Montana Consumer Data Privacy Act: Summary (Part 2)

by John DiGiacomo

Partner

Internet Law

As noted in Part One of this article, in May 2023, Montana passed the “Montana Consumer Data Privacy Act” (“MCDPA”), which will take effect in October 2024. In Part One, we summarized the applicability of the MCDPA and the rights that are given to Montana consumers while pointing out some oddities and unique features of the MCDPA. In this Part Two, we will look at obligations imposed by the MCDPA on controllers and enforcement mechanisms.

Under the MCDPA, controllers of consumer personal data have a number of positive and negative obligations. These include:

  • Limiting the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed to the consumer
  • Not processing personal data for purposes that are neither reasonably necessary to nor compatible with the purposes for which the personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent
  • Establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue
  • Providing an effective mechanism for a consumer to revoke the consumer’s consent that is at least as easy as the mechanism by which the consumer provided the consumer’s consent
  • Stopping the processing of data no later than 45 days after a consumer’s revocation of consent has been received
  • Not processing sensitive data concerning a consumer without obtaining the consumer’s consent — “sensitive data” being genetic or biometric data, precise geolocation data, personal information revealing racial or ethnic origin, religious beliefs, health status, etc.
  • Not processing the personal data of a consumer for the purposes of targeted advertising or selling the consumer’s personal data without consent
  • Not discriminating or retaliating against a consumer for exercising any of the rights protected by the MCDPA

As noted in Part One, controllers also have an affirmative duty to provide notices to consumers and to obtain consents. The notices must be hyperlinks to the actual text of the controller’s “clear and meaningful privacy policy.” The notice must be “reasonably accessible” (that is, prominent and not difficult to locate or activate) and must disclose the categories of personal data processed, the purpose for which the data is collected and processed, the categories of personal data shared with or sold to third parties, the categories of third parties, and the nature of the consumers’ rights under the MCDPA and how consumers may exercise those rights (including appeal rights). The controller must also provide an active e-mail address or other mechanism that can be used to contact the controller.

In addition to the foregoing, a controller must disclose — clearly and conspicuously — if the controller sells personal data to third parties and/or engages in targeted advertising. If this is true, then the controller is obligated to provide consumers with an “opt-out.” This must be conspicuously located and “easy to use.” This opt-out mechanism must be ready for use by January 1, 2025 (even though the MCDPA takes effect on October 1, 2024). In addition, controllers must prepare a data protection impact assessment with respect to any processing of personal data that presents a heightened risk of harm to a consumer, including targeted advertising, the sale of personal data, the processing of sensitive data, and profiling.

Finally, with respect to control and possession of “de-identified data,” controllers must take “reasonable measures” to ensure that the data cannot be reassembled, re-identified, or otherwise reconstructed so that the data can be identified with an individual.

Enforcement of the MCDPA will be handled by the Montana Attorney General’s Office. That is, consumers do not have any private right of action under the MCDPA.

Contact the Consumer Data Privacy Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.
