A wave of comprehensive state privacy laws is increasingly emerging in the United States. In a growing effort to enact statewide data privacy laws, Montana introduces its Consumer Data Privacy Act.
The House unanimously approved the Montana Consumer Data Privacy Act (MCDPA) – Senate Bill 384 on April 21, 2023. The bill has been passed to Greg Gianforte, the governor of Montana, for final approval.
The MCDPA stands out as the first data privacy bill mandating that controllers honor universal opt-out mechanisms to be passed by a state legislature with a Republican majority, and it is structured similarly to Connecticut's CTDPA. Organizations have until October 1, 2024, to comply with the law.
The provisions of MCDPA apply to persons that conduct business in Montana or persons that produce products or services that are targeted to residents of Montana and:
The MCDPA exempts the following entities from its application:
The law also does not have any application to the following types of data:
Affiliate means a legal entity that shares common branding with another legal entity or controls, is controlled by, or is under common control with another legal entity.
Biometric data means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual.
Consent means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. The term may include a written statement, a statement by electronic means, or any other unambiguous, affirmative action.
Consumer means an individual who is a resident of Montana.
Controller means an individual who or a legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.
Dark pattern means a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice.
Personal data means any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include deidentified data or publicly available information.
Processor means an individual or legal entity that processes personal data on behalf of a controller.
Sensitive data means personal data that includes:
Third-party means an individual or legal entity, such as a public authority, agency, or body, other than the consumer, controller, or processor or an affiliate of the controller or processor.
Under the MCDPA, a controller must limit the collection of all personal data to what is adequate, relevant, and reasonably necessary for the purposes for which the data is being collected.
A controller is required to provide an effective mechanism for consumers to revoke their consent to the processing of personal data. On revocation of consent, the controller must cease processing the personal data as soon as practicable, and no later than 45 days after receipt of the revocation request.
A controller must seek the consumer’s express consent for processing the personal data for a purpose that is not reasonably necessary or compatible with the purposes for which the data was originally collected.
A controller is barred from discriminating against consumers for exercising their rights under the MCDPA, and from processing their personal data in violation of state and federal laws that prohibit unlawful discrimination. However, the law allows a controller to offer different prices, rates, levels, quality, or selection of goods or services to a consumer if the consumer has exercised his/her right to opt out of the sale of personal data, or if the offer is based on the consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.
A controller is required to provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
Additionally, the controller must establish, and describe in the privacy notice, one or more secure and reliable means for consumers to exercise their data subject rights (DSRs).
The MCDPA requires organizations to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.
A data protection assessment (DPA) must be carried out and documented for each of the controller's processing activities that carries a heightened risk of harm to a consumer, including:
A DPA must identify and balance potential benefits to the controller, the consumer, other stakeholders, and the public from the processing against any potential risks to the consumer's rights, as mitigated by any safeguards the controller may use to lessen these risks.
The controller must also consider the use of deidentified data, consumers' reasonable expectations, the context of the processing, and the relationship between the controller and the consumer whose personal data will be processed when conducting a DPA.
Moreover, an assessment carried out by the controller in pursuit of compliance with other regulations may also be used if the assessment has a reasonably comparable scope and effect to an assessment conducted under the MCDPA.
The attorney general may request that a controller disclose any DPA relevant to an inquiry the attorney general is carrying out, and the controller is required to make the assessment available to the attorney general.
Requirements for data protection assessments shall not be retroactive and must relate to processing operations started or generated after January 1, 2025.
Any controller in possession of de-identified data must:
A controller who discloses pseudonymous data or de-identified data must exercise reasonable oversight to ensure that any contractual obligations to which the pseudonymous data or de-identified data is subject are being met and must also take the appropriate steps if any of these obligations are violated.
The MCDPA requires the processors to assist the controllers by adopting appropriate technical and organizational measures to fulfill the controllers’ obligations to respond to DSR requests and to meet security and breach notification obligations with respect to the personal data processed.
The processors must also assist the controllers by providing the necessary information to conduct DPAs.
The processor is required to process personal data on behalf of the controller in accordance with the terms of the contract between the controller and the processor. The contract must set out the instructions for processing, the nature and purposes of the processing, the type of data processed, the duration of the processing, and the rights and duties of both parties. The contract must also require the processor to:
The following data privacy rights are afforded to consumers under MCDPA:
Consumers have the right to confirm that the data controller is processing their data and the right to access the data.
Consumers have the right to correct any mistakes in their personal data.
Consumers have the right to delete any personal data that relates to them.
Consumers have the right to obtain a copy of their data, in a portable format that is readily usable, allowing the consumers to transfer the data to another controller without any issues.
Consumers have the right to opt out of the sale of their personal data and of the processing of their personal data for the purposes of targeted advertising or profiling.
Controllers must establish a process for consumers to appeal the controller's refusal to act on a request within a reasonable period after the consumer's receipt of the decision.
Controllers have 45 days after receiving a DSR request to respond to it. Where reasonably necessary, depending on the volume and complexity of the requests, the response period may be extended by an additional 45 days. If the response period is extended, the controller must inform the consumer within the initial 45-day period.
If a controller declines to take any action related to the consumer's request, it must inform the consumer of such denial within the forty-five (45) day period, along with a justification for declining to take action and appropriate instructions on how to appeal the decision.
A controller must establish an appropriate process for a consumer to appeal, within a reasonable period, any decision the controller makes in relation to their DSR request. The process for submitting an appeal must be as easily available as the process for submitting a DSR request.
A controller must inform the consumer of any action taken or not taken as a result of their appeal within sixty (60) days of receiving the appeal. If the appeal is rejected, the controller is required to provide the consumer with information on how to contact the Attorney General to submit a complaint.
Any information provided to the consumers due to a DSR request must be provided free of charge once annually. A controller may charge a reasonable fee covering administrative costs if the requests are manifestly unfounded, excessive, or repetitive. However, the controller bears the burden of demonstrating that a particular request is manifestly unfounded, excessive, or repetitive.
If a controller cannot authenticate a DSR request using commercially reasonable efforts, it may decline to act on the request and may ask the consumer for additional information needed to authenticate it.
Limiting its scope of application, the MCDPA provides that it does not restrict the ability of the controllers and the processors to do the following:
Further, MCDPA provides that any obligations placed on a controller or processor under its provisions do not prohibit or restrict a controller or a processor from collecting, maintaining, using, or storing data to:
Similarly, any obligations placed on a controller or a processor under MCDPA do not apply if compliance with such a requirement would violate an evidentiary privilege under Montana law.
The Office of the Attorney General of Montana is the exclusive regulatory authority for the enforcement of provisions of the MCDPA. The attorney general has the following responsibilities:
Organizations can operationalize Montana’s Consumer Data Privacy Act by:
Securiti's Data Command Center framework enables organizations to comply with Montana's Consumer Data Privacy Act (MCDPA) – Senate Bill 384 by securing the organization's data, enabling organizations to maximize data value, and fulfilling an organization's obligations around data security, data privacy, data governance, and compliance.
Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.
The Montana Consumer Data Privacy Act (MCDPA) is the first data privacy bill mandating that controllers honor universal opt-out mechanisms. It applies to persons who conduct business in Montana, or who produce products or services targeted to residents of Montana, and who either control or process the personal data of not less than 50,000 consumers (excluding personal data controlled or processed solely to complete a payment transaction), or control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.
Like many states, Montana recognizes the right to privacy as a fundamental right of its residents. Under MCDPA, personal data means any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include deidentified data or publicly available information.