In May 2023, Montana became yet another State to enact a consumer data privacy/protection statute. Montana’s version is called the “Montana Consumer Data Privacy Act.” The MCDPA will take effect in October 2024. In this article (Parts One and Two), we will provide a brief summary of the MCDPA. In Part One, we will summarize the applicability of the MCDPA and the rights that are given to Montana consumers.

In most respects, the MCDPA is not very different from other consumer privacy statutes. Like other statutes, the MCDPA distinguishes between “controllers” of consumer data/information and “processors.” Controllers are individuals or legal entities that, alone or jointly with others, determine the purpose and means of processing personal data. Processors are individuals or companies that process that data/information on behalf and per the instructions of the controllers.

As with similar statutes, the MCDPA applies to any person or company that conducts business in Montana or produces products or services that are targeted to the residents of Montana that also controls or processes personal data of not less than 50,000 Montana residents (other than the processing of personal data solely for the purpose of completing a payment transaction) or that controls or processes personal data of more than 25,000 Montana residents and derives more than 25% percent of its gross revenue from the sale of personal data.

Evident here is one of the oddities of the MCDPA. As far as we can tell, this is the first consumer data privacy statute that has excluded payment processing transactions for purposes of determining the applicability of the statute.

As with similar statutes, the MCDPA has many exceptions with respect to applicability. For example, not-for-profits, government agencies, and institutions of higher education are excluded from the applicability of the Act. Likewise, various types of data are excluded, such as health-related data and similar records under various federal and state statutes, research data and information, etc. Note that the MCDPA also does not apply to business-to-business transactions and to data that is employment-related.

The MCDPA is also similar to other statutes in that consumers are provided with a list of various rights. For example, Montana’s consumers are given the rights to:

• Correct inaccurate personal data
• Delete personal data
• Obtain a copy of the consumer’s personal data
• Opt out of the processing of the consumer’s personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer

In addition, Montana’s consumers are also given another right, but with a strange exception. This is the right to confirm whether the controller is processing the consumer’s data and provide access to the consumer’s data “unless such confirmation or access would require the controller to reveal a trade secret.” This exception seems unique among the various versions of the consumer privacy statutes. A lot of data collection and processing might be hidden under the label “trade secret.”

Data controllers have various duties imposed upon them, including the duties to give notice to consumers and obtain consent for the processing of consumer data. One interesting feature here is the statute’s granting to consumers the right to have an “authorized agent” signal the consumers’ choice. What is interesting is this language: “The consumer may designate an authorized agent by way of a technology, including but not limited to an internet link or a browser setting, browser extension, or global device setting indicating a customer’s intent to opt out of such processing.” This language seems unique among the consumer privacy statutes.

Another interesting difference from other consumer privacy statutes is the statutory definition that says that “consent” cannot be inferred from the “…. hovering over, muting, pausing, or closing a given piece of content…” This has become an issue since many consumers routinely ignore or close various pop-up boxes related to these consumer privacy statutes. Companies are taking the legal position that those actions are “consent.” Montana lawmakers say otherwise.

The MCDPA contains relatively standard rules with respect to consumers contacting data controllers to exercise their rights. Generally, some response is required within 45 days, there must be an appeal process, and the controller’s response to an appeal must be in writing within 60 days.

In Part Two, we will summarize what obligations are imposed on controllers under the Montana Consumer Data Privacy Act.

Contact the Consumer Data Privacy Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.