Montana passes Consumer Data Privacy Act
On April 21, 2023, Montana’s state legislature unanimously passed a comprehensive data privacy bill, Senate Bill 384. Following a number of cross-chamber amendments, Montana’s Consumer Data Privacy Act closely mirrors the Connecticut Data Privacy Act. As such, Montana joins Connecticut, Colorado, and California in providing consumers with strong data privacy protections.
Montana’s data privacy law would apply to entities conducting business in Montana (or producing products or services targeted to Montana residents) and entities that control or process the personal data of not less than 50,000 Montana residents. This is a notable deviation from the traditional 100,000 consumer threshold of other states. Entities also covered by SB 384 include those which control or process the personal information of not less than 25,000 Montana residents and derive more than 25% of its revenue from the sale of personal data.
Similar to its counterparts, a number of entities and types of information are exempt from SB 384’s requirements including:
- State entities and political subdivisions of the state
- Financial institutions subject to the Gramm-Leach Bliley Act (GLBA)
- Covered entities or business associates governed by Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Nonprofit organizations
- Higher education institutions
- Information governed by Fair Credit Reporting Act (FCRA)
- Personal data governed by Family Educational Rights and Privacy Act (FERPA)
Montana deviates from other Republican-controlled legislatures by requiring controllers to recognize universal opt-out mechanisms to execute requests to opt-out of sales and targeted advertising as well as imposes a sunset for a right to cure. However, SB 384 does follow in lock step with its predecessors by providing a number of consumer rights including the right to confirm and access their personal data is being processed by a controller, right to correct mistakes in their personal data, right to delete any personal data, right to obtain a copy of their data in a portable format, and right to opt out of targeted advertising, behavioral profiling and sale of personal data.
Montana’s Consumer Data Privacy Act also requires privacy notices which are reasonably accessible, clear, and meaningful to inform consumers of:
- The categories of personal information collected
- Purposes for processing personal data
- The categories of personal data being shared with third parties
- The categories of third parties receiving personal information
- How consumers can exercise their privacy rights or appeal a decision regarding a rights request
- How to contact the business
Similar to California and Connecticut, Montana also enumerates additional privacy protections for children between the ages of 13 and 15, wherein controllers cannot process the personal data of a consumer for purposes of targeted advertising or sell personal data without the consumer’s consent if there is actual knowledge that the consumer is at least 13 years of age but younger than 16.
Montana’s bill does not create a private right of action and therefore can only be enforced by the Attorney General. If enacted, SB 384 would take force on October 2024.
For more legislative updates on data privacy law from McDonald Hopkins, please subscribe to receive our publications or view the links below for recent updates on other state data privacy legislative updates.