent assessor to conduct an assessment, of the processor's policies and technical and organizational measures in support of the processor's obligations; and
• engage any subcontractor or agent through a written instrument requiring them to fulfill obligations towards the personal data.

VI. Data Subject Rights

The following data privacy rights are afforded to consumers under MCDPA:

A. Right to Access

Consumers have the right to confirm that the data controller is processing their data and the right to access the data.

B. Right to Correction

Consumers have the right to correct any mistakes in their personal data.

C. Right to Deletion

Consumers have the right to delete any personal data that relates to them.

D. Right to Portability

Consumers have the right to obtain a copy of their data, in a portable format that is readily usable, allowing the consumers to transfer the data to another controller without any issues.

E. Right to Opt-Out

Consumers have a right to opt-out of the sale of their personal data or the processing of their personal data for the purposes of targeted advertising and behavioral profiling.

F. Right to Appeal

Controllers must establish a process for consumers to appeal the controller's refusal to act on a request within a reasonable period after the consumer's receipt of the decision.

Response Period of DSR Requests

Controllers have 45 days to respond to the DSR requests after receiving them. However, if reasonably necessary and depending on the volume and complexity of requests, the response time may be extended for an additional 45 days. In case of an extension in the response period, data controllers must inform consumers within the first 45 days.

Denial of a DSR Request

If a controller declines to take any action related to the consumer's request, it must inform the consumer of such denial within the forty-five (45) day period, along with a justification for declining to take action and appropriate instructions on how to appeal the decision.

A controller must establish an appropriate process for a consumer to appeal any decision made by the controller in relation to their DSR requests within a reasonable period. The process to launch appeals must be just as easily available as the process to submit a DSR request.

A controller must inform the consumer of any action taken or not taken as a result of their appeal within sixty (60) days of receiving their appeal. If the appeal is rejected, the controller is required to provide the consumer with information on how they may contact the Attorney General to launch a complaint.

Charges for DSR Requests

Any information provided to the consumers due to a DSR request must be provided free of charge once annually. A controller may charge a reasonable fee covering administrative costs if the requests are manifestly unfounded, excessive, or repetitive. However, the controller bears the burden of demonstrating that a particular request is manifestly unfounded, excessive, or repetitive.

If a controller cannot authenticate a DSR request via commercially reasonable efforts, they may decline to take action and may request additional information from the consumer to authenticate the request.

VII. Limitations

Limiting its scope of application, the MCDPA provides that it does not restrict the ability of the controllers and the processors to do the following:

• comply with federal, state, or municipal ordinances or regulations;
• comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, municipal, or other government authorities;
• cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or municipal ordinances or regulations;
• investigate, establish, exercise, prepare for, or defend legal claims;
• provide a product or service specifically requested by a consumer;
• perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty;
• take steps at the request of a consumer prior to entering a contract;
• take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual and when the processing cannot be manifestly based on another legal basis;
• prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report, or prosecute those responsible for any of these actions;
• engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board that determines or similar independent oversight entities that determine:
  • whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller;
  • the expected benefits of the research outweigh the privacy risks;
  • whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification.
• assist another controller, processor, or third party with any of the obligations under the provisions of MCDPA; or
• process personal data for reasons of public interest in public health, community health, or population health, but solely to the extent that the processing is:
  • subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and
  • under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law.

Further, MCDPA provides that any obligations placed on a controller or processor under its provisions do not prohibit or restrict a controller or a processor from collecting, maintaining, using, or storing data to:

• Conduct internal research to develop, improve, or repair products, services, or technology;
• Effectuate a product recall;
• Identify and repair technical errors that impair existing or future functionalities;
• Perform internal operations that are:
  • Reasonably aligned with the expectations of the consumer;
  • Reasonably anticipated based on the consumer's existing relationship with the controller;
  • Reasonably compatible with the product or service specifically requested by a consumer, or parent of a child;
  • Reasonably aligned with the performances of a contract to which the consumer is a party.

Similarly, any obligations placed on a controller or a processor under MCDPA do not apply if compliance with such a requirement would violate an evidentiary privilege under Montana law.

VIII. Regulatory Authority

The Office of the Attorney General of Montana is the exclusive regulatory authority for the enforcement of provisions of the MCDPA. The attorney general has the following responsibilities:

• The controller must receive a notice of violation from the attorney general before any legal action is taken for a violation of any clause;
• The attorney general may file a lawsuit if the controller doesn't fix the violation within 60 days of receiving the notice of violation;
• No action must be taken against the controller if, within the 60-day window, the controller cures the observed violation and gives the attorney general an express written statement confirming that the alleged violations have been fixed and that no similar violations will occur in the future. This cure period, however, expires after April 1, 2026.

IX. How an Organization Can Operationalize Montana’s Consumer Data Privacy Act (MCDPA)

Organizations can operationalize Montana’s Consumer Data Privacy Act by:

• Establishing policies and procedures for processing data;
• Obtaining informed consent from consumers before collecting or sharing their data;
• Implementing appropriate security measures such as data encryption, access controls and audit logs to protect the confidentiality and integrity of the data;
• Establishing a robust and comprehensive framework to receive and process DSR requests;
• Conducting DPAs, vendor assessments, and other risk assessments at regular intervals
• Training employees who process consumer data;
• Establishing the organization's policies and procedures that support compliance with evolving regulations and regularly monitor for any updates; and
• Establishing a mechanism for handling any breaches of personal data or violations of the provisions of the MCDPA.

X. How Can Securiti Help

Securiti’s Unified Data Controls framework enables organizations to comply with Montana’s Consumer Data Privacy Act (MCDPA) – Senate Bill 384 by securing the organization’s data and enabling organizations to maximize data value and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.

Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.

Request a demo to learn more.