<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=5678177&amp;fmt=gif">

    Montana Passes Consumer Data Privacy Bill

    by Alex Margau
    4 min read
    Montana Glacier National Park

    On the 21st of April, Montana became the first Republican-controlled legislature that passed a data privacy bill for the protection of the personal information of consumers, joining the ranks of California, Connecticut and Colorado, with whose data privacy bills it resembles. SB 384, or Montana’s Consumer Data Privacy Act, was passed unanimously and is now awaiting the signature of Governor Greg Gianoforte, who can sign it, veto it or let it become law without its being signed, which means that it would go into effect as of October 1st, 2024. It stands out through the fact that it recognizes universal opt-out mechanisms, provides additional rights and safeguards for the personal information of children, it lowers the threshold for applicability and sunsets the right to cure violations, all of which make it be seen as another comprehensive and strong consumer data privacy bill. 

    Same as CCPA, CPRA or CTDPA, it defines ‘sale’ as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party” with all other definitions being similar to the other data privacy bills passed in the US. 

    One key difference is that Montana’s bill lowers the threshold for applicability stating that the law applies

    “to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and:

    (1) control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

    (2) control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.”

    This is remarkable when considering that across the US all the others have set the threshold to 100,000 consumers, but it is believed that Montana has made this change due to the fact that the state’s population is significantly smaller than that of other states, so with a threshold of 100,000 consumers for a state with around 1.1 million inhabitants, it would entail a percentage of about 9% of the state’s total population. 

    Montana’s bill requires controllers to set up universal opt out mechanisms for data subjects “to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of such personal data through an opt-out preference signal sent with the consumer's consent, to the controller by a platform, technology” which will have to be in place as of January 1, 2025. 

    When it comes to the personal information of children, the law establishes additional safeguards for children between the ages of 13 and 15 years old by stating that controllers are prohibited from processing “the personal data of a consumer for the purposes of targeted advertising or sell the consumer's personal data without the consumer's consent under circumstances in which a controller has actual knowledge that the consumer is at least 13 years of age but younger than 16 years of age.”

    Same as Connecticut, Montana grants consumers the following privacy rights:

    • The right to confirm whether their data is being processed and to access such data;
    • The right to correct inaccurate data;
    • The right to delete their personal data; 
    • The right to obtain a portable copy of their personal data; 
    • The right to “opt out of the processing of the consumer's personal data for the purposes of: (i)  targeted advertising; (ii)  the sale of the consumer's personal data, or
    • (iii)  profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.”

    Controllers have an obligation to respond to requests submitted by consumers no later than 45 days from receipt of the request and may extend this by an additional 45 days “when reasonably necessary, considering the complexity and number of the consumer's requests” and only if the consumer is informed of this extension within the initial 45 days. Other controller obligations include conducting DPIAs, having data processing agreements in place, displaying a privacy policy, implementing reasonable security measures for the protection of the data, and adhering to the principles of purpose limitation and data minimization.

     

    The enforcing authority is the Attorney General who, prior to initiating an investigation, will issue a notice to the controller, allowing them a cure period of 60 days. This cure period is set to sunset as of April 1, 2026. There is no private right of action in the Montana data privacy bill and no mention of the penalties to be incurred for violations of the provisions once the law goes into effect.