On May 23, 2023 the Montana Consumer Data Privacy Act (MCDPA) was enacted, providing the residents of Montana with privacy rights and protections. This law will go into effect on October 1, 2024, imposing requirements such as having a Privacy Policy on businesses that need to comply with this law.
In this Compliance Guide, we will discuss the following items with regard to the MCDPA:
- Who needs to comply with Montana’s privacy law?
- How the law defines personal data;
- The privacy rights provided to residents of Montana;
- The Privacy Policy requirements of the MCDPA;
- The penalties for non-compliance; and
- How Termageddon will handle Privacy Policy updates for this new law.
Table of Contents
Who needs to comply with Montana’s new privacy law?
Similar to other privacy laws, the MCDPA has a broad reach and can apply to businesses outside of Montana. The MCDPA applies to persons that do business in Montana or that produce products or services that are targeted to residents of Montana and meet one or more of the following factors:
- Control or process the personal data of not less than 50,000 Montana residents (excluding personal data controlled or processed solely for completing payment transactions); or
- Control or process the personal data of not less than 25,000 Montana residents and derive more than 25% of gross revenue from the sale of personal data.
The law exempts nonprofit organizations, higher education institutions, national securities associations, financial institutions and entities that need to comply with HIPAA.
How does Montana’s privacy law define personal data?
The MCDPA defines personal data as “any information that is linked or reasonably linkable to an identifiable individual.” In addition, the law does not consider deidentified data or publicly available information as personal data. This means that data commonly collected through business websites such as names, email addresses, phone numbers, IP addresses, or billing addresses would be covered by this new privacy law.
What privacy rights are provided to residents of Montana by the MCDPA?
Montana’s privacy law was passed to provide protections to residents of Montana by providing them with the following privacy rights:
- The right to confirm whether a controller is processing the individual’s personal data and access their data;
- The right to correct inaccuracies in the consumer’s personal data;
- The right to delete the consumer’s personal data;
- The right to obtain a copy of the consumer’s personal data in a portable format that allows the consumer to transmit the personal data to another controller;
- The right to opt out of targeted advertising;
- The right to opt out of the sale of the consumer’s personal data;
- The right to opt out of the use of the consumer’s personal data for profiling in furtherance of solely automated decisions that produce legal similarly significant effects concerning the consumer;
- The right to not be discriminated against for exercising privacy rights.
Businesses that need to comply with this law will have 45 days to respond to consumer privacy rights requests, which may be extended by an additional 45 days if needed. Consumers will also have the right to appeal any decision made by the business with regard to a privacy rights request.
Montana Consumer Data Privacy Act Privacy Policy requirements
Montana’s new privacy law requires businesses that need to comply with the law to have a Privacy Policy that includes the following disclosures:
- The categories of personal data processed;
- The purpose of processing the personal data;
- The categories of personal data shared with third parties, if any;
- The categories of the third parties, if any, with whom the personal data is shared;
- An active e-mail address or other contact method which consumers can use to contact the controller;
- How consumers may exercise their privacy rights;
- How consumers may appeal a decision with regard to their privacy rights requests.
Businesses will need to ensure that their Privacy Policy is updated with these new disclosures prior to the law’s effective date.
Penalties for failure to comply with Montana’s new privacy law
Montana SB384 does not provide a private right of action but will instead be enforced by the Montana Attorney General. Companies will receive a 60 day period in which they can cure a violation of the law, which will end on April 1, 2026.
Termageddon’s plan for the MCDPA
We will continue to track this new law and any accompanying regulations. If your Privacy Policy has already been generated with Termageddon, we will send you an email and will update your Privacy Policy accordingly if this privacy law applies to you. If you are not a Termageddon customer, do not have a Privacy Policy or do not have a strategy to keep it up to date with changing privacy laws such as this one, make sure to check out the Termageddon Privacy Policy generator.
