Montana Consumer Data Privacy Act (MTCDPA): An Overview

Montana was the ninth state in the US to pass a consumer privacy bill, SB 384, with an effective date of October 24, 2024. As of May 19, 2023, when the law was passed, organizations have a little less than a year and a half to prepare for MTCDPA compliance.

Passing comprehensive state-level privacy laws is gaining momentum in the United States in 2023, with six laws passed between March and June: Iowa, Indiana, Tennessee, Montana, Florida, and Texas. Iowa and Indiana’s laws were passed before Montana’s, but come into effect later.

The law passed in Montana most closely aligns with the Connecticut Data Privacy Act (CTDPA). A federal law in the US has not been passed.

The Montana Consumer Data Privacy Act (MTCDPA) protects the privacy and personal data rights of Montana’s 1.1 million residents, and establishes data privacy responsibilities for companies doing business in the state or providing goods or services targeting Montana residents. In the course of doing business these organizations process consumers’ personal information. Like other states with data privacy laws, Montana defines a consumer as a resident of the state who is not acting in a commercial or employment context.

The MTCDPA uses an opt-out model, as do the laws in all the other states that have passed comprehensive data privacy regulations to date. This means that businesses that are required to become MTCDPA-compliant must inform consumers about data collection and processing that they perform, i.e. what data, for what purposes, third parties with whom the data will be shared, etc. Businesses must give consumers a way to opt out of data collection and processing. They and any third parties they engage for data processing must also implement reasonable security and protections.

Personal data

The MTCDPA uses a fairly standard definition of personal data (also called personal information in some other laws): “any information that is linked or reasonably linkable to an identified or identifiable individual”. The law excludes publicly available information or de-identified data.

The Act does not list specific examples of personal data, as some other state-level data privacy laws do, but common types include name, account/username, IP address, email address, Social Security Number, driver’s license number, or passport number.

Consent

The European Union’s General Data Protection Regulation (GDPR) set the standard for defining consent, which has been followed by many regulations passed since.

Under MTCDPA, consent is defined as: “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. The term may include a written statement, a statement by electronic means, or any other unambiguous affirmative action.”

Interestingly, Montana’s law includes some specific exceptions to consent, which are not present in many other laws, and which reflect common digital user experiences:

• acceptance of a general or broad term of use or similar document that contains descriptions of personal data processing along with other unrelated information
• hovering over, muting, pausing, or closing a given piece of content
• an agreement obtained using dark patterns

It is notable that Montana’s law, like Connecticut’s, includes a requirement for consumers to have a means to revoke their consent.

Sensitive data / sensitive personal information

This covers more specific categories of personal information, particularly that could cause harm if misused, including that which reveals:

• racial or ethnic origin
• religious beliefs
• mental or physical health condition or diagnosis
• information about a person’s sex life or sexual orientation
• citizenship or immigration status
• processing of genetic or biometric data for the purpose of uniquely identifying an individual
• personal data collected from a known child (under 13 years of age)
• precise geolocation data (within 1,750 feet or 533.4 meters)

Controller

Businesses that collect and process personal information will likely qualify as controllers, which the MTCDPA defines as “an individual who or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data”.

Processor

For businesses that share personal data for processing purposes, the business will be the controller and the third-party entity will be the processor, defined in the Montana privacy act as “an individual who or legal entity that processes personal data on behalf of a controller.”

Sale

This is defined as the “the exchange of personal data for monetary or other valuable consideration by the controller to a third party”. Several notable exclusions to the definition of sale of personal data include:

• disclosure of personal data to a processor that processes the personal data on behalf of the controller
• disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer
• disclosure or transfer of personal data to an affiliate of the controller
• disclosure of personal data in which the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party
• disclosure of personal data that the consumer intentionally made available to the public via a channel of mass media and did not restrict to a specific audience
• disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets

Targeted advertising

Refers to “displaying advertisements to a consumer in which the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated internet websites or online applications to predict the consumer’s preferences or interests.”

The goal is to use the personal data to predict the consumers’ interests and preferences to increase relevance and personalize the advertising experience.

Targeted advertising does not include:

• advertisements based on activities within a controller’s own internet websites or online applications
• advertisements based on the context of a consumer’s current search query or visit to an internet website or online application
• advertisements directed to a consumer in response to the consumer’s request for information or feedback
• processing personal data solely to measure or report advertising frequency, performance, or reach

The MTCDPA applies to organizations conducting business in Montana, and any business that offers products or services targeted to Montana residents. MTCDPA compliance has two primary threshold criteria for organizations (“controllers” under the law):

• control or process the personal data of at least 50,000 Montana residents during a calendar year

or

• derive over 25 percent of gross revenue from the sale of personal data and control or process personal data of 25,000 or more state residents

Montana’s resident number threshold is lower than many other states’, which is unsurprising given Montana’s relatively low population. Interestingly, it was originally 100,000 but was lowered in a House amendment.

Like some of the other more recently passed state-level data privacy laws, Montana’s will not have a revenue-only-based threshold. That means that companies otherwise would be required to comply with the regulation if their annual gross revenues exceeded a certain dollar threshold (e.g. US $25 million), even if they did not meet the threshold of the number of consumers’ whose data was processed.

Without this threshold, businesses of any size/value that meet the Montana privacy law’s personal data or personal data plus revenue percentage thresholds must become MTCDPA-compliant.

The exemptions in the Montana data privacy act are fairly consistent with the other existing US data privacy laws, deferring mainly to existing federal laws, including:

• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act
• Patient Safety and Quality Improvement Act
• Fair Credit Reporting Act (FCRA)
• Children’s Online Privacy Protection Act (COPPA)
• Family Educational Rights and Privacy Act (FERPA)
• Driver’s Privacy Protection Act
• Farm Credit Act (FCA)
• Airline Deregulation Act

Other exemptions include HR data, health records, research data for human subjects that are covered by other federal laws or standards, and data that is processed or maintained for employment-related purposes.

Exempted institutions include:

• state government entities
• national securities association
• financial institutions (also entities and affiliates subject to the Gramm-Leach-Bliley Act)
• insurance companies
• institutions of higher education
• nonprofit organizations

Exclusions to the MTCDPA’s definition of “consumer” include individuals acting in an employment or business context.

Consumers have a number of main personal information rights under the new data protection law.

• Right to access: confirmation if the controller is processing the consumer’s personal information and access to that data, with some exceptions
• Right to correction: any inaccurate or outdated information the controller has that was provided by the consumer
• Right to delete: any personal data the controller has about or from the consumer (with some exceptions)
• Right to portability: obtain a copy of the consumer’s personal data that the consumer previously provided to the controller, in a readily usable format, with some exceptions
• Right not to be discriminated against: controllers cannot unlawfully discriminate against consumers, including for exercising their rights
• Right to opt out: of sale of personal data, targeted advertising, or profiling “in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer”

Parents or guardians can exercise these rights on behalf of children. The most notable personal data right that is not included is private right of action, consumers’ ability to sue the controller in the event of a violation. To date only California residents have this right in the US.

Controllers must notify consumers of their rights and ways that consumers can exercise those rights by submitting a verifiable request to the company. The controller must include clear information on how to exercise consumer rights in their privacy notice or policy page on their website.

After a consumer request is received, the controller has 45 days to respond. There are some limited reasons that they can decline, including if the consumer’s identity cannot be reasonably verified or if the consumer submits an excessive number of requests in a 12-month period.

If there are extenuating circumstances preventing fulfilling a consumer request, once the consumer has been notified, that response period can be extended by 45 days if reasonably necessary.

If a controller denies a request, the consumer can appeal such a decision, and the controller has to provide information on how to do so. The controller has 60 days to respond to appeals.

Purpose limitation

Controllers can process personal data for the purpose(s) that they have communicated, as long as the processing is “adequate, relevant, and reasonably necessary” and proportional to those purposes.

Data security

Controllers must protect personal data by establishing, implementing and maintaining reasonable administrative, technical, and physical security measures. These measures should be appropriate to the nature and volume of personal information being processed.

Data protection assessments (DPA)

Controllers must conduct and document data protection assessments when they process information:

• for the purposes of targeted advertising
• to sell the personal data
• categorized as sensitive personal data
• for the purposes of profiling if there is a reasonably foreseeable or heightened risk of harm to consumers

The Attorney General can request a DPA from a controller for the purposes of investigating an alleged violation.

Consent requirements

Like other US states that have passed privacy laws, Montana uses an opt-out model, so user consent is not required before collecting and processing personal data in many cases. The exception is that consent must be obtained before collecting or processing sensitive personal data. Consumers must be given clear notice about processing and be able to opt out of sale, targeted advertising, or profiling.

Where children are concerned, the MTCDPA follows the federal Children’s Online Privacy Protection Act (COPPA). Consent from any known child’s parent or guardian must be obtained before processing of any personal data of any user known to be under 13 years of age. This would include all children’s personal data, as under Montana’s data privacy regulation data of children under 13 is classified as sensitive by default.

Montana’s law includes additional protection for children. If a known consumer is at least 13 years old, but younger than 16 years old, that consumer’s consent must be obtained prior to processing their personal data for the purposes of sale or targeted advertising.

Nondiscrimination

Controllers are prohibited from unlawful discrimination against consumers, and from processing personal data if doing so is in violation of state or federal laws governing discrimination. Controllers cannot discriminate against consumers for exercising their rights. For example, a consumer cannot be blocked from accessing a website if they opt out of allowing personal information collection.

However, there are often website features or functions that will not work without certain cookies being active, so if a consumer does not opt in to their use because they collect personal information, the site may not work optimally. This is not discriminatory.

Controllers can offer voluntary incentives like discounts for consumers’ voluntary participation in operations like an organization’s loyalty program or signing up for a newsletter, where these operations collect and process personal data. Such offers have to be reasonable, as data protection authorities tend to frown on disproportionate incentives as they start to look like bribes.

Transparency

Controllers must provide consumers with clear and accessible information about data processing. Commonly this appears on the company’s website in a privacy notice or policy. Under the MTCDPA, this information must include:

• categories of personal data processed by the controller
• purpose(s) for processing personal data
• how consumers may contact the controller, exercise their rights and/or appeal a controller’s decision (e.g. if a request for access is denied)
• categories of personal data that the controller sells to third parties, if any
• categories of third parties to whom the controller sells personal data, if any
• notice about the right to opt out of the sale of personal data to third parties or processing personal data for targeted advertising or profiling and how to exercise that right

Third party contracts

Controllers must have contracts in place with third-party processors (service providers) with clear information about:

• duty of confidentiality
• instructions for processing data
• nature and purpose of processing
• type of data subject to processing
• duration of processing
• rights and obligations of both parties

Universal opt-out signal

The Montana Consumer Data Protection Act is one of the few state-level laws that reference the Global Privacy Control (GPC) “universal opt-out” or similar mechanism. By January 1, 2025 the consumer must be able to “opt out of any processing of the consumer’s personal data for the purposes of targeted advertising, or any sale of such personal data through an opt-out preference signal sent with the consumer’s consent.”

While other recently passed state-level data privacy laws, like Indiana’s and Tennessee’s, do not reference this signal, California, Colorado, and Connecticut’s laws do. It is intended to standardize user consent online. Using it enables consumers to create a single set of their own personal data privacy consent preferences. These settings can then be communicated to all websites or apps that consumers visit, so users don’t have to set new preferences on every site. Use of this mechanism also helps ensure compliance with consumer privacy laws relevant to each user.

In Montana, the Attorney General has exclusive enforcement authority for the MTCDPA. As noted, the law does not provide consumers with private right of action, but they can report alleged violations or complaints about denial of requests to the Attorney General’s office. The Attorney General must provide parties with alleged violations against them with written notice that lists the violations.

There is a 60-day cure period when organizations can fix the issues and take steps to prevent recurrence. Cure periods in other state-level data privacy laws range from 30 to 90 days. Under the MTCDPA, the right to cure will sunset on April 1, 2026, similar to Colorado’s Privacy Act (CPA).

Organizations found to have violated the MTCDPA also have to notify the Attorney General that they have taken these repair actions, and provide a statement that no further violations will occur.

If the controller or any of their data processors are still in violation after the cure period, or after submitting their statement, the Attorney General can initiate investigative actions. Unlike most of the other state-level data privacy laws, the MTCDPA does not reference any specific dollar amount for fines for violating the law or other statutory damages. It just notes that the Attorney General can “bring an action”.

On May 18, 2023, Montana’s governor signed Senate Bill 419, banning popular social media app TikTok. The primary concern behind the move is to protect Montana residents’ personal data from Chinese authorities, though no direct evidence has ever been revealed of Chinese authorities accessing TikTok user data. TikTok’s parent company, Bytedance, is Chinese.

“All social media applications tied to foreign adversaries” were also prohibited on state equipment and for state business, and use of them by third parties conducting business on behalf of the state.

TikTok filed suit against the state of Montana soon after, calling the new law’s concerns “baseless”, with the main argument being that the ban is unconstitutional and a violation of free speech that is tantamount to censorship. While Montana’s governor has signed SB 419 into law, it does not go into effect until January 1, 2024.

The suit also argues that any alleged “national security threat” would be under federal, not state, jurisdiction. While there have been rumblings of a federal ban on TikTok in the United States, and a number of countries have banned it from government-issued devices, there is no federal restriction or ban on TikTok in the US to date. There have been threats to do so if Bytedance does not sell at least the US arm of the company to an American buyer.

Montana’s new law banning TikTok puts the onus on companies that run app stores, like Apple and Google, to prevent the app from being downloaded or accessed in the state. Failure to do so carries the risk of fines up to US $10,000 per day for those companies and TikTok itself.

TikTok does have “Project Texas” in play in response to US data privacy and security concerns. This project is a US $1.5 billion data security plan, in collaboration with software giant Oracle, which is based in Austin, Texas, and would see American TikTok users’ data stored exclusively on US-based servers and administered by a US-based team.

Montana’s consumer privacy law reflects the opt out model, as do all other current US state-level data privacy laws, except where sensitive personal data is concerned. Under this model, controllers do not have to obtain user/data subject consent prior to collecting or processing personal data.

Consumers do have to be provided with the option of opting out of collection and processing of their personal data for sale, targeted advertising, or profiling at any point. Information about that must be provided on the website, typically under the privacy notice/policy page.

The mechanism to enable users to opt out of data processing can be presented in a banner and displayed, most commonly as a link or button. A consent management platform (CMP) like Usercentrics’ also helps to automate detection of the cookies and other tracking technologies in use on websites and apps. Use of a CMP streamlines collecting and providing the information to users about categories of data and specific services in use by the controller and/or processor(s), and third parties with whom data is shared. Montana’s privacy law, and most data privacy regulations around the world, require this notification.

Because the United States does not have a single federal data privacy law, companies doing business across the country and/or with other countries may need to comply with multiple consumer privacy laws to protect data. (Learn more: Comparing US state-level data privacy laws) A CMP can make this easier by enabling banner customization and geotargeting. Data processing, consent information and choices for specific regulations can be presented based on specific user location. Geotargeting can also improve clarity and user experience by presenting this information in the user’s preferred language.

This will enable companies to achieve data privacy MTCDPA compliance, as well as other current and upcoming regulations across the United States. For companies doing business internationally, using a consent management platform also enables compliance with regulations like the GDPR, which has more strict consent management requirements than the laws in the US.

Organizations doing business in Montana have until late 2024 to prepare for compliance with the MTCDPA. If they have already achieved compliance with other state-level data privacy laws in the US, like Connecticut’s, a good portion of the work is already done. As always, a privacy by design approach will benefit all operations in an organization, whether specifically for regulatory compliance or not.

Achieving MTCDPA compliance will mainly be a matter of confirming the Montana law’s specific requirements and having a solution in place to provide users with the necessary notifications and opt-out options. The Usercentrics Consent Management Platform can help on companies’ websites with cookie and tracking notification and management.

Updates to the MTCDPA are likely over time, as these US regulations are all in their first version, and both technology and consumer expectations are rapidly changing. The MTCDPA does not include private right of action, so consumer class-actions lawsuits will not be a potential influence on future amendments to Montana’s privacy law as they may be in California.

Consulting qualified legal counsel and/or your organization’s data privacy expert, like a Data Protection Officer, is recommended to ensure responsibilities are met.

Beyond just meeting requirements, being proactive about protecting user privacy is a valuable business effort. It builds user trust and engagement, provides better user experiences, and strengthens customer relationships long-term, which leads to more high quality data for marketing operations and boosts revenue.

If you have questions or interest in implementing a consent management platform to help achieve compliance with privacy laws in the United States and around the world, talk to one of our experts.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.