Montana Consumer Data Privacy Act: What Business Owners Need to Know
The Montana Consumer Data Privacy Act (MTCDPA), effective from October 01, 2024, has been enacted to protect consumer privacy by setting up clear guidelines for how businesses must manage personal data. Compliance with this legislation is crucial for a business owner to maintain trust and avoid potential penalties. Here’s a breakdown of the key elements of the Montana Consumer Data Privacy Act and how it impacts your business.
Applicability of Montana Consumer Data Privacy Act (MTCDPA)
These rules apply to businesses that either operate in Montana or target their products or services to Montana residents and:
- Manage the personal data of at least 50,000 consumers, not counting data used solely for payment transactions, or
- Manage the personal data of at least 25,000 consumers and earn more than 25% of their revenue from selling personal data.
Exemptions
The following entities and types of information are exempted under the Montana Consumer Data Privacy Act:
Entities
- State and local government bodies, agencies, and political subdivisions.
- Nonprofit organizations.
- Institutions of higher education.
- National securities associations registered under the Securities Exchange Act.
- Financial institutions and their affiliates, as long as they comply with the Gramm-Leach-Bliley Act.
- Covered entities and business associates under HIPAA.
Information Types
- Protected health information under HIPAA.
- Patient-identifying information related to substance abuse.
- Identifiable confidential information for human subjects research.
- Information created under the Health Care Quality Improvement Act.
- Patient safety work products.
- Deidentified information or limited data sets under HIPAA.
- Public health-related information as authorized by HIPAA.
- Consumer credit information regulated by the Fair Credit Reporting Act.
- Personal data related to driver’s privacy under the Driver’s Privacy Protection Act.
- Data regulated by the Family Educational Rights and Privacy Act.
- Personal data collected in compliance with the Farm Credit Act.
- Employment-related data of individuals connected to a controller or processor.
- Emergency contact information used for emergencies.
- Data necessary for administering benefits.
- Personal data concerning airline services that are preempted by the Airline Deregulation Act.
Consumer Rights Regarding Personal Data
1. Confirm Data Processing: Consumers have the right to know if your company is processing their personal data.
2. Correct Inaccurate Data: Consumers can request to correct their inaccurate personal data depending on the nature and use of that data.
3. Data Deletion: Consumers can ask you to delete their personal data from your records unless exemptions apply such as legal requirements.
4. Data Portability: Consumers have the right to get a copy of their data in a usable format allowing them to transfer it elsewhere, without compromising trade secrets.
5. Opt-Out Rights: Consumers can opt out of:
- Targeted advertising.
- The sale of their data (with certain exceptions).
- Automated profiling that has legal or significant impacts on them.
Exercising Consumer Rights
Businesses must offer secure and straightforward methods for consumers to exercise their rights, usually outlined in the company’s privacy notice, and must respond to requests within 45 days, which can be extended by another 45 days if the request is complex.
Key Provisions under the Montana Consumer Data Privacy Rights Act
Data Processing by Controllers
1. Responsibilities of Controller:
Businesses should only collect personal data that is necessary for the purposes disclosed to the consumer. Security measures must be in place to protect this data, and consumers must be able to revoke their consent as easily as they provided it. You must stop processing data within 45 days of receiving such a request.
2. Prohibited Actions:
- Controllers cannot process data for purposes outside the disclosed reasons unless they obtain consumer consent.
- Sensitive data (e.g., about children) cannot be processed without consent, following the Children’s Online Privacy Protection Act (COPPA).
- They cannot target advertising or sell personal data of consumers aged 13-16 without their consent.
- Discriminating against consumers for exercising their privacy rights, such as charging different prices or reducing service quality, is also prohibited.
Transparency and Disclosure Obligations
If a business sells personal data or uses it for targeted advertising, it must clearly inform consumers and provide them with an opt-out mechanism. Furthermore, the privacy notice must be comprehensive and easily accessible, covering:
- Types of personal data processed.
- Purposes for data processing.
- Categories of data shared with third parties (if applicable).
- Contact details of the controller.
- Instructions for consumers to exercise their rights and appeal decisions.
Consumer Requests
Businesses must provide secure and reliable methods for consumers to submit requests to exercise their rights, without any requirement to create new accounts. However, they may be required to use an existing account.
Data Processor Responsibilities
Data processors, which may include any third parties, must adhere to the instructions given by the data controller about the processing of personal data. This includes:
- Helping with consumer rights requests.
- Maintaining data security.
- Helping with data breach notifications.
- Providing relevant information for data protection assessments.
Processor Contracts and Compliance
When working with processors, the data controller must put in place contracts that define the processor’s role, including:
- Processing instructions, purpose, type of data, and duration of processing.
- Obligations such as keeping data confidential and ensuring data protection.
- Clear requirements for deletion or returning data when requested by the controller (you), unless otherwise legally required.
- The right for you, as the controller, to assess the processor’s compliance or receive an independent assessment report.
Both controllers and processors are responsible for their roles in data processing, and if a processor oversteps its role, it may be deemed to be a controller and face potential legal actions.
Deidentified Data
Businesses must ensure that deidentified data cannot be linked back to individuals and make a public commitment to not trying to reidentify such data. If you share deidentified data with third parties, they must follow the same guidelines.
Enforcement and Compliance
The attorney general of Montana may enforce violations of the Montana Consumer Data Privacy Act. Before taking legal action, the attorney general must issue a notice of violation, allowing businesses 60 days to correct the issue. If the violation is corrected within this time limit, no further action will be taken. However, if the violation continues beyond the 60-day period, legal action can be taken.
Conclusion
Compliance with the Montana Consumer Data Privacy Act is essential for maintaining consumer trust and avoiding potential legal penalties. By understanding and implementing solutions for consumers’ privacy, businesses can prove their commitment to data privacy, minimize risks, and build long-term customer relationships. Businesses operating in Montana must evaluate their data practices, update their privacy policies, and ensure their processes meet the Montana Consumer Data Privacy Act’s requirements before the upcoming deadlines.