Montana Governor Greg Gianforte signed Senate Bill 384, the Montana Consumer Data Privacy Act (MTCDPA), on May 19, 2023. The consumer privacy law will become effective on October 1, 2024, and requires covered entities that process personal data to comply with several transparency and disclosure obligations. The MTCDPA follows the structure and scope of other US state data privacy laws, including the California Consumer Privacy Act, Tennessee Information Protection Act, and Colorado Privacy Act.
This article provides a comprehensive overview of the Montana Consumer Data Privacy Act, revealing the regulation's scope, key definitions, requirements, and consumer rights. Keep reading to learn if your organization needs to comply with the MTCDPA.
Streamline compliance across your third-party ecosystem with UpGuard Vendor Risk>
Who does the MTCDPA apply to?
The Montana Consumer Data Privacy Act imposed obligations on data controllers and processors who meet both of the following location and volume applicability requirements:
- Location: Conduct business in Montana or produce products or services that target Montana residents
- Volume: Control or process the personal data of more than 49,999 Montana residents (excluding data processed solely for payment transactions) or control OR process the personal data of more than 24,999 Montana residents and derive more than 25 percent of its gross revenue from the sale of consumer data
Exemptions
The Montana Consumer Data Privacy Act does not apply to entities regulated by the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act (HIPAA), government agencies, nonprofit organizations, institutions of higher education, or the business associates of any of these groups. The MTCDPA also does not apply to specific data classes, including HIPAA-regulated health records, research data, credit reports, employment-related data, and data overseen by the Family Educational Rights and Privacy Act, Fair Credit Reporting Act, or the federal Farm Credit Act.
Data controllers and processors
Following in the footsteps of many other US state data privacy laws, the MTCDPA utilizes the regulatory framework set forth by the European Union’s General Data Protection Regulation (GDPR). The GDPR and MTCDPA distinguish responsibilities and obligations between data controllers and processors:
- Data controllers: Individual or entity that, either alone or with others, determines the purpose and means of processing personal data
- Data processors: Individual or entity that, either alone or with others, processes personal data on behalf of a controller
In addition to providing definitions for data controllers and processors, the Montana privacy law also highlights information on the types of data its obligations and requirements apply to.
De-identified and personal data
The Montana Consumer Data Protection Act applies to personal data only and excludes de-identified data from its scope. The MTCDPA defines de-identified data as any type of data that cannot be used to reasonably infer information about or otherwise be linked to an identified or identifiable person. Like other state privacy laws, the MTCDPA requires data controllers to take reasonable measures to ensure that de-identified data cannot be associated with an individual in the future.
What rights does the MTCDPA grant to consumers?
The Montana Consumer Data Protection Act grants rights to Montana residents acting in an individual capacity and otherwise defined by law as consumers. Under the MTCDPA, consumers have the following rights:
- Confirmation: The right to confirm whether a controller is processing their data
- Accessibility: The right to request access to the data a controller has collected
- Correction: The right to correct inaccuracies in personal data
- Deletion: The right to request a controller delete collected data
- Portability: The right to obtain a copy of the data a controller has collected
- Opt out: The right to opt out of the processing of personal data for the purposes of targeted advertising, sale, or automated profiling.
Once a consumer submits a request, data controllers have 45 days to respond. Given the complexity or number of consumer requests received, the Montana Attorney General’s Office may extend this period by 45 days when reasonably necessary.
The MCDPA also grants consumers the right to appeal a controller’s refusal to complete a request. If an appeal is submitted, the controller has 60 days to respond and must provide the consumer with a method to contact the Montana Attorney General if they deny the appeal.
What obligations does the MTCDPA require controllers to follow?
Under the MTCDPA, data controllers must comply with several transparency and disclosure requirements. Data controllers must also limit what data they collect and how they collect consumer information to comply with the regulation. The MTCDPA includes the following obligations:
- Limited collection: The MTCDPA requires data controllers to limit their collection of a consumer’s personal data to what is reasonably necessary for the disclosed data processing purposes.
- Data security controls: The MTCDPA requires data controllers to establish and maintain reasonable data security safeguards (administrative, technical, and physical) to protect the confidentiality and integrity of consumer data.
- Customer consent: The MTCDPA requires data controllers to obtain consumer consent before processing sensitive data (genetic or biometric information that identifies an individual or reveals an identifiable individual’s, race, religion, health, immigration status, or precise geolocation data).
- Privacy notice: The MTCDPA requires data controllers to provide a clear and accessible privacy policy. The notice must include the categories of personal data that they will process, the purpose for processing the data, the categories of data that they will share with third-party vendors and service providers, the categories of third parties that will receive the data, contact information, and an explanation of how data subjects can exercise the rights granted to them by the MTCDPA.
- Sale of personal data: The MTCDPA requires data controllers to disclose if they sell consumer data to third parties or participate in targeted advertising.
- Universal opt-out mechanism: The MTCDPA requires data controllers to allow consumers to opt out of the sale or processing of their data for targeted advertising (effective January 1, 2025).
- Data protection assessment: The MTCDPA requires data controllers to conduct a data protection impact assessment on any processing activity that presents a risk to consumers, including targeted advertising, the sale of data, and the processing of sensitive data. Data controllers must also conduct impact assessments on their profiling activities.
- De-identified data: The MTCDPA requires data controllers who have collected de-identified data to take reasonable security measures to ensure the data cannot be re-identified or connected to an individual in the future. Data controllers must also contractually obligate any third parties or other recipients of the data to comply with the MTCDPA.
- Data of a known child: The MTCDPA aligns with the Children’s Online Privacy Protection Act (COPPA) and requires data controllers to obtain parental consent before processing the data of any child under 13 years of age.
What obligations does the MTCDPA require processors to follow?
Data processors are not required to follow the regulations imposed on data controllers. However, the MTCDPA does require data processors to assist controllers in meeting their obligations under the act. These duties include helping the controller process requests submitted by consumers. The MTCDPA also requires data controllers and processors to sign a formal contract that outlines relevant consumer privacy obligations before entering a partnership.
Penalties, fines, and MTCDPA enforcement
Unlike the California Consumer Privacy Act, the Montana Consumer Data Privacy Act does not grant consumers the private right of action. Instead, the act grants the Montana Office of the Attorney General the exclusive authority to enforce requirements and impose violations.
When the Montana Attorney General becomes aware of a violation, it must notify the controller before taking action or imposing any penalty. The violating controller will then have a 60-day cure period to provide an express written notice to the Montana Attorney General’s Office. This notice should include evidence that the controller has corrected the violations and taken reasonable measures to ensure similar violations do not occur in the future.
Unlike other data privacy laws in the United States, the MTCDPA does not specify a civil penalty amount for violations committed under the act.
Important note: The cure period afforded to data controllers is temporary. The Montana Attorney General will terminate this provision eighteen months after the MTCDPA becomes effective (April 1, 2026).
List of US state privacy regulations
- California Privacy Rights Act
- Colorado Privacy Act
- Connecticut Personal Data Privacy and Online Monitoring Act
- Delaware Personal Data Privacy Act
- Indiana Consumer Data Protection Act
- Iowa Consumer Data Protection Act
- Kentucky Consumer Data Protection Act
- Montana Consumer Data Privacy Act
- New Hampshire Senate Bill 255
- New Jersey Senate Bill 332
- Oregon Consumer Privacy Act
- Tennessee Information Protection Act
- Texas Data Privacy and Security Act
- Utah Consumer Privacy Act
- Virginia Consumer Data Protection Act
Streamline Your Organization’s MTCDPA compliance with UpGuard
Managing compliance with the MTCDPA and other US state privacy laws can be challenging, especially if your organization relies on a sizeable third-party ecosystem. Given the strict requirements of the Montana Consumer Data Privacy Act, your organization should develop a compliance management program to ensure comprehensive compliance across its first and third-party operations.
UpGuard offers organizations of all industries robust third-party risk management (TPRM) solutions that help identify, assess, and remediate third-party compliance risks all in one intuitive software.
Here’s how UpGuard has helped organizations similar to yours with TPRM and compliance management:
- Mattress Firm: “When I add a new vendor in UpGuard, I see their ratings and download the report to keep as a baseline. I can also identify any outstanding remediation issues on existing vendors and ensure they’re resolved.”
- Rimi Baltic: “Before UpGuard, conducting proper research for each vendor would eat up a lot of time – Does it comply with our requirements? Where is their data located? Do they have privacy policies? UpGuard has saved us a significant amount of time with its automation process. I would say it definitely saves us a few days per month. For example, in initial research that would have taken me 1-2 hours, I can get that answer in 5-10 minutes.”
- Wesley Mission Queensland: “One of the best features of the platform is being able to bring all our vendors into one place and manage it from there. We can also set reassessment dates which means we don’t have to manage individual calendar reminders for each vendor.”
These and other UpGuard customers have elevated their TPRM programs with UpGuard Vendors Risk’s powerful features and tools:
- Vendor risk assessments: Fast, accurate, and comprehensive view of your vendors’ security posture
- Security ratings: Objective, data-driven measurements of an organization’s cyber hygiene
- Security questionnaires: Flexible questionnaires that accelerate the assessment process and provide deep insights into a vendor’s security
- Reports library: Tailor-made templates that support security performance communication to executive-level stakeholders
- Risk mitigation workflows: Comprehensive workflows to streamline risk management measures and improve overall security posture
- Integrations: Application integrations for Jira, Slack, ServiceNow, and over 4,000 additional apps with Zapier, plus customizable API calls
- Data leak protection: Protect your brand, intellectual property, and customer data with timely detection of data leaks and avoid data breaches
- 24/7 continuous monitoring: Real-time notifications and new risk updates using accurate supplier data
- Attack surface reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting
- Trust Page: Eliminate having to answer security questionnaires by creating an UpGuard Trust Page
- Intuitive design: Easy-to-use first-party dashboards
- World-class customer service: Plan-based access to professional cybersecurity personnel that can help you get the most out of UpGuard
Get started with UpGuard Vendor Risk today.