Background Brief: Montana Consumer Data Privacy Act

Privacy advocates including several politicians (notably Daniel Zolnikov) in Montana have campaigned for many years to introduce a raft of laws designed to shield citizens from intrusive uses of digital technologies [See key dates below].

On May 19, 2023, Montana Governor Greg Gianforte signed the state’s comprehensive data privacy law – the Montana Consumer Data Privacy Act – which is effective from October 1, 2024.

Montana’s data privacy law includes a provision requiring covered entities to process consumers’ opt-out preference signals via universal opt-out mechanisms by no later than January 1, 2025.

Key Dates: Montana Data Privacy Laws

  • May 6, 2013 – Montana becomes the first state with a location data law requiring a government entity (e.g. police) to get a warrant before they can obtain location information of an electronic device, five years before the U.S. Supreme Court passed a similar judgment.
  • April 19, 2019 – Montana citizens gain the right to opt-out from having their energy meter data (which includes their home address) shared or sold by energy utilities.
  • May 7, 2019 – Montana becomes one of the first two states (the other is Maryland) to revise warrant requirements for DNA search results with a ruling that government entities must get a warrant before searching DNA databases.
  • November 8, 2021 – 82.33% of voting citizens in Montana support an amendment to the state constitution to explicitly include electronic data and communications in search and seizure protections, requiring government entities to obtain a warrant first.
  • February 16, 2023 – Montana Senator Daniel Zolnikov introduces Senate Bill 384 (SB 384) with the title “Generally revise consumer privacy laws”, aiming to establish a new consumer data privacy act in the state that builds on his previous privacy policy proposals, many of which appear in this timeline. The Senate conducts its first reading of the bill the next day.
  • March 15, 2023 – Montana’s House of Representatives conducts the first reading of SB 384 and refers it to a hearing by the committee for Energy, Technology and Federal Relations.
  • May 11, 2023 – SB 384 (Montana Consumer Data Privacy Act) is passed in the House and signed by the Speaker.
  • May 19, 2023 – SB 384 is passed by senators and signed by the President of the Senate.
  • May 19, 2023 – Montana Governor Greg Gianforte signs the Montana Consumer Data Privacy Act. Sen Daniel Zolnikov says in an interview published by Montana Free Press: “We should be in charge of our information, and we should be able to decide who we share it with and who they share it with. And that’s it.”
  • June 7, 2023 – Montana Governor Greg Gianforte signs the state’s Genetic Information Privacy Act, which covers not only DNA but also some forms of self-reported health information, making it the most protective consumer genetic privacy law in the United States. It became effective on October 1, 2023.
  • June 29, 2023 – Montana’s Governor signs into law the Facial Recognition for Government Act, which prohibits continuous facial surveillance or facial identification by state and local government agencies. It becomes effective on the same day.
  • October 1, 2024 – Montana Consumer Data Privacy Act goes into force.
  • January 1, 2025 – effective deadline for entities covered by Montana’s consumer data privacy law to honor consumers’ opt-out preferences transmitted via universal opt-out mechanisms.

Montana Data Privacy Law Consumer Rights

The Montana Consumer Data Privacy Act defines a ‘consumer’ as “an individual who is a resident of this state”. The definition excludes a resident when they are an “individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role” with one of the listed categories of organizations.

Montana’s privacy law defines ‘personal data’ like most other U.S. state privacy laws as “any information that is linked or reasonably linkable to an identified or identifiable individual”, with a caveat: “the term does not include deidentified data or publicly available information”.

Under the Act Montana’s citizens gain the following personal data privacy rights:

  • Right to confirm (right to know) when a controller is processing their personal data.
    However, controllers are allowed to not honor such requests for confirmation or access to personal data records if the activity “would require the controller to reveal a trade secret”.
  • Right to correct inaccuracies in records of personal data.
    Exercising this right involves “considering the nature of the personal data and the purposes of the processing of the consumer’s personal data”.
  • Right to delete records of their personal data held by a controller.
  • Right to obtain a copy of their personal data previously given to the controller, which must also honor the consumer’s right to portability of this copy of their data record.
    Controllers must honor such requests “to the extent technically feasible”, by providing the copy of the record in a “readily usable format that allows the consumer to transmit the personal data to another controller without hindrance when the processing is carried out by automated means, provided the controller is not required to reveal any trade secret”.
  • Right to opt-out from having their personal data processed for sale or for the purposes of targeted advertising or profiling.
    The right to opt-out from profiling protects consumers from having their data used as part of “solely automated decisions that produce legal or similarly significant effects concerning the consumer”.
  • Right to non-discrimination for exercising personal data privacy rights.
    Discrimination is defined as “denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer”.
  • Right not to have sensitive personal information processed if the consumer has not consented for the controller to do so.
    In the case of a known child (an individual under 13 years of age) any personal data relating to a child is defined as sensitive data and controllers must abide by the laws in the Children’s Online Privacy Protection Act 1998 (COPPA).

Under the Montana Consumer Data Privacy Act sensitive data is defined as information that reveals a person’s:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sexual orientation (as well as information about a person’s sex life)
  • Citizenship or immigration status
  • Genetic or biometric data for the purpose of uniquely identifying an individual
  • Precise geolocation (“information derived from technology that directly identifies the specific location of an individual with precision and accuracy within a radius of 1750 feet”).

Consumers can exercise their rights under Montana’s privacy law by submitting a request to a controller through a secure and reliable mechanism which allows the controller to verify their identity. A parent or legal guardian of a known child can exercise the child’s rights under the privacy law on their behalf.

No Later Than January 1, 2025: Global Privacy Controls Must Be Honored

Organizations subject to the Montana Consumer Data Privacy Act have until January 1, 2025 – three months from the effective date of the Act (October 1, 2024) – to comply with rules relating to Global Privacy Control (GPC) signals.

The Act’s GPC provision allows consumers to designate an authorized agent to act on their behalf and signal opt-outs preventing processing of their personal data for the purposes of targeted advertising, sale or profiling.

The rule states designation of opt-outs to an authorized agent can be “by way of a technology, including but not limited to an internet link or a browser setting, browser extension, or global device setting indicating a customer’s intent to opt out of such processing.”

Which Organizations are Subject to the Montana Consumer Data Privacy Act?

Montana’s data privacy law applies to any person or organization that:

  • Conducts business in Montana; or
  • Produces products or services that are targeted to residents of Montana;

and controls or processes the personal data of:

  • 50,000 or more consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • 25,000 or more consumers and derives more than 25% of gross revenue from the sale of personal data.

Unlike several other U.S. states’ data privacy laws, Montana’s consumer data privacy law does not have a revenue threshold for organizations to be subject to its obligations.

Organizations Exempt From Montana Data Privacy Law Obligations

Data Exempted from Montana Consumer Privacy Law Provisions

Complying with the Montana Consumer Data Privacy Act

Under Montana’s data privacy law, controllers must:

  • Limit the collection of personal data to only what is adequate, relevant and reasonably necessary to carry out the purposes disclosed to consumers;
  • Establish, implement and maintain reasonable security practices to “protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue”;
  • Provide an effective mechanism for consumers to revoke their consent that is at least as easy to use as the mechanism they used to give consent – and when a consumer revokes their consent, stop processing their personal data within 45 days of receiving the request;
  • Gain a consumer’s consent (opt-in) before processing:
    – sensitive personal data; and/or
    – personal data for the purposes of targeted advertising or sale (including personal data of known young people aged between 13 and 16);
  • Not process sensitive personal information concerning a child (under age 13) – unless in compliance with COPPA;
  • Not discriminate against a consumer for exercising any of their consumer rights;
  • Respond to a consumer’s request to exercise their rights under the Act within 45 days;
  • Publish a privacy notice that is reasonably accessible, clear and meaningful;
  • Conduct and document data protection assessments for processing activities that present heightened risks of harm to consumers.

Data processors must follow all instructions from a controller and help them meet their compliance obligations, including:

  • Responding to consumer rights requests;
  • Securing data during processing and if there is a security breach of the processor’s system, complying with rules for notifying such breaches;
  • Entering a binding contract with a controller that governs the processor’s data processing procedures performed on behalf of the controller (and requiring any subcontractor to enter a similar contract), including:
    – instructions for processing data;
    – nature and purpose of processing;
    – type of data subject to processing and duration of processing;
    – rights and obligations of both parties;
    – ensuring confidentiality of personal data is complied with by each person processing personal data;
    – at the controller’s direction, deleting or returning all requested personal data at the end of the contract (unless retention of the personal data is required by law);
    – complying with reasonable requests from the controller to provide all information necessary to demonstrate the processor’s compliance with the Act; and
    – cooperating with reasonable compliance assessments by the controller (or designated assessor).

Privacy Notice Requirements under Montana Data Privacy Law

A controller’s privacy notice must include:

  • List of categories of personal data processed by the controller;
  • List of purpose/s for processing personal data;
  • List of categories of personal data that may be shared by the controller with third parties – and the categories of these third parties;
  • A mechanism for consumers to contact the controller, such as a link to an active email address;
  • Information about how consumers can exercise their rights under Montana’s data privacy law, including details of how consumers can appeal a controller’s decision about such a request; and
  • One or more secure and reliable means for consumers to submit a request to exercise their rights under the Act.
    Note: any form or other method for submitting a request must be secure and reliable, it must consider the ways consumers normally interact with the controller, and it must allow the controller to verify a consumer’s identity.

Enforcement of Montana Consumer Data Privacy Act

The Montana Attorney General has exclusive authority to enforce violations of the Montana Consumer Data Privacy Act. Consumers do not have a private right of action but can report alleged violations to the AG’s office.

Before beginning any action against a controller alleged to have violated the Act, the AG will issue a notice of violation to a controller detailing the activities/incidents that are not compliant.

Until April 1, 2026, a 60-day cure period applies for alleged violations of the Act. If controllers do not correct violations during this timeframe the AG may begin legal action. After this date, the AG may initiate legal actions for alleged violations immediately.

Note: unlike other U.S. state data privacy laws, the text of the Montana Consumer Data Privacy Act does not mention the cost of fines, nor other penalties.
