On April 21, the Montana legislature unanimously passed the Montana Consumer Data Privacy Act (MCDPA) (SB 384), joining several states with general consumer data privacy bills. The MCDPA most closely aligns with the Connecticut Data Privacy Act (CTDPA), which is generally considered one of the more consumer-friendly of the general privacy laws. The MCDPA is headed to Montana Governor Greg Gianforte for signature. If signed, Montana will become the eighth or ninth state with a comprehensive consumer data privacy law, subject to the signing of a similar law in Tennessee. The MCDPA is set to go into effect on October 1, 2024.

Compared to similar laws now in effect in seven states, the MCDPA is fairly consumer-friendly, most notably in covering a larger percentage of businesses (termed controllers), adding children’s privacy provisions and broad consumer rights for things like consent revocation and data deletion, requiring recognition of universal opt-out mechanisms (UOOMs), and sunsetting the right to cure violations of the law. Each of these provisions is discussed in more detail below.

Smaller Population, Lower Applicability Threshold

Given Montana’s smaller population (1.1 million) compared to most other states (and, particularly, those states that have passed comprehensive data privacy laws—which range from 3 million to nearly 40 million), the MCDPA lowers the typical applicability threshold from 100,000 to only 50,000 (and even further to 25,000 if the controller derives over 25% of its gross revenue from the sale of personal data). This means that the MCDPA will only apply to controllers that produce products or services targeted to Montana residents and that process or control the personal data of 50,000 or more Montana residents (or approximately 9% of the state’s population), excluding personal data controlled or processed solely to complete a payment transaction.

Broad Data “Sales” Definition

Similar to the definition adopted in California, Colorado, and Connecticut, the MCDPA defines the sale of personal data as encompassing transfers for both monetary and “other valuable consideration,” which means that more activities will fall under the scope of the “sale” of personal data and permit consumers to opt out of those sales.

Children’s Privacy Additions

Following in California and Connecticut’s footsteps, the MCDPA includes additional privacy protections for children between the ages of 13 and 15. If a controller has actual knowledge that a consumer is at least 13 years old but younger than 16 years old, the controller cannot process that consumer’s personal data for purposes of targeted advertising or the sale of personal data without the consumer’s consent (which may be exercised by the parent or legal guardian of the child). Additionally, the personal data of a child under the age of 13 is included in the definition of “sensitive data.” Lastly, if a controller or its service provider (termed a processor) is in compliance with the verifiable parental consent requirements of the Children’s Online Privacy Protection Act of 1998 (COPPA), they are considered compliant with any obligations under the MCDPA to obtain parental consent.

Broad Consumer-Friendly Data Rights: Consent Revocation, Data Deletion, Opt-Out Request Verification, and UOOMs

Under the MCDPA, consumers are given a broad range of rights to their personal data. Notably, Montana is only the second state statutorily (after Connecticut) and third state generally (after Colorado did so through the rulemaking process), to provide consumers with the right to revoke consent to the processing of their personal data. Consumers also can request the deletion of their personal data in the controller’s possession (as opposed to just data that the controller directly collected from the consumer). Further, opt-out requests for the sale of personal data, targeted advertising, or certain types of profiling must be honored, even if controllers are unable to authenticate the request. This means that controllers cannot ignore opt-out requests, even if they are unable to confirm the identity of the resident requesting the opt-out unless the controller has a good faith, reasonable and documented belief that the request is fraudulent.

Starting January 1, 2025, the MCDPA will require controllers to recognize UOOMs to effectuate opt-out requests for the sale of personal data and targeted advertising, meaning that individuals will be able to automatically opt out of such activities through their browser settings. This provision aligns closely with that of the CTDPA. Further, for processing activities created or generated after January 1, 2025, controllers must comply with data protection assessment requirements.

Enforcement and Temporary Second Chances

The MCDPA does not provide for a private right of action and is only enforceable by the Montana Attorney General’s (AG) office. It does, however, require the AG’s office to provide a controller with a notice of violation and an opportunity to cure, but only until April 1, 2026, when that right to cure sunsets.

Important Dates

  • October 1, 2024: MCDPA goes into effect.
  • January 1, 2025: Controllers must recognize UOOMs and comply with data protection assessment requirements.
  • April 1, 2026: Right to cure sunsets.

Our team will continue to monitor the MCDPA. If you have any questions about the MCDPA or similar state laws and how they could affect your business, please contact the authors.