The Montana Consumer Data Privacy Act is an important piece of legislation that aims to protect the data of Montana consumers.
The Montana Consumer Data Privacy Act (MCDPA) is a landmark piece of legislation that aims to protect the personal information of consumers in Montana. Like other state-level privacy laws, the MCDPA aims to reshape the way businesses collect, use, and protect consumer data. Enacted in 2023, the MCDPA establishes a comprehensive framework for data privacy and security, giving consumers more control over their personal information and holding businesses accountable for how they handle and protect it. While the legislation enters into force on October 1st, 2024, the MCDPA requires prospective data protection impact assessments for any processing activities “created or generated” after January 1, 2025.
The MCDPA outlines requirements for companies that do business with consumers in the state of Montana and meet a certain threshold.
The MCDPA applies to any company that does business in the state of Montana or provides goods or services to Montana consumers and meets the following requirements:
- Controls or processes personal data (except for personal data used solely for completing payments) belonging to 50,000 or more Montana consumers, or
- Controls or processes personal data belonging to 25,000 or more Montana consumers and gets more than 25% of its gross revenue from selling that data
The MCDPA defines “consumers” as residents of Montana. It is important to note that employees and individuals operating in a commercial context do not count as consumers under the MCDPA. There are several entities and types of personal data that the MCDPA does not apply to, including state agencies, nonprofit organizations, higher education institutions, and certain national securities associations. Financial organizations governed by, or personal data in compliance with, the Gramm-Leach-Bliley Act, as well as entities covered by the Health Insurance Portability and Accountability Act (HIPAA), are also exempt. Information that is subject to several other laws, including the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act (COPPA), and the Family Educational Rights and Privacy Act, is also not covered under the MCDPA.
The MCDPA affords several rights to Montana consumers, and requires businesses to implement security measures to protect consumer data.
The MCDPA also gives consumers the right to access, correct, and delete their personal information held by businesses. This right of access allows consumers to see what personal information businesses have collected about them, while the right to correct allows consumers to correct any inaccurate or incomplete information. The right to delete allows consumers to request that businesses delete their personal information, subject to some exceptions. Requests from consumers to exercise their rights must be responded to as soon as possible, and not more than 45 days from the date of the request. The MCDPA requires businesses to implement reasonable security measures to safeguard consumer data from breaches or unauthorized access. These security measures must be appropriate to the sensitivity of the personal information being collected and stored.
The MCDPA emphasizes the importance of transparency and consent in the collection and handling of consumer data.
One of the key provisions of the MCDPA is the requirement for businesses to be transparent about their data collection practices. Companies must provide consumers with clear and concise information about what personal data they collect, how it is used, and with whom it is shared. This transparency requirement is designed to empower consumers to make informed decisions about how their personal information is used. The MCDPA also imposes a requirement for businesses to obtain consent before processing sensitive data, selling personal data, or processing personal data for advertising purposes. This consent must be freely given, specific, informed, and unambiguous. In other words, consumers must have a clear understanding of how their personal information will be used before they consent to its collection or sale. For this reason, the MCDPA requires data controllers to provide users with a Privacy Policy that is clearly written, easily accessible, and contains meaningful information on what happens to their data.
The Montana attorney general is the enforcing body for the MCDPA and may take action against entities if violations are not corrected within the required timeframe.
The MCDPA will be enforced by the Montana attorney general. Any entities found to be in violation of the MCDPA will receive a notification of the violation from the attorney general, and will have 60 days from the receipt of the notification to correct the violation. If the entity does not correct the violation within the 60-day timeframe, the attorney general can then take action against the entity. The MCDPA is expected to foster increased transparency from businesses about their data collection practices, consumer control over their personal information, security measures to protect data, and accountability for businesses handling consumer data.