In this compliance guide, we will discuss the following items with regard to the MCDPA:
- Who needs to comply with Montana’s privacy law?
- How the law defines personal data;
- The privacy rights provided to residents of Montana;
- The penalties for non-compliance; and
Who needs to comply with Montana’s new privacy law?
Similar to other privacy laws, the MCDPA has a broad reach and can apply to businesses outside of Montana. The MCDPA applies to persons that do business in Montana or that produce products or services that are targeted to residents of Montana and meet one or more of the following factors:
- Control or process the personal data of not less than 50,000 Montana residents (excluding personal data controlled or processed solely for completing payment transactions); or
- Control or process the personal data of not less than 25,000 Montana residents and derive more than 25% of gross revenue from the sale of personal data.
The law exempts nonprofit organizations, higher education institutions, national securities associations, financial institutions and entities that need to comply with HIPAA.
How does Montana’s privacy law define personal data?
The MCDPA defines personal data as “any information that is linked or reasonably linkable to an identifiable individual.” This means that data commonly collected through business websites, such as names, email addresses, phone numbers, IP addresses, or billing addresses, would be covered by this new privacy law. The law does not consider deidentified data or publicly available information to be personal data.
What privacy rights are provided to residents of Montana by the MCDPA?
Montana’s privacy law was passed to protect residents of Montana by providing them with the following privacy rights:
- The right to confirm whether a controller is processing the individual’s personal data and access their data;
- The right to correct inaccuracies in the consumer’s personal data;
- The right to delete the consumer’s personal data;
- The right to obtain a copy of the consumer’s personal data in a portable format that allows the consumer to transmit the personal data to another controller;
- The right to opt out of targeted advertising;
- The right to opt out of the sale of the consumer’s personal data;
- The right to opt out of the use of the consumer’s personal data for profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer;
- The right to not be discriminated against for exercising privacy rights.
Businesses that need to comply with this law will have 45 days to respond to consumer privacy rights requests, which may be extended by an additional 45 days if needed. Consumers will also have the right to appeal any decision made by the business with regard to a privacy rights request.
- The categories of personal data processed;
- The purpose of processing the personal data;
- The categories of personal data shared with third parties, if any;
- The categories of the third parties, if any, with whom the personal data is shared;
- An active e-mail address or other contact method which consumers can use to contact the controller;
- How consumers may exercise their privacy rights;
- How consumers may appeal a decision with regard to their privacy rights requests.
Penalties for failure to comply with Montana’s new privacy law
Montana SB384 does not provide a private right of action but will instead be enforced by the Montana Attorney General. Companies will receive a 60-day period in which they can cure a violation of the law; this cure period will end on April 1, 2026.
Termageddon’s plan for the MCDPA