Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Montana: Consumer Data Privacy Act - a comprehensive state privacy law

The Consumer Data Privacy Act was introduced, on February 16, 2023, to the Montana State Senate. Since then, the Act has passed both the State Senate, as well as the House of Representatives, and was signed by the Governor of Montana, Greg Gianforte, on May 18, 2023. The Act introduces obligations for both data controllers and data processors, as well as consumer rights, and will enter into effect on October 1, 2024. OneTrust DataGuidance Research gives an overview of the Act.

Tashka / Essentials collection / istockphoto.com

Definitions

The Act contains definitions for terms, including 'consumer,' 'personal data,' 'sensitive data,' 'biometric data,' 'consent,' 'processing,' and 'profiling.' Among the notable definitions are those of 'controller,' which means an individual who, or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data, and 'processor,' which means an individual who, or legal entity that, processes personal data on behalf of a controller.

Importantly, the Act defines 'personal data' as any information that is linked or reasonably linkable to an identified or identifiable individual, with the exclusion of deidentified data or publicly available information, whereas 'deidentified data' means data that cannot be used to reasonably infer information about, or otherwise be linked to, an identified or identifiable individual or a device linked to the individual, if the controller that possesses the data complies with certain requirements (see the section on deidentified data below).

Further to the above, the Act defines 'consumer' as an individual who is a Montana resident of this state, excluding individuals acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit, or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, non-profit, or government agency.

With regard to 'sensitive data,' the Act specifies that this means personal data that includes:

  • data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person's sex life, sexual orientation, citizenship, or immigration status;
  • the processing of genetic or biometric data for the purpose of uniquely identifying an individual;
  • personal data collected from a known child; or
  • precise geolocation data.

Scope

The Act is applicable to persons that conduct business in Montana, or produce products or services that are targeted to Montana residents and:

  • control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

However, the Act clarifies that any state agency, or body, authority, board, bureau, commission, district, or political subdivisions of the state, financial institutions, affiliates of financial institutions, or data subject to the Gramm-Leach Bliley Act (GLBA), associations registered under the Securities Exchange Act (SEA), and entities subject to the Health Insurance Portability and Accountability Act (HIPAA) are not subject to the Act. In addition, non-profit organizations and institutions of higher education also fall out of the Act's scope.

Certain types of information are also exempt under the Act, including:

  • protected health information under HIPAA;
  • information derived from any of the healthcare-related information mentioned above, including information deidentified in accordance with the requirements for deidentification pursuant to the privacy regulations of HIPPA;
  • the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report and by a user of a consumer report, but only to the extent that the activity is regulated by, and authorized under, the Fair Credit Reporting Act (FCRA);
  • data processed or maintained:
    • by an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party to the extent that the data is collected and used within the context of that role;
    • that is necessary to retain to administer benefits for another individual relating to the individual who is the subject of the information under HIPAA and is used for the purposes of administering the benefits; or
    • as the emergency contact information of an individual and used for emergency contact purposes; and/or
  • personal data regulated by the Family Educational Rights and Privacy Act (FERPA).

Furthermore, the Act clarifies that nothing within its provisions should be construed to impose any obligation on a controller or processor that adversely affects the rights or freedoms of any person, including, but not limited to, their rights to freedom of speech or freedom of the press guaranteed in the First Amendment to the U.S. Constitution, Rule 504 of the Montana Rules of Evidence, or apply to a person's processing of personal data during the person's personal or household activities.

Data subject rights

The Act establishes consumer rights that may be exercised by a secure and reliable means established by the controller and are described to the consumer in the controller's privacy notice. These rights can also be invoked by a known child's parent or legal guardian on behalf of the known child regarding the processing of personal data. Notably, consumers may designate an authorized agent to exercise the consumer's right to opt out of the processing of their personal data, where such right is provided for by the Act, on behalf of the same consumer.

Pursuant to the above, the consumer rights provided for under the Act include the right to:

  • confirm whether a controller is processing the consumer's personal data;
  • access the consumer's personal data, unless such confirmation or access would require the controller to reveal a trade secret;
  • correct inaccuracies in the consumer's personal data;
  • delete personal data about the consumer;
  • obtain a copy of the consumer's personal data previously provided by the consumer to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another controller without hindrance when the processing is carried out by automated means; and
  • opt out of the processing of the consumer's personal data for the purposes of targeted advertising, of the sale of the consumer's personal data, or of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

In line with the above, the Act establishes provisions for complying with consumer right requests, providing that controllers must respond to consumers without undue delay, and in any case no later than 45 days after receipt of a request. The timeframe for a response may be extended by an additional 45 days when reasonably necessary, considering the complexity and number of consumer requests. However, in such cases, the consumer must be informed of the extension within the original 45-day timeframe, together with the reason for the extension. Equally, the Act stipulates that controllers must inform data subjects without undue delay when declining to take action within the same timeframe, along with the reason for declining to take action, and instructions on how to appeal the decision.

Under the Act, the information provided to consumers in response to requests must be provided free of charge up to once during any 12-month period per person. However, controllers may charge a reasonable fee, or decline to act, where the consumer request is manifestly unfounded, excessive, technically infeasible, or repetitive, and bears the burden of demonstrating the manifestly unfounded, excessive, repetitive, or technically unfeasible nature of the request. Additionally, the controller will not be required to comply with a request where it is unable to authenticate the request using commercially reasonable efforts and may request the consumer to provide additional information to authenticate the consumer and their request.

On opt-out requests, a controller may deny an opt-out request if the controller has good faith and reasonable and documented belief that the request is fraudulent. However, where a controller denies an opt-out request because the controller believes the request is fraudulent, the controller must send notice to the person who made the request disclosing that the controller believes the request is fraudulent and that the same may not comply with such request.

In relation to personal data about a consumer obtained from a third party, a controller is considered to comply with a deletion request by:

  • retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring that the consumer's personal data remains deleted from the controller's records and not using the retained data for any other purpose pursuant to the Act; or
  • opting the consumer out of the processing of the consumer's personal data for any purpose except for those exempted pursuant to the provisions of the Act.

Furthermore, a controller or processor is not required to comply with an authenticated consumer rights request, where the conditions below are met:

  • the controller is not reasonably capable of associating the request with the personal data or it would be unreasonably burdensome for the controller to associate the request with the personal data;
  • the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and
  • the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted by the Act.

Importantly, the Act stipulates that the controller is responsible for establishing a process for a consumer to appeal refusals within a reasonable period after the consumer receives such a decision from the controller.

Authorized agents

Interestingly, the Act introduces a provision pursuant to which a consumer may designate another person to serve as their authorized agent acting on the consumer's behalf to opt out of the processing of the consumer's personal data. The Act specifies that the designation of the authorized agent may be done by way of a technology indicating the consumer's intent to opt out of the processing of their personal data. Controllers receiving an opt-out request from an authorized agent must comply with it if they are able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on their behalf.

On opt-out methods which may be employed, the Act provides that they must possess certain characteristics, among which, for instance, the fact that they must:

  • provide a clear and conspicuous link on the controller's internet website to the web page that enables a consumer, or their authorized agent, to opt out of the targeted advertising or sale of the consumer's personal data;
  • be consumer-friendly and easy to use by the average consumer;
  • be consistent with any federal or state law or regulation; and
  • not unfairly disadvantage another controller.

Controller obligations

The Act stipulates that controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer. The Act further notes that controllers must not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which the personal data is processed unless the controller obtains the consumer's consent.

In addition, the controller must provide an effective mechanism for a consumer to revoke their consent that is at least as easy as the mechanism by which the consumer provided the consumer's consent and on the revocation of the consent, cease to process the personal data as soon as practicable, but not later than 45 days after the receipt of the request. Furthermore, the Act provides that the controller may not process the personal data of a consumer for the purposes of targeted advertising or sell the consumer's personal data without the consumer's consent when a controller has actual knowledge that the consumer is at least 13 years of age but younger than 16 years of age.

Privacy notices

According to the Act, controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

  • the categories of personal data processed by the controller;
  • the purpose for processing personal data;
  • an active email address or other mechanisms that consumers can use to contact the controller;
  • how consumers may exercise their consumer rights under the Act, including how a consumer may appeal a controller's decision with regard to the consumer's request;
  • the categories of personal data that the controller shares with third parties, if any; and
  • the categories of third parties, if any, with whom the controller shares personal data.

On consumer rights, the Act provides that controllers may not require a consumer to create a new account in order to exercise the consumer's rights under the Act, but may require a consumer to use an existing account.

In addition, under the Act, controllers must establish and describe in a privacy notice one or more secure and reliable means for consumers to submit a request to exercise their consumer rights. Such means must take into account:

  • the ways in which consumers normally interact with the controller;
  • the need for the secure and reliable communication of such requests; and
  • the ability of the controller to authenticate the identity of the consumer making the request.

With regard to the sale of data to third parties by the controller, or the processing of personal data for targeted advertising, the data controller must clearly and conspicuously disclose such activity, as well as the way in which the consumer may exercise the right to opt out of such processing.

Data security

Importantly, the Act also provides that controllers are required to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.

DPAs

With regard to obligations introduced by the Act in relation to Data Protection Assessments (DPAs), it is established that controllers must conduct and document such assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer. Such processing activities include:

  • the processing of personal data for targeted advertising;
  • the sale of personal data;
  • the processing of personal data for purposes of profiling, if such profiling presents a reasonably foreseeable risk of:
    • unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
    • financial, physical, or reputational injury to consumers;
    • a physical or other intrusions upon the solitude or seclusion, or the private affairs or concerns, of consumers, if such intrusion would be offensive to a reasonable person; or
    • other substantial injuries to consumers; and
  • the processing of sensitive data.

The Act specifies that this requirement is applicable to processing activities created or generated after January 1, 2025, and does not apply retrospectively.

Additionally, the Act states that a single DPA may address a comparable set of processing operations that include similar activities.

Regarding the way DPAs must be conducted, the Act outlines that DPAs must identify and weigh the direct and indirect benefits of the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. In this regard, the use of de-identified data, the reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the consumers whose personal data would be processed, shall be factored into such an assessment.

The Act entitles the Attorney General (AG) to request that a controller disclose any DPA that is relevant to an investigation it is conducting. Upon receipt of such a request, the controller must make the DPA available to the AG. The AG may also evaluate the DPA for a controller’s compliance with the responsibilities set forth under the Act. Nevertheless, the Act confirms that DPAs are confidential and exempt from disclosure under the Freedom of Information Act (FOIA). To the extent any information contained in a DPA disclosed to the AG includes information subject to attorney-client privilege or work product protection, the disclosure may not constitute a waiver of the privilege or protection.

Prohibition against discrimination

The Act provides that controllers shall not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers. Similarly, pursuant to the Act, controllers must not discriminate against a consumer for exercising any of the consumer rights under the Act, including by way of denying goods or services to consumers, charging different prices or rates for goods and services, or providing a different level or quality of goods or services to the consumer.

Use of de-identified or pseudonymous data

The Act specifies that a controller processing de-identified data must:

  • take reasonable measures to ensure such data cannot be associated with an individual;
  • publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and
  • contractually obligate recipients of the de-identified data to comply with all provisions of the Act.

Additionally, the Act clarifies that none of its provisions may be construed to:

  • require a controller or processor to re-identify de-identified data or pseudonymous data;
  • maintain data in identifiable form; or
  • collect, obtain, retain, or access any data or technology in order to be capable of associating an authenticated consumer request with personal data.

Furthermore, under the Act a controller is not required to comply with a request from a consumer in certain circumstances, stipulating that in these cases consumer rights do not apply to pseudonymous data, if the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information.

Moreover, when a controller discloses pseudonymous data or de-identified data, they must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data is subject and take the appropriate steps to address any breaches of the same contractual commitments.

Sensitive data

Under the Act, controllers must not process sensitive data concerning a consumer without obtaining their consent or, in the case of the processing of sensitive data concerning a known child, without processing the sensitive data in accordance with Children's Online Privacy Protection Act (COPPA).

Processor obligations

Processors must adhere to the instructions of a controller and assist them in meeting their obligations under the Act, in order to:

  • fulfill the controller's obligation to respond to consumer rights requests, considering the nature of processing and the information available to the processor by appropriate technical and organizational measures as much as reasonably practicable;
  • assist the controller in meeting their obligations in relation to the security of processing the personal data and to the notification of a breach of security of the system of the processor, considering the nature of processing and the information available to the processor; and
  • provide the necessary information to enable the controller to conduct and document DPAs.

Notably, the Act further provides that controller-processor relationships must be governed by a binding contract with respect to the processing activities conducted by the processor on behalf of the controller. In this regard, the Act specifies that such a contract must set forth the instructions for processing personal data, the nature and purpose of processing, the duration of processing, the type of data subject to processing, and the rights and duties of both parties. Controller-processor contracts under the Act must require that the processor:

  • ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  • at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
  • upon the reasonable request of the controller, make available to them all information in the processor's possession necessary to demonstrate the processor's compliance with the obligations under the Act;
  • allow, and cooperate with, reasonable assessments by the controller or their designated assessor - alternatively, the processor may arrange for a qualified and independent assessor to assess its policies and technical and organizational measures using an appropriate and accepted control standard or framework and assessment procedure for the assessments, which must be reported to the controller upon request; and
  • engage any subcontractor pursuant to a written contract that requires them to meet the obligations of the processor with respect to the personal data.

In determining whether a person is acting as a controller or processor with respect to specific processing of data, the Act explains that it is a fact-based determination that depends upon the context in which personal data is to be processed. To this end, a processor that continues to adhere to a controller's instructions with respect to the specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to the processing and may be subject to an enforcement action under Section 12 of the Act.

Importantly, the Act clarifies that none of its provisions may be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of their role in the processing relationship.

Limitations

The Act outlines a list of items that must not be intended as being restricted by the same, which includes a controller's or processor's ability to:

  • comply with federal, state, or municipal ordinances or regulations;
  • comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, municipal, or other governmental authorities;
  • cooperate with law enforcement agencies concerning the conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or municipal ordinances or regulations;
  • investigate, establish, exercise, prepare for, or defend legal claims;
  • provide a product or service specifically requested by a consumer;
  • perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty; and
  • prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report, or prosecute those responsible for any of these actions.

In addition, obligations imposed pursuant to the Act on a controller or processor will not restrict their ability to collect, use, or retain personal data for internal use to:

  • conduct internal research to develop, improve, or repair products, services, or technology;
  • effectuate a product recall;
  • identify and repair technical errors that impair existing or intended functionality; and
  • perform internal operations that are:
    • reasonably aligned with the expectations of the consumer;
    • reasonably anticipated based on the consumer's existing relationship with the controller; or
    • are otherwise compatible with:
      • processing data in furtherance of the provision of a product or service specifically requested by a consumer; or
      • the performance of a contract to which the consumer is a party.

In line with the above, the Act also highlights instances in which controller or processor obligations do not apply, namely where it would violate an evidentiary privilege under Indiana law. Correspondingly, where a controller or processor discloses personal data to a third-party controller or processor, in compliance with the requirements of limitation provided within the Act, it is not in violation of the Act if said third party processes the personal data in violation of the Act, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient would commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of the Act is likewise not liable for the offenses of the controller or processor from which it receives such personal data.

Specific to personal data processing under Section 11 of the Act (i.e. limitations), a controller is permitted to process data to the extent that the processing is:

  • reasonably necessary and proportionate to the purposes listed in this section; and
  • adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in this section.

In addition, the controller or processor must, when applicable, consider the nature and purpose of the collection, use, or retention of the personal data collected, used, or retained. The personal data must be subject to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to the collection, use, or retention of personal data.

Controllers processing personal data pursuant to any for the exemptions in Section 11 of the Act bear the burden of demonstrating that the processing qualifies for the exemption and complies with the requirements outlined above.

Enforcement

The Act outlines that the AG has exclusive authority to enforce the Act's provisions.

Notably, the AG must issue a notice of violation to the controller, before initiating any action for a violation of the Act until April 1, 2026. If the controller fails to correct the violation within 60 days of receipt of the notice of violation, the AG may bring an action pursuant to the Act. Instead, if within the 60-day period, the controller corrects the noticed violation and provides the AG with an express written statement that the alleged violations have been corrected and that no such further violations will occur, no action can be initiated against the controller.

Crucially, the Act clarifies that nothing within the Act may be construed as providing the basis for, or be subject to, a private right of action for violations under the Act or any other law.

Francesco Saturnino Privacy Analyst
[email protected]