Montana Consumer Data Privacy Act
Posted June 4, 2026
The Montana Consumer Data Privacy Act (“MTCDPA”) is Montana’s privacy law that gives Montana residents rights over how their personal data is collected, used, and sold.
History
2023
On May 19, 2023, Montana SB384, the Montana Consumer Data Privacy Act (“MTCDPA”), was signed into law.
2024
MTCDPA went into effect on October 1, 2024.
Amendments
| Bill | Effective Date | Description |
|---|---|---|
| SB 297 | October 1, 2025 | Lowered the applicability thresholds, bringing more businesses under the law. Added protections for minors, including consent before processing the data of a minor under 18 for targeted advertising, sale, or profiling. Required a clearly labeled "Your privacy rights" or "Your opt-out rights" link for sale and targeted-advertising opt-outs. Removed the right-to-cure period and added civil penalties of up to $7,500 per violation. |
Scope
Who
The MTCDPA is intended to protect the personal data of consumers, meaning Montana residents who are not acting as a business or employee.1
The MTCDPA applies to entities that conduct business in Montana or produce products or services that are targeted to residents of Montana and do one or more of the following2:
- control or process personal data of at least 25,000 consumers, or
- control or process personal data of at least 15,000 consumers and derive over 25% of gross revenue from the sale of personal data.
These thresholds set which businesses must follow most of the MTCDPA. Some of its minor-specific duties apply more broadly: the duty of care owed to minors and related obligations apply to any business operating in or targeting Montana, regardless of these thresholds.3
The MTCDPA distinguishes between controllers and processors.4 A controller is an entity that alone, or jointly with others, determines the purposes and means for processing personal data.5 A processor is an entity that processes personal data on behalf of a controller.6
Processing means any operation performed on personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.7
The MTCDPA imposes restrictions and obligations on the relationship between controllers and processors, requiring that processors follow instructions from the controller related to how personal data may be processed.8 Contracts between controllers and processors must include the following9:
- the types of personal data to be processed,
- instructions for processing the personal data,
- the purpose for processing the personal data,
- a duty of confidentiality, meaning the data is protected from disclosure to or access by unauthorized parties,
- an obligation to delete or return personal data upon the controller’s request,
- the ability to demonstrate compliance with the contractual requirements,
- an obligation that any subcontractors of the processor have controls to protect personal data that are at least as protective as the obligations in the agreement between the controller and the processor, and
- the right for the controller to conduct or engage an independent third party to conduct an assessment of the processor’s technical and organizational measures related to the protection of personal data.
What
Personal Data
The MTCDPA regulates how companies can collect, use, and share personal data. “Personal data” means information that is linked or reasonably linkable to an identified or identifiable person, subject to some exceptions.10
Sensitive Data
The MTCDPA provides additional guidance around a subcategory of personal data called sensitive data.11 Sensitive data is treated differently because misuse, loss, or unauthorized disclosure of the data can have a more significant impact on consumers than with other types of personal data. For example, this data can facilitate discrimination, financial loss, identity theft, or reputational damage.
Sensitive data includes12:
- racial or ethnic origin,
- religious beliefs,
- mental or physical health condition or diagnosis,
- sex life,
- sexual orientation,
- citizenship or immigration status,
- genetic or biometric data processed for the purpose of uniquely identifying an individual,
- personal data of children (someone younger than 13 years of age), and
- precise geolocation data (specific location of an individual within 1,750 feet).
Exemptions
Exempt Entities
The MTCDPA does not apply to the following entities13:
- any body, authority, board, bureau, commission, district or agency of Montana or of any political subdivision of Montana,
- nonprofit organizations established to detect and prevent fraudulent acts in connection with insurance,
- higher education institutions,
- national securities associations that are registered under 15 U.S.C. § 78o-3 of the Securities Exchange Act of 1934,
- state or federally chartered banks, credit unions, or their affiliates or subsidiaries that are principally engaged in financial activities under 12 U.S.C. § 1843(k),
- covered entities or business associates as defined in the Health Insurance Portability and Accountability Act (HIPAA),
- insurers and insurance producers as defined in Montana Code Title 33, third party administrators of self-insurance, or their affiliates or subsidiaries that are primarily engaged in financial activities as described in 12 U.S.C. § 1843(k),
Exempt Data
The following types of data are exempt from the MTCDPA14:
- Protected Health Information under the Health Insurance Portability and Accountability Act (HIPAA),
- patient identifying information for the purposes of 42 U.S.C. § 290dd-2, which covers confidentiality of records related to substance abuse and mental health services,
- identifiable private information for purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46, which governs research involving human subjects,
- identifiable private information that is collected as part of human subjects research pursuant to the “Good Clinical Practice” guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use or for the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56, which govern research involving human subjects,
- information and documents created for purposes of the Health Care Quality Improvement Act of 1986 (42 U.S.C. § 11101 et seq.),
- patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act (42 U.S.C. § 299b-21 et seq.),
- information used for public health activities and purposes as authorized by HIPAA,
- collection, maintenance, disclosure, sale, communication, or use of personal data bearing on a consumer's credit worthiness to the extent that such activity is regulated by and authorized under the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.),
- personal data collected, processed, sold, or disclosed in compliance with the federal Driver's Privacy Protection Act of 1994 (18 U.S.C. § 2721 et seq.),
- personal data regulated by the federal Family Educational Rights and Privacy Act (20 U.S.C. § 1232g et seq.),
- personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act (12 U.S.C. § 2001 et seq.),
- personal data collected, processed, sold, or disclosed in accordance with Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. § 6801 et seq.),
- data processed or maintained for applications for employment or employment purposes or for independent contractors to the extent that data is used in the context of the employee or contractor role,
- emergency contact information used for emergency contact purposes for employees or independent contractors,
- data necessary to administer benefits for employees and independent contractors, and
- personal data collected, processed, sold or disclosed in relation to price, route or service, as such terms are used in the Airline Deregulation Act of 1978 (49 U.S.C. § 41713).
Deidentified Data
The MTCDPA includes an exemption for deidentified data.15
Deidentified data is data that cannot reasonably be used to infer information about or be linked to an identified individual or a device linked to such individual.16 Controllers processing deidentified data must17:
- take reasonable measures to ensure that the data is deidentified and cannot be linked to an individual,
- publicly commit to not attempt to reidentify the data, and
- contractually obligate recipients to comply with all provisions of the MTCDPA.
Publicly Available Data
The MTCDPA does not apply to publicly available information.18 Publicly available information is information that is19:
- lawfully made available through government records or widely distributed media, or
- lawfully made available to the general public by an individual.
Pseudonymous Data
Pseudonymous data is data that cannot be attributed to a specific individual without the use of additional information that is maintained separately.20 Where the controller is able to demonstrate that any information necessary to identify the individual is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing such information, the controller is not required to grant the individual rights to access, deletion or control over the individual’s data.21
Rights
Consumers have several rights under the MTCDPA22:
- Right to Know,
- Right to Correct,
- Right to Delete,
- Right to Opt-Out,
- Right to Opt-In to the Processing of Sensitive Data,
- Right to Not Be Discriminated Against, and
- Minors’ Rights.
Right to Know
Consumers have the right to know whether a controller is processing their personal data and what personal data is being processed about them.23 This includes the right to obtain a copy of their data in a format that is portable such that the consumer can transmit the data to another controller.24
This right also shapes the disclosures a business must make in its privacy notice. The notice must include25:
- the categories of personal data processed by the controller,
- the purpose for processing personal data,
- an explanation of consumers’ rights,
- how consumers can exercise their rights,
- if applicable, a disclosure that data is sold or used for targeted advertising,
- the categories of personal data that the controller sells or shares with third parties,
- an e-mail address or other mechanism to contact the controller, and
- the date the notice was last updated.
Right to Correct
Consumers have the right to request that a controller correct inaccuracies in the consumer’s personal data.26
Right to Delete
Consumers have the right to request that a controller delete any personal data about the consumer.27
Right to Opt Out
Consumers have the right to opt out of a controller processing their personal data for the purpose of targeted advertising, the sale of personal data, or consumer profiling used to analyze individuals and make decisions about them that have legal consequences or have other serious impacts on their lives.28
Targeted advertising means displaying advertisements to a consumer that are selected based on the consumer’s personal data that has been obtained over time and from across nonaffiliated websites or online applications and is used to predict the consumer's preferences or interests.29 Targeted advertising does not include30:
- advertisements based on activities within a controller's own websites or online applications,
- advertisements based on the context of a consumer's current search query or current visit to a website or online application,
- advertisements directed to a consumer in response to the consumer's request for information or feedback, or
- personal data processed solely for measuring or reporting advertising performance.
Sale of data is a controller’s exchange of personal data with a third party for money or other valuable consideration.31 Sale does not include32:
- the disclosure of personal data to a processor that processes the personal data on behalf of the controller,
- the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer,
- the disclosure or transfer of personal data to an affiliate of the controller or that is made as part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets,
- the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party, or
- the disclosure of information that the consumer intentionally made available to the general public.
Profiling is a controller’s use of automated processing to evaluate, analyze, or predict personal aspects related to a consumer’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.33
Right to Opt In for Sensitive Data
Controllers may not process sensitive data without obtaining consent from the consumer.34 Accordingly, the consumer has the right to not have their sensitive data processed unless they have opted into such processing.35
Consent must be36:
- freely given, meaning the consent is given voluntarily,
- specific, meaning the consent is given for a clearly defined purpose,
- informed, meaning the data subject is provided an explanation of how the data will be processed, and
- unambiguous, meaning it is clear the data subject has consented (e.g., by clicking “I agree”).
Right to Not Be Discriminated Against
Consumers have the right for their personal data to not be processed in violation of state and federal laws that prohibit unlawful discrimination.37 Consumers also have the right to not be discriminated against by a controller for exercising their consumer rights.38 A controller cannot deny goods or services, charge different prices or rates for goods or services, or provide a different level of quality of goods and services to the consumer because that consumer exercised their MTCDPA rights.39
However, the MTCDPA does not prevent a controller from offering different prices, rates, levels, qualities, or selections of goods or services if such difference is unrelated to the consumer’s assertion of their consumer rights.40
Minors’ Rights
When a controller offers an online service, product, or feature that it knows or willfully disregards is used by a minor (any consumer under 18), it may not process the minor’s personal data for the following purposes without consent, either the minor’s own consent or, if the minor is under 13, the consent of a parent or legal guardian41:
- targeted advertising,
- sale of personal data, and
- profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Controllers must also not42:
- process minors’ personal data for any purpose other than the one the controller disclosed at the time of collection, or that is reasonably necessary for and compatible with that disclosed purpose,
- process minors’ personal data for longer than reasonably necessary to provide the online service, product, or feature,
- use a system design feature to significantly increase, sustain, or extend a minor’s use of an online service, product, or feature, or
- collect a minor’s precise geolocation data unless the precise geolocation data is necessary to provide the service, product, or feature and the controller provides a signal indicating the collection of the precise geolocation data for the duration of the time the precise geolocation data is collected.
The MTCDPA also prohibits controllers from offering direct messaging platforms for use by minors without providing safeguards that limit the ability of an adult to send unsolicited communication to a minor with whom the adult is not connected.43 This requirement does not apply to email or direct messages sent between devices where the message is only visible to the sender and recipient and is not posted publicly.44
Separately, a controller that knows or willfully disregards that a consumer is at least 13 but younger than 16 years old may not process that consumer’s personal data for targeted advertising, or sell it, without the consumer’s consent.45
Exercising Rights
A consumer may exercise their rights to know, correct, delete, or opt out under the MTCDPA by submitting a request to the controller in accordance with the means established in the controller’s privacy notice.46 Consumers may also designate an authorized agent to opt out of the processing of their personal data on their behalf.47
Within the controller’s privacy notice, the controller must describe one or more means by which a consumer can submit a request to exercise their consumer rights.48 This mechanism cannot require the creation of a new account to exercise the consumer’s rights.49
A controller must respond to the consumer’s request within 45 days of receipt.50 If reasonably necessary due to the complexity or quantity of consumer requests, the controller may extend their response period by 45 days so long as the controller notifies the consumer within the initial 45-day period of such extension and provides a reason for the extension.51
A controller must also provide information in response to a consumer request free of charge, up to once per year.52 If a consumer’s requests are unfounded, excessive, or repetitive, the controller may charge a reasonable administrative fee or refuse to act on the request.53 A controller may also refuse the request if they cannot reasonably authenticate the consumer.54
Controllers must establish an appeals process for a consumer to appeal any refusal by the controller to take action on a request.55
Enforcement
The Attorney General of Montana has authority to enforce the provisions of the MTCDPA.56 The Attorney General may issue a civil investigative demand pursuant to Mont. Code Ann. § 30-14-113.57 The Attorney General may seek civil penalties of up to $7,500 per violation, injunctive relief, and attorney fees and other reasonable expenses incurred in investigating and bringing an action under the MTCDPA.58
Notes
1. Mont. Code Ann. § 30-14-2802(7) (2025).
2. Mont. Code Ann. § 30-14-2803(1) (2025).
3. Mont. Code Ann. § 30-14-2803(2) (2025).
4. Mont. Code Ann. § 30-14-2802 (2025).
5. Mont. Code Ann. § 30-14-2802(9) (2025).
6. Mont. Code Ann. § 30-14-2802(22) (2025).
7. Mont. Code Ann. § 30-14-2802(21) (2025).
8. Mont. Code Ann. § 30-14-2813(1) (2025).
9. Mont. Code Ann. § 30-14-2813(2) (2025).
10. Mont. Code Ann. § 30-14-2802(19) (2025).
11. Mont. Code Ann. § 30-14-2812(2)(b) (2025).
12. Mont. Code Ann. § 30-14-2802(28) (2025).
13. Mont. Code Ann. § 30-14-2804(1) (2025).
14. Mont. Code Ann. § 30-14-2804(1)(f), (2) (2025).
15. Mont. Code Ann. § 30-14-2802(19) (2025).
16. Mont. Code Ann. § 30-14-2802(12) (2025).
17. Mont. Code Ann. § 30-14-2815(1) (2025).
18. Mont. Code Ann. § 30-14-2802(19) (2025).
19. Mont. Code Ann. § 30-14-2802(26) (2025).
20. Mont. Code Ann. § 30-14-2802(25) (2025).
21. Mont. Code Ann. § 30-14-2815(4) (2025).
22. Mont. Code Ann. §§ 30-14-2808(1), 30-14-2811(2), 30-14-2812(2)(b), 30-14-2812(2)(e) (2025).
23. Mont. Code Ann. § 30-14-2808(1)(a) (2025).
24. Mont. Code Ann. § 30-14-2808(1)(d) (2025).
25. Mont. Code Ann. § 30-14-2812(4)-(5) (2025).
26. Mont. Code Ann. § 30-14-2808(1)(b) (2025).
27. Mont. Code Ann. § 30-14-2808(1)(c) (2025).
28. Mont. Code Ann. § 30-14-2808(1)(e) (2025).
29. Mont. Code Ann. § 30-14-2802(29)(a) (2025).
30. Mont. Code Ann. § 30-14-2802(29)(b) (2025).
31. Mont. Code Ann. § 30-14-2802(27)(a) (2025).
32. Mont. Code Ann. § 30-14-2802(27)(b) (2025).
33. Mont. Code Ann. § 30-14-2802(23) (2025).
34. Mont. Code Ann. § 30-14-2812(2)(b) (2025).
35. Id.
36. Mont. Code Ann. § 30-14-2802(6) (2025).
37. Mont. Code Ann. § 30-14-2812(2)(c) (2025).
38. Mont. Code Ann. § 30-14-2812(2)(e) (2025).
39. Id.
40. Mont. Code Ann. § 30-14-2812(3) (2025).
41. Mont. Code Ann. § 30-14-2811(2) (2025).
42. Id.
43. Mont. Code Ann. § 30-14-2811(3)(b) (2025).
44. Id.
45. Mont. Code Ann. § 30-14-2812(2)(d) (2025).
46. Mont. Code Ann. § 30-14-2808(2) (2025).
47. Mont. Code Ann. §§ 30-14-2808(3), 30-14-2809 (2025).
48. Mont. Code Ann. § 30-14-2812(11)(a) (2025).
49. Mont. Code Ann. § 30-14-2812(11)(b) (2025).
50. Mont. Code Ann. § 30-14-2808(4)(a) (2025).
51. Mont. Code Ann. § 30-14-2808(4)(a) (2025).
52. Mont. Code Ann. § 30-14-2808(4)(c) (2025).
53. Id.
54. Mont. Code Ann. § 30-14-2808(4)(d) (2025).
55. Mont. Code Ann. § 30-14-2808(5) (2025).
56. Mont. Code Ann. § 30-14-2817(1) (2025).
57. Mont. Code Ann. § 30-14-2817(3) (2025).
58. Mont. Code Ann. § 30-14-2820 (2025).
