The Montana Consumer Data Privacy Act (MTCDPA) is a comprehensive privacy law enacted to safeguard the personal data of Montana residents. Signed into law on May 19, 2023, the MTCDPA became effective on October 1, 2024. The MTCDPA grants Montana consumers enhanced control over their personal information and imposes specific obligations on entities that process such data. Because its applicability thresholds are lower, it affects a wider range of businesses than other state privacy laws.

Last updated on October 1, 2024

Scope and Applicability

The MTCDPA applies to entities that conduct business in Montana or produce products or services targeted to Montana residents, and that meet one of the following thresholds:

  • Control or process personal data of 50,000 or more Montana residents annually, excluding data processed solely for payment transactions
  • Derive over 25% of gross revenue from the sale of personal data annually and control or process personal data of 25,000 or more Montana residents

The law excludes certain entities, including:

  • State and local governmental entities
  • Nonprofit organizations
  • Higher education institutions
  • Entities subject to specified federal regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), and the Children’s Online Privacy Protection Act (COPPA).

The law only applies to Montana residents acting in an individual context, not employment or commercial contexts.

Key Provisions

Consumer Rights

Under the MTCDPA, consumers are granted the following rights:

  • Right to Confirm and Access: Consumers can confirm whether a controller is processing their personal data and access that data.
  • Right to Correct: Consumers can request the correction of inaccuracies in their personal data.
  • Right to Delete: Consumers can request the deletion of their personal data held by the controller.
  • Right to Data Portability: Consumers can obtain a copy of their personal data in a portable and readily usable format.
  • Right to Opt Out: Consumers can opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.

Business Obligations

Key obligations of entities subject to the MTCDPA:

  • Provide Transparency: Publish a clear and accessible privacy notice detailing the categories of personal data processed, purposes for processing, how consumers can exercise their rights, and whether personal data is sold to third parties.
  • Honor Consumer Rights: Establish procedures to respond to consumer requests to exercise their rights within 45 days, extendable by an additional 45 days if reasonably necessary.
  • Implement Data Security Measures: Adopt reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data.
  • Conduct Data Protection Assessments: Perform assessments for processing activities that present a heightened risk of harm to consumers, such as targeted advertising, sale of personal data, or processing sensitive data.

Definitions of Sensitive Data

Sensitive data under the MTCDPA includes:

  • Data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
  • Genetic or biometric data processed for uniquely identifying an individual.
  • Personal data collected from a known child (under 13 years of age).
  • Precise geolocation data.

The Act does not differentiate between levels of sensitivity within sensitive data; all categories are afforded heightened protection.

Opt-In vs. Opt-Out Approach

The MTCDPA adopts a hybrid approach:

  • Opt-Out: Consumers have the right to opt out of the sale of their personal data, targeted advertising, and certain types of profiling.
  • Opt-In: Controllers must obtain consumer consent before processing sensitive data, effectively requiring an opt-in for such data.
  • Global Privacy Controls (GPCs): Effective January 1, 2025, controllers must recognize and respect GPC signals, providing consumers an alternative opt-out method.

Enforcement and Penalties

The MTCDPA is enforced exclusively by the Montana Attorney General with no right to private action. Key enforcement mechanisms include:

  • Penalties: Violations can result in monetary penalties and legal action, but the Act does not specify a dollar amount for fines.
  • Cure Period: Controllers are provided a 60-day cure period after receiving notice of an alleged violation to rectify the issue before enforcement action is taken—the right to cure sunsets on April 1, 2026.
  • Individual Liability: The Act does not specify criminal penalties or personal liability for individual officers; enforcement actions target the business entities.