Montana Consumer Data Privacy Act Goes Into Effect Today
Montana Consumer Data Privacy Act (MTCDPA) went into force today, on October 1, 2024. This law has significant implications for companies operating in Montana, as it introduces new compliance requirements with a comparatively low threshold for applicability. Businesses should carefully assess their data handling practices to ensure adherence to the MTCDPA’s provisions, given its broad reach and potential impact on a wide range of enterprises within the state.
MTCDPA’s Key Provisions:
- Applicability
The MTCDPA applies to companies that:
- Control or process personal data of at least 50,000 Montana residents (excluding payment transaction data); and
- Control or process personal data of at least 25,000 Montana residents and derive over 25% of gross revenue from personal data sales.
This threshold is notably lower than other state privacy laws, likely due to Montana’s smaller population.
- Consumer Rights
The MTCDPA grants consumers several rights, including:
- Confirmation and access to personal data
- Correction of inaccuracies
- Deletion of personal data
- Data portability
Controllers must respond to requests within 45 days, with a possible 45-day extension.
- Sensitive Data Protection
The law prohibits processing of sensitive data without consumer consent. Sensitive data includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship and immigration status
- Genetic and biometric data
- Precise geolocation data
- Personal data of known children under 13.
- Universal Opt-Out Mechanisms
By January 1, 2025, controllers must recognize universal opt-out mechanisms for personal data sales and targeted advertising.
- Data Protection Impact Assessments
Data controllers will be required to conduct assessments for processing activities “created or generated” after January 1, 2025 that present heightened risks, such as:
- Targeted advertising
- Personal data sales
- Sensitive data processing
- Certain profiling activities.
- Enforcement and Compliance
The Montana Consumer Data Privacy Act grants exclusive enforcement authority to the Montana Attorney General. During the initial implementation phase, a temporary 60-day cure period is available for businesses to address potential violations, but this provision will expire on April 1, 2026. Notably, the Act does not include a private right of action, meaning individual consumers cannot file lawsuits against businesses for alleged violations of the law.
Next Steps for Businesses
- Assess applicability based on the MTCDPA’s thresholds
- Review and update privacy notices and data processing practices
- Implement mechanisms for honoring consumer rights requests
- Prepare for universal opt-out mechanism recognition
- Conduct necessary data protection impact assessments
- Review and update processor contracts
Businesses should closely monitor developments and seek legal counsel to ensure full compliance with the MTCDPA.
Conclusion
The Montana Consumer Data Privacy Act going into force further underscores the ongoing evolution of privacy law landscape in the United States. Companies with operations spanning multiple states must stay alert to emerging state-level privacy laws and consider consulting legal experts to ensure full compliance.
By taking a proactive approach to adapting your data handling practices, you can better position yourself to navigate the increasingly complex regulatory landscape. This forward-thinking strategy not only aids in compliance but also aligns with growing consumer expectations regarding the protection of personal information.
NEED HELP WITH DATA PRIVACY AND SECURITY LAW COMPLIANCE?
The CommLaw Group Can Help!
If your company has questions about its data privacy and security obligations under state and federal laws and FCC rules or would like specific guidance on becoming compliant with the Montana Consumer Data Privacy Act, please contact Diana James at Tel: 703-663-6757 / E-mail: daj@commlawgroup.com.