How Your Business Can Prepare For Montana’s Consumer Data Protection Act (MCDPA)

Introduction 

Montana marks the third U.S. state privacy law to pass its state House and Senate legislature in 2023!

SB 384 or Montana’s Consumer Data Protection Act (MCDPA) is set to go into effect on July 1, 2025, giving businesses two years to prepare for it.

Revamping your privacy operations for California’s CPRA, Virginia’s CDPA, Colorado’s CPA, Connecticut’s CTDPA, Utah’s UCPA, Iowa’s ICDPA, and Indiana’s INDCPA in the meantime will give your business a great head start for MCDPA. 

Until then, here’s what your business needs to know about Montata’s privacy law.

Does Montana’s Privacy Law Apply to My Business?

MCDPA applies to businesses that operate in Montana or target products or services to Montana consumers, and

• Control or process the personal data of no less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or
• Control or process the personal data of no less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

Like Iowa and Indiana, Montana’s privacy law uses thresholds on the amount of data businesses are processing to determine applicability. Confirm if your business is processing the minimum amount of consumers’ data to see if MCDPA applies to you. 

What Your Business Needs to Know About Montana’s Privacy Law

Businesses subject to Montana’s privacy law need to know the consumer rights and consent rights of Montana residents, as well as the consequences of privacy violations. This next section will go over these requirements in more detail. 

Consumer Rights:

Like with all other state privacy laws, Montana residents can exercise certain data subject rights including:

• Right to know and access.
• Right to correction.
• Right to deletion.
• Right to appeal.
• Right to portability.

Like Iowa’s and Indiana’s privacy law, Montana consumers do not have a private right of action. Montana residents do have the ability to correct their data like in Indiana, whereas Iowa does not grant this right for its residents. 

Consent Requirements

Montana residents also have specific opt-out and opt-in consent rights businesses must follow.

For opt-out consent, consumers are allowed to opt out of the processing of personal data for:

• Targeted advertising.
• The sale of personal data.
• Profiling through automated decision making (ADM).

Like Indiana’s privacy law, Montana’s clearly states that residents can opt out of targeted advertising and profiling. Iowa’s privacy law, on the other hand, is more vague about targeted advertising and doesn’t mention profiling at all. 

Unlike in both Iowa and Indiana, MCDPA requires businesses to recognize universal opt-out mechanisms for consent intake. Consumers are also allowed to withdraw consent even if they previously gave it. Businesses must have this ready on their websites by January 1, 2025.

In terms of opt-in rights, Montana consumers have the right to opt into the processing of “sensitive data,” which includes:

• Racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person’s sex life, sexual orientation, or citizenship or immigration status.
• Genetic or biometric data for the purpose of uniquely identifying an individual.
• Personal data collected from a known child (under 13 years old).
• Precise geolocation data.

Businesses will need to describe how users can exercise their opt-in and opt-out rights on their website’s Privacy Notice.

Violations and Enforcement

Businesses must respond to consumers’ rights and consent requests within 45 days and can extend for an additional 45 days.The Attorney General of Montana is responsible for issuing notices of privacy violations to businesses. Businesses have a 60-day cure period to correct violations.

The amount of civil penalties business can incur is not specified in the bill’s text. However, the cure period for privacy violations will sunset on April 1, 2026.

What Your Business Needs to Do to Comply with Montana’s Privacy Law

Now that you know what consumer and consent rights residents have under Montana’s privacy law, as well as the consequences of violations, let’s go over the additional business obligations your business needs to fulfill and how to fulfill them. 

Practice Data Minimization

MCDPA states that businesses must limit the purpose of collecting data to only what’s “adequate, relevant, and reasonably necessary.” In other words, Montana’s privacy law requires businesses to practice data minimization.

Data minimization is the practice of only collecting data that is necessary and relevant to fulfill a specific business purpose. Rather than simply collecting less data, data minimization forces businesses to be more deliberate about only collecting the data it needs. The less data your organization collects, the less risk for your company 

Implementing data minimization is a fundamental step toward running a privacy-respecting business. It will also make fulfilling consumer’s subject requests rights from above easier. Be sure to identify and publsih what data your business needs to collect, for how long, and how to dispose of it when it’s not in use anymore.

Publish a Clear Privacy Notice

Under MCDPA, businesses are required to publish easy-to-understand privacy notices on their websites for consumers to access. These privacy notices should include:

• The categories of data processed.
• The purpose for processing.
• The categories of personal data shared with third-parties.
• An email address or mechanism to be used to contact the business.
• How users can submit requests to exercise their consumer rights and opt-out rights.

To make sure you’re including all of the necessary information on your Privacy Notices, work with your legal team to create a privacy notice that’s easily readable on your website.

Enter Data Processing Contracts 

MCDPA also requires businesses to  enter data processing contracts between data processors or entities that “process personal data on behalf of a controller.” An example of a data processor is a third-party SaaS vendor that processes and stores data for your business. 

These contracts must dictate the terms of how the processor processes the personal data your business collects. They must also include the purpose of processing, the type of data being processed, the duration of processing, and the rights and obligations of both controllers and processors. 

If your business works with processors or subcontractors that process data on your behalf, be sure to enter a legally binding data processing contract with each of them.

Perform Data Protection Impact Assessments (DPIAs)

Montana’s privacy law also requires businesses to perform data protection assessments (DPAs). DPAs are meant to help businesses assess and weigh the benefits against potential risks to consumers on the following data processing activities:

• Processing personal data for targeted advertising. 
• Selling personal data. 
• Processing of personal data for purposes of profiling,
• Processing of sensitive data.
• Using de-identified data
• Any processing activities that could increase the risk of harm to consumers. 

MCDPA requires DPAs to be generated after January 1, 2025. The Attorney General can also request a DPA to determine compliance. Make sure you’re ready for Montana’s regulators by documenting DPIAs every time there’s a change in your business’ processing activities.

Process De-identified and Pseudonymous Data Securely

Like Indiana’s privacy law, MCDPA also gives explicit instructions for processing de-identified data. Businesses that process de-identified data must:

1. Take reasonable measures to ensure that the data cannot be associated with an individual.
2. Publicly commit to maintaining and using de-identified data without attempting to re-identify the data.

These rights do not apply to pseudonymous data if the business can show that any information necessary to identify the consumer is kept separately with technical and organizational controls.

If your business processes de-identified data, make sure the required safeguards are in place by July 1, 2025.

How Ethyca Can Help Your Business Comply with Montana’s Privacy Law

Ensuring your business complies with all U.S. state privacy laws can feel overwhelming. Luckily, Ethyca makes it easy with the Fides privacy intelligence platform. With Fides, your business will be able to automate privacy requirements for all state privacy laws.

Read on to learn how.

Easy Consent Management

Different U.S. state privacy laws have different opt-in and opt-out requirements your business needs to fulfill. With the Fides privacy intelligence platform, your business can easily manage users’ consent preferences for any privacy law.

Using the Fides platform will allow you to set multiple opt-out links on your website footer, customize a Privacy Center for consent intake, and set single or multiple opt-in or opt-out consent preferences to comply with multiple state privacy laws at the same time.

Users can submit their requests through a Privacy Center on your website and verify their identity via SMS or email. With an easy-to-use Admin UI. your business will be able to quickly process and record users’ consent preferences as proof of compliance.

Automated Data Subject Requests Fulfillment

All privacy regulations require businesses to fulfill user subject requests, or data subject requests (DSRs). Unfortunately, this process is often costly, labor-intensive, and causes lots of friction for legal, compliance, and engineering teams.

The Fides privacy intelligence platform streamlines these workflows. Your business will be able to automate DSR processing end-to-end with Fides. Users can submit their DSR requests via the same Privacy Center they would use to submit their consent preferences.

After requests are submitted, you can approve or deny them with the same Admin UI. Users will then receive an email containing a link to the data they requested in a machine-readable format, or a confirmation that their data has been corrected or erased.

Fides will also maintain a log of the requests your business has received and processed. That way, you can prove to regulators your business’ privacy practices are compliant.

Real-Time Data System Inventorying

What makes the Fides privacy intelligence platform so powerful is its ability to connect to all internal and third-party databases and systems. After connecting with all systems, Fides will be able to produce a data map, or a real-time visual representation, of your organization’s data flows.

Unlike tracking data through manual spreadsheets that are immediately out of date, Fides’ automated data map will give you an accurate inventory of all the data in your systems, i.e. what the data is, where it goes, and where it’s stored.

In fact, connecting to all of your systems is how Fides can automate consent management and data subject requests in the first place. Using the Fides privacy intelligence platform will integrate privacy across your entire business. That’s the true power of privacy intelligence.

Conclusion

Montana follows Iowa and Indiana as the first few privacy laws to pass in 2023. But, more are constantly on the way. Your business will need to look ahead and prepare for all of the coming privacy regulations passing through state legislatures. 

Thankfully, you don’t have to do it alone. Ethyca is here to help your business fulfill its privacy obligations every step of the way. If you have any questions about new or current privacy laws, schedule a free 15-minute call with one of our privacy advisors right now.