Montana became the 9th American state to pass a comprehensive data privacy law after governor Greg Gianforte signed the Montana Consumer Data Privacy Act (MCDPA) into law on May 19th. Just trailing Tennessee’s TIPA, Montana is the fourth state to pass data privacy legislation this year, and yet another to do so quickly, with the bill originally drafted in November 2022 and then introduced in February 2023. 

Montana has taken a few specific areas and items into account to make MCDPA unique, but otherwise it follows Virginia’s VCDPA and Connecticut’s CTDPA privacy laws relatively closely. 

The state is also wasting no time in getting this law into effect, with an implementation date of October 1, 2024, before the set dates for Iowa, Indiana, and Tennessee, the other states to pass data privacy laws this year.

Montana Data Privacy Law at a Glance

The Montana data privacy law takes a different approach to who needs to comply than the rest of state data laws, lowering the threshold from 100,000 (the same for all the other states) to 50,000. 

Considering Montana’s population is only just over 1 million people, the 50,000 threshold is appropriate, as the percentage of state population as a threshold is the highest among the nine states with comprehensive laws, with a company needing to process the data of nearly 1 in 20 Montanans to comply. 

Montana also eschews a monetary threshold, unlike Tennessee’s law, which passed just a week prior. With just the following two applicability thresholds, the MCDPA is set to apply to more businesses relative to TIPA:

1. Control or process personal information of +50,000 Montana consumers 

OR

2. Earn +25% of gross revenue from the sale of personal data and control and/or process the personal data of +25,000 Montanans

The term “consumer" does not include employees, meaning California’s amended CCPA is still the only state privacy law to cover employee data.

The definitions of “personal data” and “sensitive data” track within the MCDPA track with the other recent state laws, with the latter including:

• racial/ethnic origin
• religious beliefs
• mental or physical health diagnoses
• sexual orientation
• citizenship or immigration status
• genetic or biometric information used to uniquely identify an individual
• information from a known child (under the age of 13)  
• precise geolocation data (within a radius of 1,750 feet) 

Montana Data Privacy Law Exemptions

As is the case with Tennessee, Indiana, and going farther back, Virginia and Connecticut, Montana’s data privacy law also carves out quite a few exemptions. 

While Montana’s lower applicability threshold makes the bill more progressive, the continuation of long lists of exemptions does take some of the oomph out of it (even if the state does not include the insurance industry, as TIPA did). 

Montana exemptions:

• Entities covered by HIPAA
• Personal data subject to the Gramm-Leach-Billey Act (GLBA)
• Government or administrative bodies within Montana
• Nonprofit organizations
• Higher education institutions
• Financial institutions
• HIPAA-protected and/or authorized health information
• Other health care-related information
• Children’s Online Privacy Protection Act (COPPA)
• Data covered by the Fair Credit Reporting Act
• Data covered by the Driver's Privacy Protection Act
• Data covered by the Family Educational Rights and Privacy Act
• Data covered by the Farm Credit Act
  

Montana Consumer Data Rights

Montana, similar to Connecticut’s law, pushes the envelope giving consumers more rights than the majority of current state privacy legislation. 

In addition to the typical right to confirm data processing, rights to access, correct, or delete data, and right to data portability, Montana becomes the second state after Connecticut to include the right to revoke consent directly within the bill (Colorado features an amendment granting this right as well).

Montana’s data privacy law also allows any Montana resident to request that a data controller delete all personal data the controller has on them, rather than just personal data that the controller collected directly from the consumer. As the bill also does not require Montanans to prove their identity to opt-out of targeted advertising and the selling of their personal data, giving Montana consumers a rather robust collection of data rights.

There is no private right of action in MCDPA, meaning individuals cannot sue companies for any perceived violation.

Montana Data Privacy Law Requirements

Montana, like most states, follows several principles found in the GDPR, including data minimization, accountability, and data security standards. Data protection impact assessments, a key in the GDPR, are required, further solidifying Iowa’s outlier status in not needing them.

For privacy notices and consent banners, this means clearness and transparency. For opt-out rights, this means stating exactly what the process entails and not hiding the opt-out option. 

Montana also aligns on DSRs with most states, giving a 45-day period to respond and address any consumer request. This is the default number in American data privacy, as California and Virginia set this when they became the first two states to pass comprehensive laws.

MCDPA and Children’s Data

Montana defines the age of a child at 13, below the GDPR, which sets it at 16. This means that on its face, fewer children are covered by extra precautions within the regulation, but Montana expected that and added in several amendments to give children additional protections. 

Under MCDPA, data controllers cannot process the personal data of a consumer for targeted advertising or selling the consumer’s personal data without consumer consent when controllers know the consumer is between 13 and 16 years of age. 

This creates an opt-in for these scenarios, matching California’s and Connecticut’s laws’ similar provisions for underaged consumers.

Montana Data Privacy Enforcement

Fines and enforcement for the MCDPA follow the established blueprint, with fines at $7500 per violation and enforcement led  by the Attorney General’s office.

As there is no private right of action, that means only the AG can bring cases against companies not complying with the regulation.

Montana has set its cure period at 60 days, a relatively generous figure. However, that cure period will sunset and be removed on April 1, 2026, so companies will have roughly three years to become compliant before any violation is automatically fined.