Press "Enter" to skip to content

Montana Enacts Comprehensive Consumer Data Privacy Law

The State Capitol building in Helena, Montana, USAMontana Gov. Greg Gianforte on May 19 signed into law Senate Bill 384, the Montana Consumer Data Privacy Act, making Montana the ninth state to enact a comprehensive consumer data privacy law, following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, and Tennessee. The law will take effect Oct. 1, 2024.

APPLICABILITY

The law applies to persons that conduct business in Montana or persons that produce products or services that are targeted to residents of Montana and:

  1. control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.
EXEMPTIONS

Importantly, the law exempts financial institutions and affiliates, or personal data subject to the Gramm-Leach-Bliley Act. Other exemptions include covered entities or business associates governed by the Health Insurance Portability and Accountability Act, and the use of personal information to the extent the activity is regulated by and authorized under the Fair Credit Reporting Act.

CONSUMER RIGHTS

Consumers are provided the right to:

  1. confirm whether a controller is processing the consumer’s personal data and to access the personal data;
  2. correct inaccuracies in the consumer’s personal data;
  3. delete personal data about the consumer;
  4. obtain a copy of the consumer’s personal data previously provided by the consumer;
  5. opt out of the processing of personal data if the purpose is for targeted advertising, sale of the personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
SENSITIVE DATA

A controller may not process “sensitive data” without a consumer’s consent.

“Sensitive data” includes:

  1. data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person’s sex life, sexual orientation, or citizenship or immigration status;
  2. the processing of genetic or biometric data for the purpose of uniquely identifying an individual;
  3. personal data collected from a known child; or
  4. precise geolocation data.
CONTRACT REQUIREMENTS

A contract between a controller and a processor must include certain provisions to:

  1. ensure that each person processing personal data is subject to a duty of confidentiality with respect to the personal data;
  2. at the controller’s direction, delete or return all personal data to the controller as requested;
  3. on the reasonable request of the controller, make available to the controller all information in the processor’s possession necessary to demonstrate the processor’s compliance;
  4. engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and
  5. allow and cooperate with reasonable assessments by the controller or the controller’s designated assessor.
DATA PROTECTION ASSESSMENTS

A controller must conduct and document a data protection assessment if the processing involves:

  1. targeted advertising;
  2. the sale of personal data;
  3. certain profiling;
  4. sensitive data.
ENFORCEMENT

The Attorney General has the exclusive authority to enforce the law. Prior to taking any action, the Attorney General must provide a controller or processor 60 days to cure the violation. In the absence of a cure, civil penalties not to exceed $7,500 may be sought for each violation. The cure provision expires April 1, 2026.

IMPRESSION

The Montana law is very similar to the non-California data privacy laws recently enacted, so it should cause few additional compliance challenges.

For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.

Photo: Chuck Haney/Danita Delimont/stock.adobe.com

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, and is focused on advising clients with respect to federal and state consumer financial protection laws and data privacy and security, and he is a Certified Information Privacy Professional though the International Association of Privacy Professionals. He also brings to the table experience as a litigator, chief compliance and ethics officer, director of legislative affairs, federal lobbyist, and administrative hearings officer. Eric earned his Juris Doctor from Washington University School of Law, and his Bachelor of Business Administration from Southern Methodist University. He is a member of the International Association of Privacy Professionals, the Receivables Management Association International (RMAI), and ACA International. He is admitted to practice law in Texas and Missouri and in the U.S. District Courts for the Northern, Southern, Eastern, and Western Districts of Texas. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.