Montana’s Consumer Data Privacy Act

What You Need to Know About Montana’s Privacy Law

Does the Montana Privacy Law Apply to You?

Does your business:

(1) conduct business or target consumers in Montana, and

(2) process or control:

a. personal data about at least 50,000 Montana consumers (excluding data used solely for purposes of completing a payment transaction) OR

b. personal data about at least 25,000 Montana consumers and derive more than 25% of gross revenue from the sale of personal data; and

(3) not fall under the umbrella of governmental agencies, non-profits, institutions of higher education, or entities covered by HIPAA or the Gramm-Leach-Bliley Act?

If you answered YES to these questions, the MCDPA applies to your business!

To Whom and What Does Montana’s Law NOT Apply?

Exempt Entities: MCDPA does not apply to governmental agencies, non-profits, institutions of higher education, and others, including entities covered by the Gramm-Leach-Bliley Act or HIPAA.

Context: MCDPA does not apply to individuals acting in a commercial or employment context.

Exempt Data: Data covered by HIPAA, the Common Rule, the Driver’s Privacy Protection Act, FERPA, the Fair Credit Reporting Act, the Farm Credit Act, and certain other laws are exempt from the MCDPA.

What Do You Need to Do?
  • Provide consumers with an accurate and up-to-date privacy notice that reflects the business’s privacy practices and consumer rights.
  • Assess and, if necessary, obtain consent for processing sensitive personal information.
  • Establish processes to respond to consumer rights requests effectively.
  • Conduct data protection assessments for certain types of data processing activities.
  • Ensure vendor (processor) contracts align with MCDPA requirements.

Key Components of the MCDPA

What Constitutes Sensitive Data?

Like many of the recently enacted state privacy laws, Montana defines sensitive data broadly. It starts with the usual elements, such as:

  • racial or ethnic origin
  • religious beliefs
  • information about a person’s sex life or orientation
  • genetic and biometric data

Montana adds:

  • mental or physical health diagnosis
  • citizenship and immigration status
  • precise geolocation data
  • personal data collected from a known child

What Constitutes Sale of Personal Data?

Montana follows the lead of California, Colorado, and Connecticut in defining ‘sale’ to include exchange for money or other valuable consideration. Notably, this definition includes most targeted advertising activities! If your company sells personal data, you will need to provide consumers with a right to opt out of that sale just as you do for California, Virginia, Colorado, and Connecticut, as well as targeted advertising and profiling activities.

Individual Consumer Rights Under the MCDPA

The individual rights created under MCDPA align well with those provided under other state laws. If MCDPA applies to your business, you must allow consumers to:

  • Confirm whether your business is processing personal data about them and, if so, access it
  • Correct data about them
  • Delete personal data about them
  • Obtain a copy of personal data they provided (data portability)
  • Opt-out of targeted advertising, the sale of personal data, and profiling

Unless a business cannot authenticate a request, it must respond within 45 days of receipt of the request, with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge at least once per year. If the business declines to take a requested action, it must provide the consumer with written notification and instructions for appeal.

The appeal process must be conspicuously available to the consumer and similar to the process for submitting requests. Businesses must respond to appeals within 60 days of receipt and, if denying an appeal, must allow consumers to submit a complaint via an online mechanism (if available) or another method for contacting the Montana State Attorney General.

Pseudonymous Data and Individual Rights

Like the privacy law in Virginia and some other states, the MCDPA does not require a business to include pseudonymous data in its response to Individual Rights Requests, provided the business can demonstrate that the information needed to identify the consumer is kept separately and subject to effective controls.

The MCDPA defines “pseudonymous data” as “personal data that cannot be attributed to a specific individual without the use of additional information, provided the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.”

Pseudonymous data is often used in clinical trials, where each trial participant is assigned a unique random ID. Only the physician and other medical staff know the identity of the participants; other entities participating in the research (including the sponsor/manufacturing company, labs, and other supporting entities) have only the participant ID connected to the study data.

Can Pseudonymous Data Help My Company?

Other types of organizations may want to consider whether they can store customer data in a pseudonymized way, especially those that already assign identifiers through, for example, loyalty or participation rewards programs such as frequent flier/renter/buyer/guest numbers, membership IDs (like insurance companies, libraries, and fitness centers), or a player ID (for online and mobile games).

By separating identifying data (like contact information and payment details) from other information (company-specific identifiers, transactional history, profile information, etc.), a company may be able to decrease its burden in responding to Individual Rights Requests by limiting the data and databases to which the requests must be applied.
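The record-splitting design described above, as an added example that is not part of the original page: identity data (name, email, payment details) lives in a separate vault keyed by a random pseudonym, the operational store carries only the pseudonym, and a rights request is resolved on the vault side only. The example also shows why the pseudonym must be random rather than an unkeyed hash of the email, since a hash of an identifier can be re-linked offline from a candidate list. The class and function names and the sample customers are constructed for illustration; whether a given deployment meets the statute's "appropriate technical and organizational measures" is a separate judgment the code does not make.

```python
"""Pseudonymization by record splitting (added illustration, not from the page)."""
import hashlib
import secrets
from typing import Optional

# Constructed sample input; these are not real people.
SAMPLE_CUSTOMERS = [
    {"email": "ada@example.com", "name": "Ada Example", "card_last4": "4242"},
    {"email": "bob@example.com", "name": "Bob Sample", "card_last4": "1111"},
]


def new_pseudonym() -> str:
    """A random 128-bit identifier; it carries no information about the person."""
    return secrets.token_hex(16)


class PseudonymizedStore:
    """Two stores: the identity vault (name, email, payment data) and the
    operational records (loyalty events, purchase history) that carry only the
    pseudonym. The vault is the 'additional information' in the MCDPA
    definition, so it is the part to keep separate and access-controlled."""

    def __init__(self) -> None:
        self.vault: dict[str, dict] = {}        # pseudonym -> identifying data
        self.email_index: dict[str, str] = {}   # normalised email -> pseudonym (vault side)
        self.records: dict[str, list] = {}      # pseudonym -> non-identifying events

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    def enroll(self, email: str, name: str, card_last4: str) -> str:
        pid = new_pseudonym()
        self.vault[pid] = {"email": email, "name": name, "card_last4": card_last4}
        self.email_index[self._norm(email)] = pid
        self.records[pid] = []
        return pid

    def record_event(self, pid: str, event: dict) -> None:
        # Operational systems see only the pseudonym, never the vault row.
        self.records[pid].append(event)

    def resolve(self, email: str) -> Optional[str]:
        """Only the vault side can turn a consumer's email into a pseudonym."""
        return self.email_index.get(self._norm(email))

    def access_request(self, email: str) -> Optional[dict]:
        pid = self.resolve(email)
        if pid is None:
            return None
        return {"identity": self.vault[pid], "events": list(self.records[pid])}

    def delete_request(self, email: str) -> bool:
        """Remove the identity and the linked records; False if the request
        cannot be matched to a known consumer."""
        pid = self.resolve(email)
        if pid is None:
            return False
        del self.email_index[self._norm(email)]
        del self.vault[pid]
        del self.records[pid]
        return True


# Anti-pattern: an unkeyed hash of the email is a deterministic function of the
# identifier, so anyone holding a candidate list can re-link it offline.
def weak_pseudonym(email: str) -> str:
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def relink_weak_pseudonym(target: str, candidates: list[str]) -> Optional[str]:
    """Dictionary attack on weak_pseudonym; returns the matching email if any."""
    for email in candidates:
        if weak_pseudonym(email) == target:
            return email
    return None


def demo() -> dict:
    store = PseudonymizedStore()
    ids = {c["email"]: store.enroll(**c) for c in SAMPLE_CUSTOMERS}
    store.record_event(ids["ada@example.com"], {"type": "purchase", "amount": 42.0})
    store.record_event(ids["ada@example.com"], {"type": "purchase", "amount": 7.5})

    # A downstream system holding only `records` has no name or email to show...
    downstream_knows_names = any(
        "email" in e for evs in store.records.values() for e in evs)
    # ...whereas a hashed-email pseudonym re-links from a guessed candidate list.
    guessed = relink_weak_pseudonym(weak_pseudonym("ada@example.com"),
                                    [c["email"] for c in SAMPLE_CUSTOMERS])
    return {
        "ada_event_count": len(store.access_request("ADA@example.com")["events"]),
        "downstream_knows_names": downstream_knows_names,
        "weak_pseudonym_relinked_to": guessed,
        "deleted": store.delete_request("ada@example.com"),
        "after_delete": store.access_request("ada@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

The practical point is in `resolve`: a rights request is matched once, against the vault's index, and every downstream table is keyed by the pseudonym, so the request never has to be re-matched against contact data scattered through transactional systems. The `weak_pseudonym` branch is the check to run on an existing design: if the identifier is SHA-256 of an email or a customer number, it is a lookup table away from the person, not a pseudonym.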

Data Protection Assessments (aka Privacy Impact Assessments)

Like many other state privacy laws, the MCDPA includes a requirement to conduct data protection assessments (commonly called Privacy Impact Assessments). The circumstances under which they must be completed align with the VCDPA and CTDPA. Similarly, the MCDPA allows assessments conducted for compliance with other laws to satisfy the MCDPA requirement if they are “reasonably similar in scope and effect.”

MCDPA requires companies to conduct assessments on activities carried out after January 1, 2025 that present a heightened risk of harm, including:

  • Processing for targeted advertising
  • Selling personal data (remember: this includes exchange for non-monetary value and
    will likely require an Assessment of behavioral advertising activities)
  • Processing for the purposes of profiling, if it presents a “reasonably foreseeable risk” of:
      • Unfair or deceptive treatment or unlawful disparate impact on consumers
      • Financial, physical, or reputational injury to consumers
      • Physical or other intrusion on the solitude or seclusion, or private affairs or concerns, which would be offensive to a reasonable person
      • Other substantial injury
  • Processing sensitive data

If your entity uses AI, consider reviewing how you use it and the effects it creates to determine whether or not an assessment is required.

How Will the MCDPA be Enforced?

Like almost all state data privacy laws, including those of Virginia, Colorado, Connecticut, and Utah, the Attorney General will have the sole enforcement authority, and violations will be treated as an unfair trade practice under the Montana Consumer Protection Act.

  • Enforcement actions may be brought after 60 days’ notice and a cure period; the cure period will expire on April 1, 2026.
  • In any enforcement action, the Attorney General can seek an injunction or restraining order (orders that require the entity to stop engaging in certain activities immediately), as well as civil fines of not more than $10,000 for each violation.
  • If an individual has engaged in fraudulent activity, that person may be fined not more than $5,000, imprisoned for not more than one year, or both, at the discretion of the court.
  • The Consumer Protection Act provides for an additional civil penalty not to exceed $10,000 for each violation if the offending conduct is perpetrated against a person over age 60 or against a developmentally disabled person.

Data Privacy is Just Good Business