Montana Passed Comprehensive Consumer Privacy Legislation

13 Jun

Update Applicable to:

Applicable to any for-profit business (subject to certain exemptions) that conducts business in Montana or produces products or services that are targeted to Montana residents and meets any one of two criteria listed below.

What happened?

This is an update to our previous communication (Link). The Montana Consumer Data Privacy Act (MCDPA) was signed into law on 5/19/2023 and is effective as of October 1, 2024.

What are the details?

Businesses subject to the MCDPA must meet any one of the two following criteria:

  • During a calendar year, the business controls or processes personal data of at least 50,000 Montana residents; or
  • Controls or processes personal data of at least 25,000 Montana residents and derives more than 50% of gross revenue from the sale of personal data.

Personal information (which is the same as “personal data” in Montana) is defined broadly and includes data that you may not think of. This includes data that can directly or indirectly identify a consumer.

Data can indirectly identify an individual if it can reasonably be associated with other data to identify them. 

Montana does NOT treat employees as consumers. Therefore, the law fully exempts data collected in the employment context, whether from employees, job applicants, or independent contractors. This exemption for employee data subjects does not have a sunset. It is a permanent exemption. Also, there is no private right of action under either law that would allow individuals to sue for any violation. 

Other notable provisions of the MCDPA include:

  • Exclusions: The statute exempts, among other things, non-profits, government entities, institutions of higher education, financial institutions, and personal data governed by the GLBA, covered entities or business associates and information and data subject to HIPAA, information governed by FERPA, and certain information that is regulated by FCRA.
  • B2B data: As with the other state laws, aside from the CCPA, the MCDPA excludes from its definition of “consumer” the data of individuals acting in a commercial context.
  • Consumer rights: Consumer rights include: (1) the right to demand deletion of data; (2) the right to access data; (3) the right to correct data; (4) the right to data portability for data previously provided by the consumer; (5) opt-out rights for the purpose of targeted marketing, the sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer; and (6) the right to revoke consent.
  • Authentication of requests: Controllers are not required to authenticate opt-out requests but may deny the request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent.
  • Right to appeal: If a consumer’s request is denied, the controller must provide instructions for how to appeal the decision. Controllers must establish an appeal process for consumers that is conspicuously available and similar to the process for submitting requests to initiate action pursuant to the statute.
  • Additional rights for children: Controllers may not, among other things, process the personal data of a consumer for the purpose of targeted marketing or sale of the data without consent if the controller has actual knowledge that the consumer is between 13 and 16 years old.
  • Opt-out preference signals: The MCDPA will require businesses to recognize browser privacy signals. The deadline for doing so is January 2025.
  • Data protection assessments: The MCDPA requires data protection assessments for each processing activity that presents a heightened risk of harm to a consumer, including for purposes of: (1) targeted advertising; (2) the sale of personal data; (3) the processing of personal data for the purposes of profiling in which the profiling presents certain reasonably foreseeable risks; (4) the processing of sensitive data. Controllers may use data protection assessments performed to comply with other state laws, as long as the assessment is reasonably similar in scope and effect to that required by the Montana law. Data protection assessment requirements must apply to processing activities created or generated after January 1, 2025.
  • Penalties: The statute does not specify penalties or capped damage amounts.
  • Right to cure: The statute contains a 60-day cure period for violations that sunsets after April 1, 2026.
  • Rulemaking: The statute does not contain any provision for rulemaking by the attorney general.

For more information, please see the links below:

Bill SB384

Bill Page: LINK

Law Firm Article: LINK

What do employers need to do?

Employers subject to the MCDPA should develop a roadmap for compliance and begin executing on the plan. The Fisher Phillips law firm suggests employers conduct a gap assessment of their current data collection and privacy practices, as that would help identify immediate vs. long-term priorities. The next step would be completing the employer’s data inventory, the results of which would feed into the drafting of compliant privacy notices and policies.

Need help understanding how changes to employment laws will affect your business?

Learn more about how Vensure's Montana PEO services can help you navigate complex employment laws and keep your business compliant.


This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.
