Montana is the third U.S. state to pass a comprehensive consumer privacy law this year. In this article, we’ll go over the protections Montana’s residents have over their personal data, what your business needs to do to comply with MCDPA, and how Ethyca can help.
Montana marks the third U.S. state privacy law to pass its state House and Senate legislature in 2023!
SB 384 or Montana’s Consumer Data Protection Act (MCDPA) is set to go into effect on July 1, 2025, giving businesses two years to prepare for it.
Revamping your privacy operations for California’s CPRA, Virginia’s CDPA, Colorado’s CPA, Connecticut’s CTDPA, Utah’s UCPA, Iowa’s ICDPA, and Indiana’s INDCPA in the meantime will give your business a great head start for MCDPA.
Until then, here’s what your business needs to know about Montata’s privacy law.
MCDPA applies to businesses that operate in Montana or target products or services to Montana consumers, and
Like Iowa and Indiana, Montana’s privacy law uses thresholds on the amount of data businesses are processing to determine applicability. Confirm if your business is processing the minimum amount of consumers’ data to see if MCDPA applies to you.
Businesses subject to Montana’s privacy law need to know the consumer rights and consent rights of Montana residents, as well as the consequences of privacy violations. This next section will go over these requirements in more detail.
Like with all other state privacy laws, Montana residents can exercise certain data subject rights including:
Like Iowa’s and Indiana’s privacy law, Montana consumers do not have a private right of action. Montana residents do have the ability to correct their data like in Indiana, whereas Iowa does not grant this right for its residents.
Montana residents also have specific opt-out and opt-in consent rights businesses must follow.
For opt-out consent, consumers are allowed to opt out of the processing of personal data for:
Like Indiana’s privacy law, Montana’s clearly states that residents can opt out of targeted advertising and profiling. Iowa’s privacy law, on the other hand, is more vague about targeted advertising and doesn’t mention profiling at all.
Unlike in both Iowa and Indiana, MCDPA requires businesses to recognize universal opt-out mechanisms for consent intake. Consumers are also allowed to withdraw consent even if they previously gave it. Businesses must have this ready on their websites by January 1, 2025.
In terms of opt-in rights, Montana consumers have the right to opt into the processing of “sensitive data,” which includes:
Businesses will need to describe how users can exercise their opt-in and opt-out rights on their website’s Privacy Notice.
Businesses must respond to consumers’ rights and consent requests within 45 days and can extend for an additional 45 days.The Attorney General of Montana is responsible for issuing notices of privacy violations to businesses. Businesses have a 60-day cure period to correct violations.
The amount of civil penalties business can incur is not specified in the bill’s text. However, the cure period for privacy violations will sunset on April 1, 2026.
Now that you know what consumer and consent rights residents have under Montana’s privacy law, as well as the consequences of violations, let’s go over the additional business obligations your business needs to fulfill and how to fulfill them.
MCDPA states that businesses must limit the purpose of collecting data to only what’s “adequate, relevant, and reasonably necessary.” In other words, Montana’s privacy law requires businesses to practice data minimization.
Data minimization is the practice of only collecting data that is necessary and relevant to fulfill a specific business purpose. Rather than simply collecting less data, data minimization forces businesses to be more deliberate about only collecting the data it needs. The less data your organization collects, the less risk for your company
Implementing data minimization is a fundamental step toward running a privacy-respecting business. It will also make fulfilling consumer’s subject requests rights from above easier. Be sure to identify and publsih what data your business needs to collect, for how long, and how to dispose of it when it’s not in use anymore.
Under MCDPA, businesses are required to publish easy-to-understand privacy notices on their websites for consumers to access. These privacy notices should include:
To make sure you’re including all of the necessary information on your Privacy Notices, work with your legal team to create a privacy notice that’s easily readable on your website.
MCDPA also requires businesses to enter data processing contracts between data processors or entities that “process personal data on behalf of a controller.” An example of a data processor is a third-party SaaS vendor that processes and stores data for your business.
These contracts must dictate the terms of how the processor processes the personal data your business collects. They must also include the purpose of processing, the type of data being processed, the duration of processing, and the rights and obligations of both controllers and processors.
If your business works with processors or subcontractors that process data on your behalf, be sure to enter a legally binding data processing contract with each of them.
Montana’s privacy law also requires businesses to perform data protection assessments (DPAs). DPAs are meant to help businesses assess and weigh the benefits against potential risks to consumers on the following data processing activities:
MCDPA requires DPAs to be generated after January 1, 2025. The Attorney General can also request a DPA to determine compliance. Make sure you’re ready for Montana’s regulators by documenting DPIAs every time there’s a change in your business’ processing activities.
Like Indiana’s privacy law, MCDPA also gives explicit instructions for processing de-identified data. Businesses that process de-identified data must:
These rights do not apply to pseudonymous data if the business can show that any information necessary to identify the consumer is kept separately with technical and organizational controls.
If your business processes de-identified data, make sure the required safeguards are in place by July 1, 2025.
Ensuring your business complies with all U.S. state privacy laws can feel overwhelming. Luckily, Ethyca makes it easy with the Fides privacy intelligence platform. With Fides, your business will be able to automate privacy requirements for all state privacy laws.
Read on to learn how.
Different U.S. state privacy laws have different opt-in and opt-out requirements your business needs to fulfill. With the Fides privacy intelligence platform, your business can easily manage users’ consent preferences for any privacy law.
Using the Fides platform will allow you to set multiple opt-out links on your website footer, customize a Privacy Center for consent intake, and set single or multiple opt-in or opt-out consent preferences to comply with multiple state privacy laws at the same time.
Users can submit their requests through a Privacy Center on your website and verify their identity via SMS or email. With an easy-to-use Admin UI. your business will be able to quickly process and record users’ consent preferences as proof of compliance.
All privacy regulations require businesses to fulfill user subject requests, or data subject requests (DSRs). Unfortunately, this process is often costly, labor-intensive, and causes lots of friction for legal, compliance, and engineering teams.
The Fides privacy intelligence platform streamlines these workflows. Your business will be able to automate DSR processing end-to-end with Fides. Users can submit their DSR requests via the same Privacy Center they would use to submit their consent preferences.
After requests are submitted, you can approve or deny them with the same Admin UI. Users will then receive an email containing a link to the data they requested in a machine-readable format, or a confirmation that their data has been corrected or erased.
Fides will also maintain a log of the requests your business has received and processed. That way, you can prove to regulators your business’ privacy practices are compliant.
What makes the Fides privacy intelligence platform so powerful is its ability to connect to all internal and third-party databases and systems. After connecting with all systems, Fides will be able to produce a data map, or a real-time visual representation, of your organization’s data flows.
Unlike tracking data through manual spreadsheets that are immediately out of date, Fides’ automated data map will give you an accurate inventory of all the data in your systems, i.e. what the data is, where it goes, and where it’s stored.
In fact, connecting to all of your systems is how Fides can automate consent management and data subject requests in the first place. Using the Fides privacy intelligence platform will integrate privacy across your entire business. That’s the true power of privacy intelligence.
Montana follows Iowa and Indiana as the first few privacy laws to pass in 2023. But, more are constantly on the way. Your business will need to look ahead and prepare for all of the coming privacy regulations passing through state legislatures.
Thankfully, you don’t have to do it alone. Ethyca is here to help your business fulfill its privacy obligations every step of the way. If you have any questions about new or current privacy laws, schedule a free 15-minute call with one of our privacy advisors right now.
Ethyca’s VP of Engineering Neville Samuell recently spoke at the University of Texas at Austin’s Texas McCombs School of Business about privacy engineering and its role in today’s digital landscape. Read a summary of the discussion by Neville himself here.
Learn more about all of the updates in the Fides 2.24 release here.
Ethyca’s Senior Software Engineer Adam Sachs goes through the thought process of creating Fideslang, the privacy engineering taxonomy that standardizes privacy compliance in software development.
Learn more about all of the updates in the Fides 2.23 release here.
Our Senior Software Engineer Dawn Pattison walks you through implementing data minimization into your business.
Learn more about all of the updates in the Fides 2.22 release here.
Our team of data privacy devotees would love to show you how Ethyca helps engineers deploy CCPA, GDPR, and LGPD privacy compliance deep into business systems. Let’s chat!Request a Demo