Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Back
Jul 2023
LinkedIn Created with Sketch. Twitter Created with Sketch.

Montana: CDPA - FAQs

Privacy Impact AssessmentsFinesPrivacy Law ConceptsPrivacy Law Reform

The Montana Consumer Data Privacy Act (MCDPA) was signed by the Governor of Montana, Greg Gianforte, on May 18, 2023, following its passage by the State Senate and House of Representatives.

The MCDPA introduces obligations for data controllers and duties for data processors, as well as consumer rights, and will enter into effect on October 1, 2024.

Different_Brian / Essentials collection / istockphoto.com

Scope, applicability, and key definitions

Who does the MCDPA apply to?

The MCDPA applies to persons that conduct business in Montana or produce products or services that are targeted residents of Montana and that:

  • control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

However, the MCDPA excludes from its scope of application any state agency, body, authority, board, bureau, commission, district, or political subdivisions of the state, non-profit organization, institution of higher education, national securities associations registered under the Securities Exchange Act (SEA), financial institutions, affiliates of financial institutions, or data subject to the Gramm-Leach Bliley Act (GLBA), and entities subject to the Health Insurance Portability and Accountability Act (HIPAA).

Are certain data exempted from the application of the MCDPA?

Certain types of information are exempt under the MCDPA including:

  • protected health information under HIPAA;
  • information derived from any of the healthcare-related information mentioned above, including information deidentified in accordance with the requirements for deidentification pursuant to the privacy regulations of HIPPA;
  • the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report and by a user of a consumer report, but only to the extent that the activity is regulated by, and authorized under, the Fair Credit Reporting Act (FCRA);
  • data processed or maintained:
    • by an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party to the extent that the data is collected and used within the context of that role;
    • that is necessary to retain to administer benefits for another individual relating to the individual who is the subject of the information under HIPAA and is used for the purposes of administering the benefits; or
    • as the emergency contact information of an individual and used for emergency contact purposes; and/or
  • personal data regulated by the Family Educational Rights and Privacy Act (FERPA).

How does the MCDPA define 'consumer'?

The MCDPA defines 'consumer' as an individual who is a Montana resident. The term does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit, or government agency.

How does the MCDPA define a 'controller'?

A 'controller' means an individual or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.

How does the MCDPA define 'personal data'?

Under the MCDPA, 'personal data' means any information that is linked or reasonably linkable to an identified or identifiable individual. In addition, the term does not include deidentified data or publicly available information.

How does the MCDPA define 'consent'?

Under the MCDPA, 'consent' means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. The term may include a written statement, a statement by electronic means, or any other unambiguous affirmative action.

How does the MCDPA define 'sensitive data'?

'Sensitive data' under the MCDPA means personal data that includes:

  • data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person's sex life, sexual orientation, or citizenship or immigration status;
  • the processing of genetic or biometric data for the purpose of uniquely identifying an individual;
  • personal data collected from a known child; or
  • precise geolocation data.

How does the MCDPA define 'processing'?

Under the MCDPA 'processing' means any operation or set of operations performed, whether by manual or automated means, on personal data or sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

How does the MCDPA define a 'processor'?

A 'processor' means an individual or legal entity that processes personal data on behalf of a controller.

How does the MCDPA define 'sale' of personal data?

The MCDPA defines the 'sale of personal data' as the exchange of personal data for monetary or other valuable consideration by the controller to a third party.

Notably, 'sale of personal data' does not include:

    • the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
  • the disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer;
  • the disclosure or transfer of personal data to an affiliate of the controller;
  • the disclosure of personal data in which the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party;
  • the disclosure of personal data that the consumer:
    • intentionally made available to the public via a channel of mass media; and
    • did not restrict to a specific audience; or
  • the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.

Key provisions and requirements

Does the MCDPA provide for consumer rights?

The MCDPA establishes consumer rights that may be exercised by a secure and reliable means established by the controller and are described to the consumer in the controller's privacy notice. These rights can also be invoked by a known child's parent or legal guardian on behalf of the known child regarding the processing of personal data. Notably, consumers may designate an authorized agent to exercise the consumer's right to opt out of the processing of their personal data, where such right is provided for by the MCDPA, on behalf of the same consumer.

The consumer data rights provided under the MCDPA include the right to:

  • confirm whether a controller is processing the consumer's personal data and accessing such personal data, unless such confirmation or access would require the controller to reveal a trade secret;
  • correct inaccuracies in the consumer's personal data, considering the nature of the personal data and the purposes of the processing of the consumer's personal data;
  • delete the personal data about the consumer;
  • obtain a copy of the consumer's personal data previously provided by the consumer to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another controller without hindrance when the processing is carried out by automated means, provided the controller is not required to reveal any trade secret; and
  • opt out of the processing of the consumer's personal data for the purposes of:
    • targeted advertising;
    • the sale of the consumer's personal data, except as provided in Section 7(2) of the MCDPA; or
    • profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

In line with the above, the MCDPA establishes provisions for complying with consumer rights requests, providing that controllers must respond to consumers without undue delay, and in any case no later than 45 days after receipt of a request. The timeframe for a response may be extended by an additional 45 days when reasonably necessary, considering the complexity and number of consumer requests. However, in such cases, the consumer must be informed of the extension within the original 45-day timeframe, together with the reason for the extension. Equally, the MCDPA stipulates that controllers must inform data subjects without undue delay when declining to take action within the same timeframe, along with the reason for declining to take action, and instructions on how to appeal the decision.

Under the MCDPA, the information provided to consumers in response to requests must be provided free of charge up to once during any 12-month period per person. However, controllers may charge a reasonable fee, or decline to act, where the consumer request is manifestly unfounded, excessive, technically infeasible, or repetitive, and bears the burden of demonstrating the manifestly unfounded, excessive, repetitive, or technically unfeasible nature of the request.

Additionally, the controller will not be required to comply with a request where it is unable to authenticate the request using commercially reasonable efforts and may request the consumer to provide additional information to authenticate the consumer and their request. However, a controller may not be required to authenticate an opt-out request but may deny an opt-out request if it has a good faith, reasonable, and documented belief that the request is fraudulent, and shall inform the requester accordingly.

Are there obligations in relation to sensitive data?

Controllers must not process sensitive data concerning a consumer without obtaining their consent or, in the case of the processing of sensitive data concerning a known child, without processing the sensitive data in accordance with Children's Online Privacy Protection Act (COPPA).

In addition, a controller shall conduct and document a Data Protection Assessment (DPA) if a processing activity entrails the processing of sensitive data, due to the heightened risk of harm to a consumer.

What are the main obligations for data controllers?

The MCDPA establishes that the controller shall:

  • limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed to the consumer;
  • establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue; and
  • provide an effective mechanism for a consumer to revoke the consumer's consent that is at least as easy as the mechanism by which the consumer provided the consumer's consent and on revocation of the consent, cease to process the personal data as soon as practicable, but not later than 45 days after the receipt of the request.

Furthermore, a controller may not:

  • process personal data for purposes that are not reasonably necessary to or compatible with the disclosed purposes for which the personal data is processed as disclosed to the consumer unless the controller obtains the consumer's consent;
  • process sensitive data concerning a consumer without obtaining the consumer's consent or, in the case of the processing of sensitive data concerning a known child, without processing the sensitive data in accordance with the COPPA;
  • process personal data in violation of the laws of Montana and federal laws that prohibit unlawful discrimination against consumers;
  • process the personal data of a consumer for the purposes of targeted advertising or sell the consumer's personal data without the consumer's consent under circumstances in which a controller has actual knowledge that the consumer is at least 13 years of age but younger than 16 years of age; or
  • discriminate against a consumer for exercising any of the consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer.

What are the main obligations for data processors?

Processors must adhere to the instructions of a controller and assist them in meeting their obligations under the MCDPA, in order to:

  • fulfill the controller's obligation to respond to consumer rights requests, considering the nature of processing and the information available to the processor by appropriate technical and organizational measures as much as reasonably practicable;
  • assist the controller in meeting their obligations in relation to the security of processing the personal data and to the notification of a breach of security of the system of the processor, considering the nature of processing and the information available to the processor; and
  • provide the necessary information to enable the controller to conduct and document DPAs.

Are vendor privacy relationships regulated under the MCDPA?

In determining whether a person is acting as a controller or processor with respect to specific processing of data, the MCDPA explains that it is a fact-based determination that depends upon the context in which personal data is to be processed. To this end, a processor that continues to adhere to a controller's instructions with respect to the specific processing of personal data remains a processor.

The MCDPA requires a contract between controllers and processors that must be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of the processing, and the rights and obligations of both parties. The contract must also require that the processor:

  • ensures that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  • at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
  • on the reasonable request of the controller, make available to the controller all information in the processor's possession necessary to demonstrate the processor's compliance with the obligations;
  • engage any subcontractor or agent pursuant to a written contract that requires the subcontractor to meet the duties of the processor with respect to personal data; and
  • allow and cooperate with reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor's policies and technical and organizational measures in support of the obligations using an appropriate and accepted control standard or framework and assessment procedure for the assessments. The processor shall provide a report of the assessment to the controller on request.

Are Data Protection Impact Assessments regulated under the MCDPA?

A controller shall conduct and document a DPA for each of the controller's processing activities that presents a heightened risk of harm to a consumer. Processing that presents a heightened risk of harm to a consumer includes:

  • the processing of personal data for the purposes of targeted advertising;
  • the sale of personal data;
  • the processing of personal data for the purposes of profiling in which the profiling presents a reasonably foreseeable risk of:
    • unfair or deceptive treatment of or unlawful disparate impact on consumers;
    • financial, physical, or reputational injury to consumers;
    • a physical or other form of intrusion on the solitude or seclusion or the private affairs or concerns of consumers in which the intrusion would be offensive to a reasonable person; or
    • other substantial injury to consumers; and
  • the processing of sensitive data.

Who is empowered to enforce violations of the MCDPA?

The Montana Attorney General (AG) has exclusive authority on enforcing the MCDPA's provisions and shall, prior to initiating any action for a violation of any provision issue a notice of violation to the controller. If the controller fails to correct the violation within 60 days of receipt of the notice of violation, the AG may bring an action. Instead, if within the 60-day period the controller corrects the noticed violation and provides the AG an express written statement that the alleged violations have been corrected and that no such further violations will occur, no action must be initiated against the controller. The cure provision expires on April 1, 2026.

The MCDPA clarifies that nothing within it may be construed as providing the basis for, or be subject to, a private right of action for violations under the MCDPA or any other law.

What penalties are controllers and processors facing under the MCDPA?

The MCDPA does not specify the limits of the monetary penalties that the AG may seek.

Next stages

What is the legislative status of the MCDPA?

The MCDPA was signed by the Governor of Montana on May 18, 2023.

When will the MCDPA come into force?

The MCDPA will go into effect on October 1, 2024.

Cristina Die González Editor
[email protected]

Company

Our Policies

Your Rights

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
© OneTrust, LLC. All Rights Reserved.
The materials herein are for informational purposes only and do not constitute legal advice.