On May 19, Montana Gov. Greg Gianforte signed Senate Bill 384, the Consumer Data Privacy Act. Montana joins California, Colorado, Connecticut, Indiana, Iowa, Tennessee, Utah, and Virginia in enacting a comprehensive consumer privacy law. The law is scheduled to take effect on Oct. 1, 2024.
The law applies to a person or company that conducts business in Montana and:
- Controls or processes the personal data of not less than 50,000 consumers (defined as Montana residents), excluding data controlled or processed solely to complete a payment transaction.
- Controls and processes the personal data of not less than 25,000 consumers and derives more than 25 percent of gross revenue from the sale of personal data.
Covered persons are referred to as controllers.
The following entities are exempt from coverage under the law:
- Any authority, board, bureau, commission, district, or agency of the state or any political subdivision of the state.
- Nonprofit organizations.
- Institutions of higher education.
- National securities associations that are registered under 15 U.S.C. 78o-3 of the federal Securities Exchange Act of 1934.
- Financial institutions or affiliates of a financial institution governed by Title V of the Gramm-Leach-Bliley Act.
- Covered entities or business associates as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act (HIPAA).
The statute protects personal data, defined as information that is linked or reasonably linkable to an identified or identifiable individual. There are several exemptions to protected personal data, including for data protected under HIPAA and other federal statutes.
Under the law, a protected consumer is defined as an individual who resides in the state of Montana.
However, the term consumer does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency.
Under the new law, consumers have the right to:
- Confirm whether a controller is processing the consumer’s personal data.
- Access personal data processed by a controller.
- Delete personal data.
- Obtain a copy of personal data previously provided to a controller.
- Opt out of the processing of the consumer’s personal data for the purpose of targeted advertising, sales of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
What obligations do businesses have?
The controller shall comply with requests by a consumer set forth in the statute without undue delay, but no later than 45 days after receipt of the request. If a controller declines to act regarding a consumer’s request, the business shall inform the consumer without undue delay, but no later than 45 days after receipt of the request, of the reason for declining.
The controller shall also conduct and document a data protection assessment for each of its processing activities that presents a heightened risk of harm to a consumer.
Under the statute, the state attorney general has exclusive authority to enforce violations of the statute. There is no private right of action under Montana’s statute.
Jason C. Gavejian and Joseph J. Lazzarotti are attorneys with Jackson Lewis in Berkeley Heights, N.J. © 2023. All rights reserved. Reprinted with permission.