Montana

Summary

Law: Consumer Data Privacy Act (MTCDPA)

Regulator: The Montana Attorney General (AG)

Summary: On May 18, 2023, the Montana Governor signed Senate Bill No. 384 for An Act Establishing the Montana Consumer Data Privacy Act (CDPA), which will enter into effect on October 1, 2024. The CDPA introduces obligations for controllers, including the obligation to implement administrative, technical, and physical data security practices, limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to its purposes, and to conduct data protection assessments.

The CDPA also requires a contract between controllers and processors to govern procedures performed on the controller's behalf. The CDPA provides for data subject rights, including the right to confirm whether a controller is processing their personal data, the rights to access, correct, delete, and obtain a copy of such personal data, and the right to opt out of certain processing activities. Furthermore, the CDPA provides the Montana Attorney General (AG) with enforcement powers but does not provide a private right of action.

Montana also has its own data breach requirements under §30-14-1704 of Part 17 of Chapter 14 of Title 30 of the Montana Code Annotated 2017, which require a person or business to disclose any breach of the security of the data system following discovery or notification of the breach. Moreover, the AG's Office of Consumer Protection must be notified at the same time as individuals in the event of a personal data breach.

You can follow legislative developments in the US through the USA State Law Tracker.

Insights

On July 1, 2024, state privacy legislation in Florida, Texas, and Oregon will enter into effect, joining those laws already in force, including California, Connecticut, Colorado, Virginia, and Utah. A state privacy law in Montana will also enter into effect in 2024, on October 1. Each law builds on trends seen in other US state privacy legislation, though each has distinct provisions. OneTrust DataGuidance breaks down some of the key provisions of the Florida, Texas, Oregon, and Montana laws.

Data privacy continues to dominate legislative discussions in the US, both at the federal and state levels. While many states are considering broader, more comprehensive laws, there are certain states that are passing privacy laws more focused on certain industries or data types. A good example of this trend is the recently passed Montana Genetic Information Privacy Act (GIPA). GIPA recognizes the inherent sensitivity of genetic data and significant privacy risks in the collection and processing of genetic data.  

Specifically, GIPA prohibits the disclosure of a consumer's genetic data to the consumer's employer and any entity offering health insurance, life insurance, or long-term care insurance without the consumer's express consent. It is important to note that consumers may revoke consent at any time. Further, GIPA requires entities that collect genetic data to implement and maintain a comprehensive security program to protect consumers' genetic data against unauthorized access, use, or disclosure. Jordan L. Fischer, Partner at Constangy, Brooks, Smith & Prophete LLP, explores the key areas of GIPA and its initial response.  

The Montana Consumer Data Privacy Act (MCDPA) was signed by the Governor of Montana, Greg Gianforte, on May 18, 2023, following its passage by the State Senate and House of Representatives.

The MCDPA introduces obligations for data controllers and duties for data processors, as well as consumer rights, and will enter into effect on October 1, 2024.

The Consumer Data Privacy Act was introduced to the Montana State Senate on February 16, 2023. Since then, the Act has passed both the State Senate and the House of Representatives, and was signed by the Governor of Montana, Greg Gianforte, on May 18, 2023. The Act introduces obligations for both data controllers and data processors, as well as consumer rights, and will enter into effect on October 1, 2024. OneTrust DataGuidance Research gives an overview of the Act.