Montana has joined the growing list of consumer data privacy laws enacted throughout the country, creating new guidelines for consumer data privacy. Minnesota, Rhode Island, Connecticut, and other states enacted similar data privacy laws earlier this year.
The Montana Consumer Data Privacy Act (MCDPA) goes into effect on October 1, 2024. This article covers a few key factors for employers to consider.
What employers need to know
The Act is intended to give consumers more control and privacy over their personal data by regulating businesses across the state. Although this is a positive step for protecting consumer data and privacy in Montana, it comes with new regulations aimed at employers in the state. The MCDPA applies to entities that:
- Conduct business in Montana or produce products or services targeting Montana residents.
- Control or process the personal data of more than 50,000 consumers, excluding data processed solely for payment transactions.
- Control or process the personal data of more than 25,000 consumers and derive over 25% of their gross revenue from the sale of personal data.
Consumer Rights
Montana consumers are granted several rights under the MCDPA:
- Confirmation of Data Processing: Consumers can confirm if their data is being processed unless it violates trade secrets.
- Correction of Data: Consumers can correct inaccuracies in their personal data.
- Deletion of Data: Consumers have the right to delete their personal data.
- Access to Data: Consumers can request a copy of their personal data under certain circumstances.
- Opt-Out Rights: Consumers can opt out of the sale of their personal data, targeted advertising, or profiling for automated decision-making with significant impacts.
- Authorized Agents: Consumers can designate an authorized agent to submit opt-out requests on their behalf.
- Appeals: Consumers can appeal a controller’s refusal to act on a request within a reasonable timeframe.
Controller Obligations
Controllers include employers and businesses responsible for processing personal data. Below is an overview of regulations to which controllers must adhere:
- Data Collection and Processing: Limit data collection and process data only for disclosed purposes unless consumer consent is obtained.
- Data Security: Maintain administrative, technical, and physical data security practices.
- Assessing Data Protection: Conduct assessments for targeted advertising, sale of personal data, and high-risk profiling.
- Disclosure: Clearly disclose the sale of personal data or processing for targeted advertising.
- Consent for Sensitive Data: Obtain consumer consent before processing sensitive data.
- Opt-Out Mechanism: Provide an easy-to-use opt-out mechanism comparable to the consent mechanism.
- Universal Opt-Out: By January 1, 2025, allow consumers to opt out of targeted advertising or data sales through a universal mechanism.
- Privacy Notices: Post privacy notices with specific content requirements.
- Response to Requests: Respond to consumer data requests within 45 days, with a possible 45-day extension.
- Notification of Declines: Inform consumers within the same 45-day period if a request is declined.
- Authentication: Respond to authenticated requests or notify consumers if more information is needed for authentication.
- Appeals: Respond to consumer appeals within 60 days.
- Contracts with Processors: Enter into contracts with specific terms regulating data processing.
- Children’s Privacy: Comply with the Children’s Online Privacy Protection Act of 1998.
Employers have until January 1, 2025, to comply with the deadline for universal opt-out mechanisms and new regulations under the law. Take a closer look here to read the full details of Montana’s Data Privacy Act.
Expanding data privacy laws across the country
The MCDPA is one of the latest laws geared toward data and consumer privacy protection. As the topic of data privacy continues to stay in the spotlight, understanding and complying with data privacy regulations in the states where you operate or hire is essential to protecting consumer data, maintaining trust with employees and consumers, and remaining legally compliant.
With an uptick in data privacy laws seen in 2023 and 2024 following the Executive Order to Protect Sensitive Bulk Data, it is probable that more state-wide data privacy laws may be implemented in the near future. Employers who hire, operate, and target consumer data in Montana or other states with similar data privacy laws should consult their legal counsel to ensure compliance and determine how new data privacy laws apply to them