On October 1, 2024, the Montana Consumer Data Privacy Act (MTCDPA) came into effect after being signed by the Governor of Montana on May 19, 2023.

What is the scope of the MTCDPA?

The MTCDPA applies to persons who conduct business in Montana or persons who produce products or services that are targeted to residents of Montana, and:

• control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
• control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

Additionally, a 'consumer' is considered an individual who is a resident of the State of Montana.

What rights do consumers have under the MTCDPA?

The MTCDPA provides consumers with the right to:

• confirm whether a controller is processing their personal data and accessing the data;
• correct inaccuracies in their personal data, considering the nature of the personal data and the purposes of the processing;
• have their personal data deleted;
• obtain a copy of their personal data previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another controller without hindrance when the processing is carried out by automated means, provided the controller is not required to reveal any trade secrets; and
• opt out of the processing of their personal data for the purposes of:
  • targeted advertising;
  • sale, with some exceptions; or
  • profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer.

Controllers must establish and describe to the consumer in the controller's privacy notice secure and reliable means for consumers to exercise the abovementioned rights.

What are the controllers' obligations under the MTCDPA?

The MTCDPA imposes obligations on controllers, such as the obligation to:

• establish, implement, and maintain reasonable administrative, technical, and physical data security practices;
• limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed;
• provide an effective mechanism for a consumer to revoke the consumer's consent under the MTCDPA; and
• conduct a data protection assessment in connection with processing activities that present a heightened risk of harm to a consumer, with the MTCDPA noting the required contents of such an assessment.

What are the processors' obligations?

The MTCDPA states that data processors must adhere to controllers' instructions and assist controllers in meeting their obligations, with a contract between controllers and processors being required to govern data processing procedures performed on the controller's behalf.

For further information please see:

• Montana – Data Protection Overview
• Insight - USA: Comparing new privacy laws in Florida, Texas, Oregon, and Montana
• Report: Comparing Comprehensive US Privacy Laws

You can read the MTCDPA here.