Montana Consumer Data Privacy Act (MTCDPA): A comprehensive guide

Montana became the ninth state in the United States to enact a consumer privacy bill, SB 384, and the Montana Consumer Data Privacy Act (MTCDPA) will come into effect on October 24, 2024. This legislation was passed on May 19, 2023, giving organizations a little over a year to prepare for compliance.

2023 has seen a notable surge in the adoption of comprehensive state-level privacy laws across the United States. In the first half of 2023, nine US states passed new data privacy legislation.

The MTCDPA bears significant resemblance to the Connecticut Data Privacy Act (CTDPA) in terms of its provisions and requirements. It is important to note that as of now, there is no federal privacy law in place across the United States.

Montana privacy law – key information

The Montana Consumer Data Privacy Act (MTCDPA) is a regulation that protects the privacy and data rights of residents within the state. It applies to businesses operating within Montana or providing goods and services to its residents. Under the MTCDPA, businesses are required to inform consumers about the collection and processing of their data, including if it’s shared with third parties. Consumers have the right to opt out of data collection and processing. 

To ensure data security, both businesses and third parties must implement reasonable protective measures. The MTCDPA prioritizes consumer control, transparency, and accountability in data handling practices.

Definitions in the Montana Consumer Data Privacy Act

Montana, along with a number of other states, has a privacy law that revolves around certain fundamental concepts and responsibilities of a number of entities. These are common to many privacy regulations. It is necessary to ensure that the definitions achieve a balance between clarity and thoroughness while remaining adaptable to changes in technology for effective implementation and regulatory enforcement over time.

Personal data definition under the MTCDPA

The MTCDPA adopts a commonly used definition of personal data in privacy laws, which is also referred to as “personal information” in other laws. According to the law, personal data is defined as “any information that is linked or reasonably linkable to an identified or identifiable individual.” However, publicly available information and de-identified data are excluded from this definition.

Unlike certain state-level data privacy laws, the MTCDPA does not provide a specific list of examples for personal data. Nevertheless, typical types of personal data encompass name, account/username, IP address, email address, Social Security Number, driver’s license number, or passport number. These examples highlight the kind of information that falls within the scope of personal data as recognized by the Act.

Consent definition under the MTCDPA

The General Data Protection Regulation (GDPR) in the European Union established the benchmark for defining valid user consent, and this framework has served as a model for many subsequent regulations.

Under the MTCDPA, consent is defined as: “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. The term may include a written statement, a statement by electronic means, or any other unambiguous affirmative action.”

Notably, the Montana consumer protection law incorporates certain exceptions to the requirement of consent, which distinguish it from many other data privacy laws and align with common digital user experiences. These exceptions encompass situations such as: 

• accepting a general or broad term of use that includes descriptions of personal data processing alongside unrelated information
• encountering personal data processing while interacting with content through actions like hovering over, muting, pausing, or closing
• agreements obtained through the use of dark patterns

Furthermore, Montana’s law, similar to Connecticut’s, imposes a crucial provision that grants consumers the right to revoke their consent. This requirement emphasizes the importance of consumer control and ensures individuals have a mechanism to withdraw their consent once given.

Sensitive data / sensitive personal information definition under the MTCDPA

This encompasses more distinct categories of personal information, specifically those that have the potential to cause harm if mishandled, including information that reveals:

• racial or ethnic origin
• religious beliefs
• mental or physical health condition or diagnosis
• information about a person’s sex life or sexual orientation
• citizenship or immigration status
• processing of genetic or biometric data for the purpose of uniquely identifying an individual
• personal data collected from a known child (under 13 years of age)
• precise geolocation data (within 1,750 feet or 533.4 meters)

Controller definition under the MTCDPA

Businesses engaged in the collection and processing of personal information are likely to be classified as controllers, as per the definition provided by the MTCDPA, which states: “an individual who or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data”.

Processor definition under the MTCDPA

When businesses share personal data with third-party entities for processing purposes, Montana privacy laws define the business as the controller and the third-party entity as the processor: “an individual who or legal entity that processes personal data on behalf of a controller.” 

Sale definition under the MTCDPA

The MTCDPA defines a sale as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party”. However, there are some exceptions to the definition:

• disclosure of personal data to a processor that processes the personal data on behalf of the controller
• disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer
• disclosure or transfer of personal data to an affiliate of the controller
• disclosure of personal data in which the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party
• disclosure of personal data that the consumer intentionally made available to the public via a channel of mass media and did not restrict to a specific audience
• disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets

Targeted advertising definition under the MTCDPA

Refers to “displaying advertisements to a consumer in which the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated internet websites or online applications to predict the consumer’s preferences or interests.”

The objective is to use the personal data in order to anticipate the interests and preferences of consumers, aiming to enhance relevance and personalize the advertising experience.

Targeted advertising does not include:

• advertisements based on activities on a controller’s own websites or online applications
• advertisements based on the context of a consumer’s current search query or visit to a website or online application
• advertisements directed to a consumer in response to the consumer’s request for information or feedback
• processing personal data solely to measure or report advertising frequency, performance, or reach

Compliance requirements under the Montana privacy law

Who must become MTCDPA-compliant?

The MTCDPA applies to organizations operating within Montana and any businesses that provide products or services specifically targeted towards Montana residents. Regarding MTCDPA compliance, organizations, referred to as ”controllers” under the law, must meet two main threshold criteria:

• control or process the personal data of 50,000 or more Montana residents during a calendar year

or 

• derive over 25 percent of gross revenue from the sale of personal data and control or process personal data of 25,000 or more state residents

Montana’s resident number threshold, which determines the applicability of the law, is low compared to many other states. This is not surprising considering Montana’s relatively small population. It is interesting to note that the original threshold was set at 100,000 residents, but was subsequently lowered through a House amendment. 

Unlike some recently enacted state-level data privacy laws, Montana’s law does not solely rely on a revenue-based threshold. This means that businesses would be required to comply with the regulation if their annual gross revenues exceeded a specific dollar threshold, even if they did not meet the threshold for the number of consumers whose data was processed.

With the absence of a revenue-only threshold, businesses of any size or value that meet the personal data or personal data plus revenue percentage thresholds outlined in the Montana privacy law, must become MTCDPA-compliant.

Exemptions to Montana Consumer Data Privacy Act compliance

The exemptions listed in the Montana consumer protection act are largely consistent with the exemptions found in other current US privacy laws, generally following existing federal laws. The following entities are exempt from compliance:

• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act
• Patient Safety and Quality Improvement Act
• Fair Credit Reporting Act (FCRA)
• Children’s Online Privacy Protection Act (COPPA)
• Family Educational Rights and Privacy Act (FERPA)
• Driver’s Privacy Protection Act
• Farm Credit Act (FCA)
• Airline Deregulation Act

Additional exemptions within the Montana consumer privacy act encompass HR data, health records, research data related to human subjects that fall under the purview of other federal laws or standards, and data processed or maintained for employment-related purposes.

Exempted institutions include:

• state government entities
• national securities association
• financial institutions (also entities and affiliates subject to the Gramm-Leach-Bliley Act)
• insurance companies
• institutions of higher education
• nonprofit organizations

Exclusions to the MTCDPA’s definition of “consumer” include individuals acting in an employment or business context.

What are consumers’ rights under the Montana consumer protection act?

The new data protection law grants consumers several key rights concerning their personal information. In cases where children are involved, parents or legal guardians can exercise these rights on behalf of the child regarding the processing of their personal information.

The Montana privacy law grants consumers the following key rights:

• Right to access: Confirm if the controller is processing the consumer’s personal information and access that data, with some exceptions.
• Right to correction: Rectify any inaccurate or outdated information held by the controller that was provided by the consumer.
• Right to delete: Request the deletion of personal data held by the controller, with some exceptions.
• Right to portability: Obtain a readily usable copy of personal data previously provided to the controller by the consumer, with some exceptions.
• Right not to be discriminated against: Controllers are prohibited from unlawfully discriminating against consumers, including for exercising their rights.
• Right to opt out: Choose not to have personal data sold, be subjected to targeted advertising, or be subjected to profiling related to solely automated decisions with significant legal or similar effects on the consumer.

These rights empower consumers and promote greater control and transparency over their personal information.

The Montana data privacy law does not include the private right of action, which allows consumers to file lawsuits against controllers in case of violations. Currently, only California residents possess this right within the United States.

What the Montana Data Protection Act means for businesses

One of the main areas where companies have compliance responsibilities under Montana’s privacy law is with consumers’ rights. Consumers, or “data subjects” can make access requests (DSARs), and the law has guidelines for companies’ responses. Additionally, there are restrictions and requirements for companies’ collection and use of personal data, which center around security and privacy.

MTCDPA compliance requirements for consumer requests

Controllers are obligated to inform consumers about their rights and provide mechanisms for exercising those rights through verifiable requests. This information must be clearly outlined in the controller’s privacy notice or policy page on their website.

Upon receiving a consumer request, the controller must respond within 45 days, with some exceptions. These exceptions may include cases where the consumer’s identity cannot be reasonably verified or when an excessive number of requests are submitted within a 12-month period.

In certain circumstances where fulfilling a consumer request is challenging, the controller can extend the response period by an additional 45 days if reasonably necessary, as long as the consumer is promptly notified.

If a controller denies a request, the consumer retains the right to appeal the decision, and the controller must provide guidance on how to proceed with the appeal process. The controller is given a timeframe of 60 days to respond to such appeals.

Purpose limitation within the MTCDPA

Controllers are permitted to process personal data for the purpose(s) they have communicated, provided that the processing is deemed “adequate, relevant, and reasonably necessary” and proportionate to the stated purposes.

Security of data under the MTCDPA

Controllers are obligated to safeguard personal data by establishing, implementing, and maintaining reasonable administrative, technical, and physical security measures. These measures should be suitable for the type and amount of personal information being processed.

Data protection assessments (DPAs) under the Montana CDPA

Controllers must conduct and document data protection assessments when they process information:

• for the purposes of targeted advertising
• to sell the personal data
• categorized as sensitive personal data
• for the purposes of profiling if there is a reasonably foreseeable or heightened risk of harm to consumers

The Attorney General can request a DPA from a controller for the purposes of investigating an alleged violation.

Consent-related rules in the MTCDPA

Similar to other US states with privacy laws, Montana follows an opt-out model, meaning that in many cases, user consent is not required before collecting and processing personal data. However, consent is necessary for the collection or processing of sensitive personal data. Consumers must receive clear notice regarding data processing and have the ability to opt out of sale, targeted advertising, or profiling.

In accordance with the federal Children’s Online Privacy Protection Act (COPPA), the MTCDPA aligns with regulations for children. Prior consent from the parent or guardian of any known child under the age of 13 must be obtained before processing their personal data. Montana’s data privacy regulation treats data of children under 13 as sensitive by default, thus covering all children’s personal data.

Furthermore, Montana’s law provides additional safeguards for children. If a known consumer is at least 13 years old but under 16 years old, their consent (not a parent or guardian’s) is required prior to processing their personal data for the purposes of sale or targeted advertising.

Nondiscrimination requirements of the MTCDPA

Controllers are strictly prohibited from engaging in unlawful discrimination against consumers and from processing personal data in a manner that violates state or federal anti-discrimination laws. Discrimination against consumers for exercising their rights is also strictly forbidden. For instance, a consumer cannot be denied access to a website simply because they choose to opt out of personal information collection.

However, it is important to note that certain website features or functions may require the activation of specific cookies. If a consumer opts out of allowing the collection of personal information through these cookies, it may impact the optimal functioning of the site. It is important to understand that this limitation is not considered discriminatory.

Controllers have the option to provide voluntary incentives, such as discounts, to encourage consumers’ voluntary participation in activities like loyalty programs or newsletter signups, which involve the collection and processing of personal data. However, it is essential that these incentives are reasonable, as disproportionate offers can raise concerns and be viewed unfavorably by data protection authorities, as they could resemble bribes.

MTCDPA statutes concerning transparency 

Controllers are obligated to provide consumers with transparent and easily accessible information regarding data processing. Typically, this information is presented on the company’s website through a privacy notice or policy. As per the MTCDPA, the information provided must include the following:

• categories of personal data processed by the controller 
• purpose(s) for processing personal data
• how consumers may contact the controller, exercise their rights and/or appeal a controller’s decision (e.g. if a request for access is denied)
• categories of personal data that the controller sells to third parties, if any 
• categories of third parties to whom the controller sells personal data, if any
• notice about the right to opt out of the sale of personal data to third parties or processing personal data for targeted advertising or profiling and how to exercise that right

MTCDPA requirements for contracts with third parties

Controllers must have contracts in place with third-party processors (service providers) with clear information about:

• duty of confidentiality 
• instructions for processing data
• nature and purpose of processing
• type of data subject to processing
• duration of processing
• rights and obligations of both parties

Universal opt-out signal references in the MTCDPA

The Montana CDPA is one of the few state-level laws that reference the Global Privacy Control (GPC) “universal opt-out” or similar mechanism. By January 1, 2025 the consumer must be able to “opt out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of such personal data through an opt-out preference signal sent with the consumer’s consent.”

While some state-level data privacy laws, such as Indiana’s and Tennessee’s, do not make mention of this particular signal, it is worth noting that California, Colorado, and Connecticut have incorporated it into their laws. The purpose behind its inclusion is to establish a standardized approach to user consent online. 

By utilizing this signal, consumers can create a unified set of personal data privacy consent preferences. These preferences can then be communicated to all the websites or apps that users visit, alleviating the need to set new preferences for each site. Furthermore, employing this mechanism aids in ensuring compliance with applicable consumer privacy laws for each individual user.

Consequences of violating the Montana CDPA

The exclusive responsibility for enforcing the MTCDPA lies with the Attorney General in Montana. The law does not grant consumers the right to pursue legal action individually. However, consumers can report suspected violations or complaints regarding denied requests to the office of the Attorney General. In such cases, the Attorney General is required to provide written notice to the parties involved, detailing the alleged violations.

60 days to “cure” or fix issues under the MTCDPA

A designated 60-day period, known as a “cure period”, is allotted for organizations to address and rectify any identified issues while implementing preventive measures to avoid future occurrences. Cure periods in other state-level data privacy laws vary from 30 to 90 days. In line with Colorado’s Privacy Act (CPA), the right to cure under the MTCDPA will “sunset”, or cease, on April 1, 2026.

Organizations found to be in violation of the MTCDPA are required to inform the Attorney General about the actions taken to rectify the situation. They must provide a statement ensuring that no further violations will transpire.

MTCDPA enforcement measures and penalties

In the event that the controller or any of their data processors continue to violate the MTCDPA, even after the cure period or the submission of their statement, the Attorney General is empowered to initiate investigations. Unlike many other state-level data privacy laws, the MTCDPA does not specify a predetermined monetary value for fines or statutory damages. Rather, it emphasizes that the Attorney General can “bring an action” in response to violations.

Montana TikTok ban and TikTok lawsuit

On May 18, 2023, Montana’s governor signed Senate Bill 419, banning popular social media app TikTok. The primary concern behind the move is to protect Montana residents’ personal data from Chinese authorities, though no direct evidence has ever been revealed of Chinese authorities accessing TikTok user data. Bytedance, TikTok’s parent company, is Chinese. 

“All social media applications tied to foreign adversaries” were also prohibited on state equipment and for state business, and use of them by third parties conducting business on behalf of the state.

TikTok filed suit against the state of Montana soon after, calling the new law’s concerns “baseless”, with the main argument being that the ban is unconstitutional and a violation of free speech that is tantamount to censorship. While Montana’s governor has signed SB 419 into law, it does not go into effect until January 1, 2024.

The suit also argues that any alleged “national security threat” would be under federal, not state, jurisdiction. While there have been rumblings of a federal ban on TikTok in the United States, and a number of countries have banned it from government-issued devices, there is no federal restriction or ban on TikTok in the US to date. There have been threats to do so if Bytedance does not sell at least the US arm of the company to an American buyer. 

Montana’s new law banning TikTok puts the onus on companies that run app stores, like Apple and Google, to prevent the app from being downloaded or accessed in the state. Failure to do so carries the risk of fines up to US $10,000 per day for those companies and TikTok itself. 

TikTok does have “Project Texas” in play in response to US data privacy and security concerns. This project is a US $1.5 billion data security plan, in collaboration with software giant Oracle, which is based in Austin, Texas, and would see American TikTok users’ data stored exclusively on US-based servers and administered by a US-based team.

MTCDPA compliance and consent management

Montana’s consumer privacy law aligns with the prevailing opt-out model in use with other state-level data privacy laws in the United States. An exception is situations involving sensitive personal data. Under this model, controllers are not required to obtain user or data subject consent prior to collecting or processing personal data.

However, consumers must be given the choice to opt out of the collection and processing of their personal data for purposes such as sale, targeted advertising, or profiling. This information should be clearly provided on the website, typically within the privacy notice or policy page.

To facilitate the opt-out process, a banner or similar mechanism can be employed, commonly presented as a link or button. Consent management platforms (CMPs), like Cookiebot CMP, offer automation features that help identify the cookies and tracking technologies utilized on websites and apps. CMPs streamline the collection and provision of information to users regarding the categories of data being processed, specific services employed by the controller and/or processors, and any third parties with whom data is shared. Such notifications are mandated by Montana’s privacy law, as well as similar data privacy regulations worldwide.

Since the United States lacks a comprehensive federal data privacy law, companies operating nationwide or internationally may need to comply with multiple consumer privacy laws to safeguard data. (Learn more: Comparing US state-level data privacy laws) A CMP can simplify this process by offering customization options for banners and geotargeting capabilities. With geotargeting, data processing details, consent information, and choices specific to regulations can be presented based on the user’s location. This approach enhances clarity and user experience by providing information in the user’s preferred language.

Using a consent management platform empowers companies to achieve MTCDPA compliance and other existing and future data privacy regulations in the United States. Furthermore, for companies operating internationally, utilizing a consent management platform ensures adherence to regulations such as the GDPR, which imposes more stringent requirements for consent management compared to US laws.

Getting ready for the Montana Consumer Data Privacy Act

Organizations conducting business in Montana have until late 2024 to prepare for compliance with the MTCDPA. If they have already complied with other state-level data privacy laws in the US, such as Connecticut’s law, a significant portion of the work is already complete. Taking a privacy by design approach will benefit all aspects of an organization, regardless of specific regulatory requirements.

Ensuring MTCDPA compliance primarily involves understanding the specific requirements of Montana’s law and implementing a solution that provides users with the necessary notifications and opt-out options. The Cookiebot Consent Management Platform can assist websites in managing cookie and tracking notifications.

Updates to the MTCDPA can be expected over time, as these US regulations are in their initial versions and both technology and consumer expectations continue to evolve. Unlike California, the MTCDPA does not include a private right of action, meaning that consumer class-action lawsuits will not directly influence future amendments to Montana’s privacy law.

Seeking guidance from qualified legal counsel or your organization’s data privacy expert, such as a Data Protection Officer, is recommended to ensure compliance with obligations.

Beyond meeting requirements, proactively safeguarding user privacy is a valuable business endeavor. It fosters user trust, enhances user experiences, and strengthens long-term customer relationships, leading to higher-quality data for marketing operations and increased revenue.

Usercentrics A/S (Cookiebot™) does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.