Summary of the New Montana Consumer Data Privacy Act (Part Two) featured image

Summary of the New Montana Consumer Data Privacy Act (Part Two)

by John DiGiacomo

Partner

Internet Law

As noted in Part One of this article, in May 2023, Montana passed the “Montana Consumer Data Privacy Act” (“MCDPA”), which will take effect in October 2024. In Part One, we summarized the applicability of the MCDPA and the rights that are given to Montana consumers while pointing out some oddities and unique features of the MCDPA. In this Part Two, we will look at obligations imposed by the MCDPA on controllers and enforcement mechanisms.

Under the MCDPA, controllers of consumer personal data have a number of positive and negative obligations. These include:

  • Limiting the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed to the consumer
  • Not processing personal data for purposes that are not reasonably necessary to or compatible with the disclosed purposes for which the personal data is processed as disclosed to the consumer unless the controller obtains the consumer’s consent
  • Establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue
  • Providing an effective mechanism for a consumer to revoke the consumer’s consent that is at least as easy as the mechanism by which the consumer provided the consumer’s consent
  • Stopping the processing of data no later than 45 days after a consumer’s revocation of consent has been received
  • Not processing sensitive data concerning a consumer without obtaining the consumer’s consent — “sensitive data” being genetic or biometric data, precise geolocation data, personal information revealing racial or ethnic origin, religious beliefs, health status, etc.
  • Not processing the personal data of a consumer for the purposes of targeted advertising or selling the consumer’s personal data without consent
  • Not discriminating or retaliating against a consumer for exercising any of the rights protected by the MCDPA

As noted in Part One, controllers also have an affirmative duty to provide notices to consumers and to obtain consents. The notices must be hyperlinks to the actual text of the controller’s “clear and meaningful privacy policy.” The notice must be “reasonably accessible” — that is prominent and not difficult to locate or activate — and must disclose the categories of personal data processed, the purpose for which the data is collected and processed, the categories of personal data shared with/sold third parties, the categories of third parties, the nature of the consumers’ rights under the MCDPA and how consumers may exercise those rights (including appeal rights). The controller must also provide an active e-mail address or other mechanism that can be used to contact the controller.

In addition to the foregoing, a controller must disclose — clearly and conspicuously — if the controller sells personal data to third parties and/or engages in targeted advertising. If this is true, then the controller is obligated to provide consumers with an “opt-out.” This must be conspicuously located and “easy to use.” This opt-out mechanism must be ready for use by January 1, 2025 (even though the MCDPA takes effect on October 1, 2024). In addition, controllers must prepare a data protection impact assessment with respect to any processing of personal data that presents a heightened risk of harm to a consumer, including targeted advertising, the sale of personal data, the processing of sensitive data, and profiling.

Finally, with respect to control and possession of “de-identified data,” controllers must take “reasonable measures” to ensure that the data cannot be reassembled, re-identified, or otherwise reconstructed so that the data can be identified with an individual

Enforcement of the MCDPA will be handled by the Montana Attorney General’s Office. That is, consumers do not have any private right of action under the MCDPA.

Contact the Consumer Data Privacy Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

Extra, Extra!
Recent Posts

Worrying About SaaS Agreements and Cross-Border Data Transfers

Worrying About SaaS Agreements and Cross-Border Data Transfers

Internet Law

When your business is contemplating a software-as-a-service (“SaaS”) agreement, there are a large number of considerations. An SaaS agreement is, of course, a subscription service where a software package is centrally hosted and accessed by a SaaS company’s customers. Issues to be aware of include: As important as the foregoing issues are, one often overlooked […]

Read more about Worrying About SaaS Agreements and Cross-Border Data Transfers

FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

Internet Law

If you are serious about your career as a social media influencer, blogger, and/or online content creator, you ARE going to need legal services at some point. Online creation is big business now, and big business means the need for legal services. The Internet and Social Media Attorneys at Revision Legal are here to help. […]

Read more about FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

Take it Down Act: Ban on “Revenge Porn” Goes National

Take it Down Act: Ban on “Revenge Porn” Goes National

Internet Law

Congress recently passed the Take It Down Act (“TIDA”), and the law was signed by the President in mid-May 2025. See AP media report here. Interestingly enough, “Take It Down” is an acronym for “Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act.” TIDA prohibits what is commonly called “revenge […]

Read more about Take it Down Act: Ban on “Revenge Porn” Goes National

Put Revision Legal on your side

Let's Discuss Your Case