The Montana House of Representatives passed the Consumer Data Privacy Act and returned it to the Senate on April 17, 2023, before it heads to the Governor’s office for signature.
Which businesses does this law apply to?
The law applies to companies that conduct business in Montana, or that produce products or services targeted to Montana residents, and that fall under the following categories:
What are the key highlights of the law?
Let’s take a look at how the Montana Consumer Data Privacy Act defines consent, sensitive data, the “sale” of personal data, consumer rights, and data protection impact assessments.
Consent
Under Montana’s law, consent is defined as the “clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data.” It further states that consent may be given by a written statement, an electronic statement, or any other action that qualifies as unambiguous and affirmative.
Montana primarily relies on an opt-out mechanism for how data controllers obtain consent.
Sensitive Personal Information (SPI)
Data that falls under the following categories constitutes SPI as defined by Montana’s Consumer Data Privacy Act:
The law also provides that data controllers may process a consumer’s sensitive data only with the consumer’s consent specific to that processing use case. Controllers are also required to conduct a data protection assessment when processing sensitive data.
Consumer Rights
The following privacy rights are afforded to consumers under Montana’s Consumer Data Privacy Act:
Controllers have 45 days to respond to a consumer request. This period can be extended by an additional 45 days if “reasonably necessary” given the number and complexity of the requests; if the response period is extended, the controller must inform the consumer of the extension within the initial 45-day period.
Additionally, the law states that consumer requests must be fulfilled free of charge once every 12 months. Where multiple requests are deemed “unfounded, excessive, technically infeasible, or repetitive”, controllers have the right to charge consumers a reasonable fee to cover the administrative cost of fulfilling them, or to decline such requests.
Sale of Personal Data
The sale of personal data is defined as the “exchange of personal data for monetary or other valuable consideration by the controller to a third party”, similar to the Connecticut Data Privacy Act (CTDPA).
It differs from other privacy laws due to the language around “valuable consideration”, which expands this definition beyond just monetary exchanges for data.
Privacy Notices and Disclosures
Montana’s Consumer Data Privacy Act states that privacy notices must be “reasonably accessible, clear, and meaningful”, and must answer the following questions about your business:
Data Protection Assessments (DPA)
Data controllers are required to conduct a DPA when carrying out activities that present “a heightened risk of harm” to consumers. These include the following:
What does this mean for your organization?
Montana’s Consumer Data Privacy Act is currently set to go into effect on October 1, 2024, pending signature from the Governor’s office, meaning organizations that are required to comply with the law have over a year to get acquainted with its provisions and add it to their US privacy compliance checklist.
How can OneTrust help with compliance?
OneTrust can help your organization introduce the right business workflows and data policies to keep you compliant with all applicable privacy regulations. For more information on what you can do to stay on top of the US privacy landscape, take a look at how to operationalize privacy compliance with OneTrust Privacy Management. Request a demo to see what works for your business today.