Montana became the ninth state to pass comprehensive data privacy legislation—and the first Republican-controlled legislature to pass a data privacy bill with a universal opt-out mechanism—back in April 2023. Senate Bill 384 (“Montana Consumer Data Privacy Act”) was signed into law on May 19, 2023, and came into force on October 1, 2024.
The MTCDPA is part of a broader trend of state data privacy laws being enacted across the U.S. It includes provisions for sensitive data, such as biometric data, requiring explicit consumer consent for its processing.
While businesses have had nearly a year and a half to prepare for the MTCDPA, they might have to take some extra steps to comply with the law, considered one of the strongest of its kind passed to date—and not just because of the universal opt-out mechanism.
Learn more about what sets Montana’s privacy law apart from other states and what businesses should be doing to comply.
Overview of the MTCDPA
The Montana Consumer Data Privacy Act (MTCDPA) is a comprehensive state data privacy law designed to protect the personal data of Montana residents.
Signed into law on May 19, 2023, it came into force on October 1, 2024, and marks a significant step in safeguarding consumer privacy. The law applies to businesses that conduct operations in Montana or offer products or services targeted at Montana consumers. By imposing various obligations on controllers and processors of personal data, the MTCDPA aims to ensure that personal data is handled with the utmost care and transparency.
What is the Montana Consumer Data Privacy Act?
Privacy is a bedrock of Montana law. The state’s Constitution, rewritten in 1972, provides for an individual right to privacy. According to the Montana Constitution, that right is not to be infringed without the showing of a compelling state interest.
With the passage of the MTCDPA, a privacy standard now applies to businesses and how they handle Montanans’ personal information. The goal of the legislation is laid out in its opening paragraph. The MTCDPA intends to:
- Provide rights related to the consumer's personal data
- Establish requirements for companies that control and process personal data
- Set requirements and limitations for processing personal data
- Provide data protection assessments
- Exempt certain data and organizations from data privacy protections
- Create mechanisms for enforcing the law
In short, the MTCDPA requires covered businesses to comply with transparency and disclosure obligations and gives consumers rights related to how organizations collect, use, and sell their data. Businesses that don’t comply with consumer rights under the MTCDPA can face investigations and penalties.
At the time the law was passed, law firm Husch Blackwell called it one of the strongest consumer data privacy laws in the country, alongside California, Colorado, and Connecticut.
Politico calls the Montana law “the strongest privacy law among red states.” But it almost didn’t turn out that way.
Tech company lobbyist groups reportedly tried to get Senator Daniel Zolnikov, who sponsored the bill, to follow the more business-friendly approach adopted in Republican-led states like Utah and Virginia. However, Zolnikov resisted their efforts to water down the bill, and Montana ended up with a law modeled on the one passed in Connecticut, which is considered more consumer-friendly.
Notably, the Montana law has a universal opt-out mechanism that lets consumers automatically opt out of online data collection using a browser extension, such as Global Privacy Control, which makes it more difficult for companies to gather and sell consumer data. Montana is the only Republican state to pass a bill that allows consumers to use a universal opt-out mechanism.
“So if you get that extension in your browser, then you can opt out of being tracked by everybody. And that is only passed in a few states (...) I know there's been eight or nine states that have done [data privacy laws], but no Republican state has put that into their law and no Republican state has passed a law this strong. This is very exciting that this thing got passed.”
Daniel Zolnikov, Montana State Senator (Source: The Record)
While the general provisions of the MTCDPA came into force on October 1, 2024, the universal opt-out mechanism provision goes into effect on January 1, 2025.
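As an added illustration of how a controller recognises the universal opt-out signal described above (example code, not from the article or from Didomi): a Node.js helper that checks the Global Privacy Control request header and records the resulting opt-out decision. The header name and value and the well-known file come from the GPC specification, the January 1, 2025 date from the article; the function names, the purposes treated as covered (targeted advertising and sale) and the sample requests are assumptions.

```javascript
// Added example, not code from the article or from Didomi: a Node.js helper that
// honours the Global Privacy Control (GPC) signal as an MTCDPA universal opt-out.
// Facts used: GPC is sent as the HTTP request header "Sec-GPC: 1" (the only value
// the GPC spec defines) and a site may publish /.well-known/gpc.json to state that
// it honours the signal. The January 1, 2025 date comes from the article.
// Assumptions: the function names, the purposes treated as covered (targeted
// advertising and sale of personal data) and the sample requests are constructed.

const UOOM_REQUIRED_FROM = new Date('2025-01-01T00:00:00Z');

// True only when Sec-GPC is present with the spec-defined value "1".
// Header names are case-insensitive, so normalise before looking the header up.
function hasGpcSignal(headers) {
  const lowered = {};
  for (const [name, value] of Object.entries(headers)) {
    lowered[name.toLowerCase()] = value;
  }
  const value = lowered['sec-gpc'];
  return value !== undefined && String(value).trim() === '1';
}

// Decide how a request may be processed. The signal is honoured whenever it is
// present; `requiredByMtcdpa` only records whether the statutory deadline has
// passed. `now` is injectable so the date rule can be tested.
function evaluateOptOut(headers, now = new Date()) {
  const gpcSignal = hasGpcSignal(headers);
  return {
    gpcSignal,
    requiredByMtcdpa: now >= UOOM_REQUIRED_FROM,
    // Purposes the opt-out signal switches off (assumed scope, see lead-in).
    targetedAdvertising: !gpcSignal,
    saleOfPersonalData: !gpcSignal,
    // Opt-out requests need no identity verification under the MTCDPA,
    // so the signal is honoured without challenging the consumer.
    verificationRequired: false,
  };
}

// Body for GET /.well-known/gpc.json: the site's public statement that it
// honours GPC. lastUpdate is an ISO 8601 date string.
function gpcWellKnown(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample requests: one from a browser with GPC enabled, one without.
const sampleWithGpc = { Host: 'shop.example', 'Sec-GPC': '1', Accept: 'text/html' };
const sampleWithoutGpc = { Host: 'shop.example', Accept: 'text/html' };

console.log(evaluateOptOut(sampleWithGpc, new Date('2025-02-01T00:00:00Z')));
// targetedAdvertising: false, saleOfPersonalData: false, requiredByMtcdpa: true
console.log(evaluateOptOut(sampleWithoutGpc, new Date('2024-11-15T00:00:00Z')));
// targetedAdvertising: true, saleOfPersonalData: true, requiredByMtcdpa: false
console.log(JSON.stringify(gpcWellKnown('2025-01-01')));
```

The same decision should be applied to the browser-side `navigator.globalPrivacyControl` property where ad or analytics tags are loaded client-side, so that both channels see one consistent opt-out state.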
{{learn-more-global-privacy-control-gpc}}
Scope and Application
The MTCDPA applies to personal data collected from individuals who are residents of Montana, with specific exclusions to ensure clarity and focus.
Notably, the law excludes personal data collected or processed from individuals acting in an employment or commercial context, as well as data processed solely for completing payment transactions. Additionally, the MTCDPA provides exemptions for state political subdivisions or entities, nonprofit organizations, institutions of higher education, and any information or data regulated by other specific privacy laws.
This targeted approach ensures that the law addresses the most relevant and impactful areas of personal data protection.
Does the Montana privacy law apply to you?
One of the notable aspects of the MTCDPA is that it has a lower applicability threshold than the data privacy laws of other states. The law applies to companies that:
- Conduct business in Montana or produce products or services that target Montana residents; and:
- Control or process the personal data of at least 50,000 Montana residents (excluding payment transaction data); or
- Control or process the personal data of at least 25,000 Montana residents and derive over 25% of gross revenue from personal data sales.
Husch Blackwell writes that Montana’s 50,000-consumer threshold was lowered from 100,000 in a House committee amendment and likely reflects the state’s relatively small population of 1.1 million. A 100,000-consumer threshold would have amounted to around 9% of the population in Montana, a much higher percentage than in other states.
In addition to a lower applicability threshold, the MTCDPA has entity-level exemptions that apply to:
- Government agencies
- Nonprofits
- Higher education institutions
- Entities regulated by the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act (HIPAA)
- National securities associations registered under 15 U.S.C. 78o-3 of the federal Securities Exchange Act of 1934.
Am I a controller or a processor under the MTCDPA?
“Controllers” and “processors” have technical definitions in the MTCDPA.
- A “controller” is an individual or entity that, alone or with others, determines the purpose and means of processing personal data. Personal data refers to any information linked to an identified or identifiable individual.
- A “processor” is an individual or legal entity that processes personal data on behalf of a controller. Service providers generally meet the definition of data processors.
If you’re not sure of the difference, here is a more detailed explanation:
- An e-commerce company that collects customer data during the purchase process, such as names, addresses, and payment details, is the data controller because it determines how and why the data will be processed.
- A data processor is an organization, agency, or person that acts on behalf of a data controller. Data processors include companies like cloud providers, outside agencies, and service providers that have access to personal data.
- For example, a health club that provides a printing company with member names and addresses to send invitations to an event is the data controller, and the printing company is the data processor. The club determines the purpose and means of the data processing, while the printing company processes the data.
Data controllers and processors, as defined in the MTCDPA, are required to enter into contracts that govern how a service provider processes consumer data on behalf of a controller.
The contract must address instructions for processing data, the type(s) of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract must also allow the controller to assess the processor’s compliance with data protection measures and require processors to ensure any subcontractors they use adhere to the same standards.
What rights do consumers have under the MTCDPA regarding sensitive data?
The MTCDPA grants consumers these rights regarding their personal data:
- Right to Access: Individuals have the right to confirm whether a controller is processing their personal data and access that data (unless doing so would require the controller to reveal a trade secret).
- Right to Correct: Consumers can correct any inaccuracies in their personal data.
- Right to Deletion: Individuals can request the deletion of their personal data. This includes all personal data the controller has about the consumer, and not just data that the controller collected directly from the consumer.
- Right to Opt-Out: Montana residents have the right to opt out of data collection and processing activities that are done for the purposes of targeted advertising, the sale of their personal data, or profiling. This includes prohibiting businesses from selling personal data without consumer consent.
- Right to Data Portability: Consumers can obtain a copy of their data in a portable format, allowing them to transfer it elsewhere.
Montanans must be able to exercise these rights “by a secure and reliable means established by the controller and described to the consumer in the controller’s privacy notice,” the legislation states. That privacy notice must be “reasonably accessible, clear and meaningful” and include the following information:
- The categories of personal data processed by the controller
- The purpose for processing personal data
- The type(s) of personal data the controller shares with third parties
- The type(s) of third parties the controller shares personal data with
- An email address or another way for the consumer to contact the controller; and
- How consumers can exercise their data rights, including how to appeal a controller’s decision about a consumer’s request.
Within the privacy notice, controllers must also establish and describe one or more “secure and reliable means” for consumers to submit a request to exercise their rights. The controller is not allowed to require a consumer to create a new account for this purpose.
Controllers have 45 days to respond to a consumer rights request. This deadline may be extended by an additional 45 days “when reasonably necessary” as long as the consumer is notified of the extension and the reason for the extension within the initial 45-day response period.
If the controller denies a consumer’s request, the controller must explain why and give instructions for filing an appeal that are “conspicuously available” and similar to the process for submitting consumer rights requests.
Within sixty (60) days of receiving an appeal request, a controller must inform the consumer of any action taken or not taken in response to the appeal. If the appeal is denied, the controller must provide the consumer with an online mechanism or other way to contact the Montana Attorney General to submit a complaint.
Handling Data Subject Access Requests (DSARs) effectively is crucial for MTCDPA compliance. To learn more about DSARs and how to handle them, check out our full guide:
{{learn-everything-you-need-to-know-about-dsar}}
What else should companies know about the Montana data privacy law and data protection assessments?
Since the Montana law is modeled on the Connecticut Data Privacy Act, businesses that already comply with the Connecticut law should have a solid platform for adapting their existing data privacy compliance program to the MTCDPA.
However, the Montana data privacy law has some provisions that set it apart from other state privacy laws and need to be accounted for in a compliance strategy.
For example, tech companies wanted Montana to narrow the definition of what counts as “selling” user data. In the bill's final version, legislators defined the “sale of personal data” as "the exchange of personal data for monetary or other valuable consideration by the controller to a third party."
The broader the definition of what counts as “selling” user data, the harder it is for companies to trade in user information. Unlike some states that require strictly monetary compensation to qualify as a sale, the MTCDPA takes the view that a company is “selling” a consumer's personal data to another company when it exchanges it for something of value and not just when it charges a dollar amount for the data.
Montana’s relatively broad interpretation of what constitutes a “sale” means businesses must evaluate a wider range of data-sharing activities to determine if they meet the statutory definition of a “sale” in the MTCDPA. It also shows how the fine print of state privacy laws can be challenging to interpret and may complicate a company’s compliance strategy.
Here are some other finer points from the fine print of the MTCDPA that companies need to pay attention to:
- Added child protections: Montana’s law has privacy protections for children similar to those found in the California and Connecticut laws, aligning with the Children’s Online Privacy Protection Act (COPPA). Controllers are prohibited from processing a consumer's personal data for targeted advertising purposes or selling the consumer’s personal data without their consent when the controller has actual knowledge that the consumer is between the ages of 13 and 15.
- Opt-out requests do not require verification: The MTCDPA does not require opt-out requests to be verified. In other words, a company can't demand additional proof of identity before processing an opt-out request from a consumer. A company may deny a request if it has a "good faith, reasonable, and documented belief" that the request is fraudulent, and it must inform the consumer of this reason for denial.
- Right to cure sunset: Another area where Montana legislators fought to implement stronger consumer protections is the time companies have to resolve privacy violations before the state can commence enforcement actions—a provision known as the “right to cure” an alleged violation. Montana provides a 60-day cure period for controllers to address violations—but the cure only applies until April 1, 2026. Montana was the first Republican-controlled legislature to pass a privacy bill with a sunsetting right to cure.
- Pseudonymous data: The MTCDPA contains provisions about pseudonymous data, which was another sticking point in drafting the legislation. Pseudonymous data “cannot be attributed to a specific individual without the use of additional information.” Some consumer rights do not apply to the pseudonymous data of Montana residents if the controller shows that any additional information necessary to identify the consumer is kept separately and subject to effective technical and organizational measures that prevent the controller from accessing such information. This categorization allows companies to continue to use pseudonymous data in specific ways without it being directly identifiable, offering flexibility for companies while protecting consumer identities.
- Sensitive data handling: The MTCDPA places stringent requirements on the handling of sensitive data, a category that includes "personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship status, or genetic or biometric data for the purpose of uniquely identifying an individual". Businesses must obtain explicit consumer consent (i.e., consumers must “opt-in”) before processing such data.
- Data minimization and security: Montana mandates that companies limit the collection of personal data to what is “adequate, relevant, and reasonably necessary” in relation to the purpose for which the data is being processed and to implement data security measures that are “appropriate to the volume and nature of the personal data” that is processed.
- Data protection assessment: A controller must conduct a data protection impact assessment on the processing of personal data that presents a “heightened risk of harm to a consumer.” Data processing that falls into this category includes targeted advertising, the sale of personal data, the processing of sensitive data, and profiling that presents a foreseeable risk of consumer harm.
- Dark patterns: Like California’s and Colorado's privacy laws, the MTCDPA prohibits the use of "dark patterns" in obtaining consumer consent.
MTCDPA enforcement and penalties
Montana does not give consumers a private right of action. The MTCDPA places enforcement power in the hands of the Montana Attorney General, whose office can investigate potential violations and levy fines. Note that the Attorney General must provide controllers with a 60-day written notice of violation before initiating an action.
Montana is once again an outlier in data privacy law in that it does not give an exact penalty amount for violations of the MTCDPA.
How Didomi can help companies comply with Montana’s privacy law
The MTCDPA features dual compliance dates: October 1, 2024, for general provisions and January 1, 2025, for universal opt-out mechanisms.
This article outlines the basic rules of the Montana Consumer Data Privacy Act, a legal document that runs to 24 pages and is packed with legalese, not written with businesses in mind.
Given the lower applicability threshold found in the Montana privacy law, it could impact businesses that do not have to comply with data privacy laws in other states. Montana has several more provisions that set it apart from different states and could necessitate changes to an existing compliance strategy.
The year 2024 matched 2023 with seven new comprehensive privacy laws enacted. But, as IAPP notes in its 2024 report on state privacy laws, the laws passed this year are less uniform than in past years and have qualitative differences compared to their predecessors. According to IAPP, the seven bills enacted in 2024 address privacy harms in unique ways that “present new compliance challenges for privacy professionals to overcome.”
Companies can overcome these challenges and turn them into business opportunities using a multi-regulation Consent Management Platform (CMP) that covers privacy laws and regimes in the U.S. and worldwide. Spend less time on consumer compliance and more time on customer success.
Get in touch with the Didomi team to learn more, and learn about other U.S. states in our comprehensive guide:
{{learn-more-about-data-privacy-in-the-us}}
Frequently Asked Questions (FAQ)
When does the Montana Consumer Data Privacy Act go into effect?
The MTCDPA's general provisions came into force on October 1, 2024. However, businesses have until January 1, 2025, to comply with the universal opt-out mechanism requirements.
Does my business need to comply with the MTCDPA?
Your business needs to comply if it conducts business in Montana or targets Montana residents AND either:
- Controls/processes personal data of 50,000+ Montana residents (excluding payment transaction data), or
- Controls/processes personal data of 25,000+ Montana residents and derives over 25% of gross revenue from personal data sales.
What is considered "sensitive data" under the MTCDPA?
Sensitive data includes personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship status, or genetic or biometric data for uniquely identifying an individual. It also includes personal data pertaining to known children.
How long does my business have to respond to consumer rights requests?
Businesses have 45 days to respond to consumer rights requests, with the possibility of a 45-day extension if reasonably necessary and the consumer is notified.
What happens if my business violates the MTCDPA?
The Montana Attorney General enforces the law and can investigate violations and levy fines. Before any enforcement action, they must provide controllers with a 60-day written notice of violation.
Do I need explicit consent to process sensitive data?
Yes, controllers must obtain explicit opt-in consent from consumers before collecting and processing sensitive personal data.
Do I need to recognize Global Privacy Control (GPC)?
Yes, by January 1, 2025, controllers must recognize and process opt-out requests submitted via universal opt-out mechanisms like GPC.
Are there exemptions to the MTCDPA?
Yes, exemptions apply to government agencies, nonprofits, higher education institutions, and entities regulated by GLBA or HIPAA, among others.