Montana: Governor signs Consumer Data Privacy Act
On May 19, 2023, Senate Bill No. 384 for An Act Establishing the Consumer Data Privacy Act (the Act) was signed by the Governor of Montana. The Act was thereafter assigned a Chapter Number on May 22, 2023.
Scope
The Act applies to persons that conduct business in Montana or persons that produce products or services that are targeted to residents of Montana, and:
- control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.
Data subject rights
Under the Act, a consumer is granted the right to:
- confirm whether a controller is processing their personal data and access that data;
- correct inaccuracies in their personal data, considering the nature of the personal data and the purposes of the processing;
- have their personal data deleted;
- obtain a copy of their personal data previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another controller without hindrance when the processing is carried out by automated means, provided the controller is not required to reveal any trade secret; and
- opt out of the processing of their personal data for the purposes of:
  - targeted advertising;
  - sale, with some exceptions; or
  - profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer.
Principles and obligations
The Act imposes obligations on controllers such as the obligation to establish, implement, and maintain reasonable administrative, technical, and physical data security practices. Equally, the controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, alongside providing an effective mechanism for a consumer to revoke the consumer's consent under the Act.
More practically, under the Act, controllers must perform a data protection assessment in connection with processing activities that present a heightened risk of harm to a consumer, with the Act noting the required contents of such an assessment. The Act also states that data processors must adhere to the controller's instructions and assist controllers in meeting their obligations, with a contract between controllers and processors being required to govern data processing procedures performed on the controller's behalf.
The Act enters into force on October 1, 2024.
You can read the Act here and its legislative progress here.