How to Prepare for Montana Consumer Data Privacy Law

They’re Coming Fast and Furious!

On April 21, 2023, the Montana Consumer Data Privacy Act (MCDPA) passed unanimously in the House following two Senate concurrence votes. Interestingly, a comprehensive information privacy law passed in Tennessee on the very same date. Together with Indiana, that makes a whopping three privacy laws passed in exactly a week!

The bill has been sent to Montana Governor Greg Gianforte, and he will either sign it, veto it, or have it passed into law without his signature.

Structured similarly to Connecticut’s CTDPA, Montana’s law stands out as the first data privacy bill from a Republican-majority state legislature to require controllers to provide universal opt-out mechanisms.

The MCDPA was definitively passed with a unanimous vote and had support on both sides of the partisan divide. Businesses will have until October 1, 2024, to comply with the law. 

Key Takeaways of the MCDPA

Scope

Because Montana is a state with a population of just over 1 million, the Montana consumer privacy protection act lowers the 100,000-citizen threshold used in other state privacy laws to 50,000. Under the law, businesses that process or handle the personal information of at least 50,000 citizens of Montana are covered by the bill.

For context, 50,000 people are 4.52% of Montana’s population. In this sense, Montana’s 50,000 threshold covers a higher percentage of state residents than any other state privacy law.

Controllers Must Recognize Universal Opt-out Mechanisms

The law requires controllers to recognize universal opt-out mechanisms, like the Global Privacy Control, and to act on consumer requests to opt out of the sale of personal data and of targeted advertising. Tools like these were developed by privacy advocates and allow consumers to automatically send an opt-out command to every website they visit.

In addition, the measure will require that covered companies display noticeable links that allow consumers to opt out of targeted advertising.

An earlier version of the Montana data privacy law wouldn’t have given consumers the right to avoid having pseudonymous data used for ad targeting, and wouldn’t have required companies to honor universal opt-out signals. Advocacy group Consumer Reports pushed for an amendment of the Montana privacy act, which was revised after the organization raised concerns about the initial version.

“We commend Montana lawmakers for advancing meaningful privacy legislation that will help protect the personal information of their constituents,” Matt Schwartz, a policy analyst at Consumer Reports, stated.

Definition of Data Sales Beyond Monetary

In the MCDPA, “sale of personal data” is defined as the exchange of personal data for monetary or other valuable consideration by the controller to a third party.

The term does not include: 

  1. the disclosure of personal data to a processor that processes the personal data on behalf of the controller
  2. the disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer
  3. the disclosure or transfer of personal data to an affiliate of the controller
  4. the disclosure of personal data in which the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party
  5. the disclosure of personal data that the consumer:
    1. intentionally made available to the public via a channel of mass media
    2. did not restrict to a specific audience
  6. the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets. 

Additional Safeguards for Children’s Privacy

Children between the ages of 13 and 15 are given enhanced privacy safeguards under Montana law. In situations where a controller has actual knowledge that the consumer is at least 13 but under 16 years old, the controller may not use the consumer’s personal data for the purpose of targeted advertising or sell the consumer’s personal data without the consent of the consumer. Connecticut and California have legislation with similar restrictions.

Broader Privacy Rights

The legislation enables state residents to ask a controller to erase any personal information they have collected on them, as opposed to limiting consumer control to information the consumer has provided directly to them.

Notably, opt-out requests do not need to be authenticated under Montana law. In other words, a resident of Montana won’t need to provide identification to refuse to have their personal information sold for the purpose of targeted advertising or certain forms of profiling. 

Right to Cure and Sunset Timeframe

The MCDPA provides businesses with a window of opportunity to cure before the Attorney General takes enforcement action. This provision, however, is set to be canceled two years after the law goes into effect. 

Effective Date

If signed by the Governor, the Montana law will go into effect on October 1, 2024. That’s earlier than Indiana and Iowa, which passed in the last month.

How to Prepare for the MCDPA

Businesses already in compliance with other state privacy laws are not going to need a major overhaul to their compliance management systems. For those that are starting now, here is a to-do list to get started with compliance. Feel free to reach out to our team at Centraleyes to help you get further on the road.

  • Perform a gap analysis to see where you stand in relation to a given standard or law
  • Create a data inventory to identify how PII is collected and processed
  • Update privacy policies to support privacy law compliance
  • Update consumer request procedures
  • Review and update your written information security plan

Centraleyes can help you comply with the 2023 state privacy laws and give you the tools you need to develop your cyber maturity through an intuitive, risk-based workflow. Doing so will further help your business prepare for additional consumer privacy laws that are definitely going to emerge this year. 
