As noted in Part One of this article, in May 2023, Montana passed the “Montana Consumer Data Privacy Act” (“MCDPA”), which will take effect in October 2024. In Part One, we summarized the applicability of the MCDPA and the rights that are given to Montana consumers while pointing out some oddities and unique features of the MCDPA. In this Part Two, we will look at obligations imposed by the MCDPA on controllers and enforcement mechanisms.
Under the MCDPA, controllers of consumer personal data have a number of positive and negative obligations. These include:
- Limiting the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed to the consumer
- Not processing personal data for purposes that are neither reasonably necessary to nor compatible with the purposes disclosed to the consumer, unless the controller obtains the consumer’s consent
- Establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue
- Providing an effective mechanism for a consumer to revoke the consumer’s consent that is at least as easy as the mechanism by which the consumer provided the consumer’s consent
- Stopping the processing of data no later than 45 days after a consumer’s revocation of consent has been received
- Not processing sensitive data concerning a consumer without obtaining the consumer’s consent — “sensitive data” being genetic or biometric data, precise geolocation data, personal information revealing racial or ethnic origin, religious beliefs, health status, etc.
- Not processing the personal data of a consumer for the purposes of targeted advertising, or selling the consumer’s personal data, without consent where the controller has actual knowledge (or willfully disregards) that the consumer is at least 13 but younger than 16; for other consumers, targeted advertising and sales are subject to an opt-out right rather than an opt-in consent requirement (discussed below)
- Not discriminating or retaliating against a consumer for exercising any of the rights protected by the MCDPA
As noted in Part One, controllers also have an affirmative duty to provide notices to consumers and to obtain consents. The notice takes the form of a “clear and meaningful privacy policy,” and any link to it must lead to the actual text of that policy. The notice must be “reasonably accessible” — that is, prominent and not difficult to locate or activate — and must disclose the categories of personal data processed, the purposes for which the data is collected and processed, the categories of personal data shared with or sold to third parties, the categories of those third parties, the nature of consumers’ rights under the MCDPA, and how consumers may exercise those rights (including appeal rights). The controller must also provide an active e-mail address or other mechanism that consumers can use to contact the controller.
In addition to the foregoing, a controller must disclose — clearly and conspicuously — whether the controller sells personal data to third parties and/or engages in targeted advertising. If it does, the controller is obligated to provide consumers with an “opt-out.” This must be conspicuously located and “easy to use.” Beginning January 1, 2025 (after the MCDPA’s October 1, 2024 effective date), controllers must also honor universal opt-out preference signals sent from a consumer’s browser or device as a valid exercise of that opt-out. In addition, controllers must prepare a data protection impact assessment with respect to any processing of personal data that presents a heightened risk of harm to a consumer, including targeted advertising, the sale of personal data, the processing of sensitive data, and profiling.
Finally, with respect to control and possession of “de-identified data,” controllers must take “reasonable measures” to ensure that the data cannot be reassembled, re-identified, or otherwise reconstructed so as to be associated with an individual.
Enforcement of the MCDPA will be handled by the Montana Attorney General’s Office. That is, consumers do not have any private right of action under the MCDPA.
Contact the Consumer Data Privacy Attorneys at Revision Legal
For more information, contact the experienced Consumer Data Privacy Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
Controller vs. Processor: How the MCDPA Allocates Responsibilities
Like most contemporary state privacy statutes, the MCDPA uses the controller/processor model. A “controller” is the entity that determines the purposes and means of processing personal data. A “processor” is an entity that processes data on behalf of and at the direction of a controller. The MCDPA imposes the bulk of its obligations on controllers, with a smaller set of obligations flowing through to processors by contract.
Processors must: process data only in accordance with the controller’s documented instructions; maintain the confidentiality of personal data; assist the controller in fulfilling consumer rights requests to the extent the processor holds relevant data; notify the controller of any personal data breach affecting the processor’s systems; and, upon termination, delete or return all personal data to the controller. These obligations must be memorialized in a written data processing agreement (DPA).
The MCDPA’s Consent Framework: Granular and Context-Specific
The MCDPA’s consent requirements are calibrated to the type of data being processed and the purpose of the processing. For general personal data processed for ordinary business purposes, no prior consent is required; the controller need only provide the required disclosures. Affirmative opt-in consent is required, however, for: the processing of sensitive personal data for any purpose; the processing of personal data for purposes not reasonably compatible with the disclosed collection purpose; and the processing of personal data of consumers known to be under the age of 13 (which must also comply with COPPA) or at least 13 but younger than 16 for purposes of targeted advertising or the sale of their personal data.
Beginning January 1, 2025, the MCDPA requires controllers to recognize universal opt-out preference signals, such as the Global Privacy Control (GPC), that a consumer sends through a browser or device setting. A valid signal must be treated as the consumer’s opt-out from targeted advertising and from the sale of personal data, without the consumer having to locate and use the controller’s own opt-out mechanism. In this respect Montana follows California, Colorado, and Connecticut, each of which also mandates recognition of such signals, rather than the states that leave signal recognition optional.
Enforcement by the Montana Attorney General: Penalties and the Cure Period
Montana’s attorney general has exclusive enforcement authority — consumers have no private right of action. Before initiating a civil action, the AG must issue written notice of alleged violation and provide a 60-day cure period. If the controller or processor remedies the alleged violation within 60 days and provides written confirmation, no civil action may be brought for that specific violation. Civil penalties reach up to $7,500 per violation. In assessing penalties, courts are likely to consider the scale of the violation, the number of affected consumers, the sensitivity of the data involved, and whether the controller had policies and procedures in place that failed through isolated non-compliance or through systemic neglect.
Preparing for Multi-State Privacy Compliance: Integrating MCDPA Into a Broader Program
For businesses that operate nationally, the MCDPA is one of approximately twenty state privacy laws currently in effect. Key elements of a multi-state privacy compliance program that addresses MCDPA obligations include:
- Unified data inventory and data flow mapping. Map all personal data collected, processed, shared, and retained — categorizing data by type, source, purpose, and recipient. This inventory is the foundation for disclosure accuracy, data minimization compliance, and consumer rights request fulfillment.
- Consolidated privacy notice. A single privacy notice covering the disclosure requirements of MCDPA, VCDPA, CPA, CTDPA, TDPSA, and CPRA is achievable with careful drafting. State-specific short notices or just-in-time notices can supplement the consolidated notice for context-specific disclosures.
- Consumer rights request management system. A centralized system for receiving, verifying, routing, and responding to consumer rights requests enables compliance with the varying response timelines of different state laws and maintains audit trails demonstrating compliance.
- Vendor management program. Ensure that all third-party data processors execute DPAs that satisfy the requirements of all applicable state privacy laws. A single DPA template addressing the controller/processor provisions of MCDPA, VCDPA, CPA, CTDPA, TDPSA, and CPRA can be used with all vendors.
- Data protection assessments. Conduct and document DPIAs before undertaking high-risk processing activities — including targeted advertising, data sales, sensitive data processing, and profiling — as required by the MCDPA and peer statutes, and revisit them whenever the processing materially changes (a periodic review, at least annually, is common practice even where no statute mandates it).
Revision Legal’s privacy compliance attorneys help businesses build and maintain multi-state privacy compliance programs that are efficient, scalable, and legally defensible. Contact us at (855) 473-8474 to schedule a privacy compliance assessment.