Montana has stepped up with its Consumer Data Privacy Act (MTCDPA), which took effect on October 1, 2024.
This legislation aims to give Montana residents more control over their personal data, ensuring their privacy in a rapidly evolving digital world.
Here’s what you need to know:
What is Sensitive Data?
Under the MTCDPA, sensitive data refers to personal information that is more private and includes details such as:
- Racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, and citizenship or immigration status.
- Genetic or biometric data used for unique identification.
- Information collected from children.
- Precise locations of individuals.
Who Needs to Comply with the Montana Consumer Data Privacy Act?
The act applies to businesses operating in Montana or targeting its residents, with specific criteria:
- Businesses controlling or processing the personal data of at least 50,000 consumers (not including data processed solely for payment transactions), or
- Businesses controlling or processing the personal data of at least 25,000 consumers and earning more than 25% of their gross revenue from selling personal data.
Non-profits and certain other entities are exempt from this law.
Consumer Rights Under the MTCDPA
Montana residents have the following rights regarding their data:
- Right to Know and Access: You can ask businesses if they’re processing your data and access it.
- Data Portability: Obtain a copy of your data in a format that’s easy to transfer to another service.
- Correction: Request updates or corrections to inaccurate personal data.
- Deletion: Ask for your data to be deleted.
- Opt-Out Rights: Choose to opt out of targeted advertising, the sale of your data, and certain profiling activities.
- Non-Discrimination: Businesses can’t discriminate against you for exercising your privacy rights.
As a business operating under the Montana Consumer Data Privacy Act (MTCDPA), it is imperative to establish and communicate secure and reliable methods for consumers to exercise their privacy rights. This includes the submission of requests regarding their personal data without the necessity for them to create an account. However, if a consumer already has an account with your business, you are encouraged to facilitate the submission of requests through that account.
It is also important to acknowledge that parents and legal guardians have the right to submit requests on behalf of their children, ensuring their privacy is protected under the act.
Upon receiving a consumer request, your business is obligated to respond within 45 days.
This timeframe may be extended under specific circumstances, provided that the consumer is notified of the extension and the reasons for the delay within the initial 45-day period. Furthermore, if a consumer appeals a decision made in response to their request, your business must process the appeal and reach a conclusion within 60 days.
Business Obligations Under the MTCDPA
Businesses must:
- Obtain consent for processing personal data outside the stated purposes in their privacy policy, processing sensitive data, and selling data or performing targeted advertising to young consumers (13–16 years old).
- Comply with the Children’s Online Privacy Protection Act (COPPA) for processing children’s data.
- Provide clear privacy notices detailing the categories of personal data processed, purposes, sharing practices, contact information, and how consumers can exercise their rights.
- Conduct data protection assessments for risky processing activities.
- Recognize and honor universal opt-out signals.
See below for a more in-depth review of what this means for your business 👇
1. Consent for Data Processing
Businesses are required to obtain explicit consent from consumers for several key activities:
- Processing Personal Data Beyond Privacy Policy Purposes: If personal data is to be processed for reasons not initially disclosed in the business’s privacy policy, nor reasonably necessary to or compatible with the purposes specified in the privacy policy, explicit consent from the consumer is necessary.
- Handling Sensitive Data: Before processing sensitive data, businesses must secure explicit consent. Sensitive data includes information on racial or ethnic origin, religious beliefs, health conditions, sexual orientation, citizenship status, genetic or biometric data, children’s data, and precise geolocation.
- Targeted Advertising and Data Sales to Young Consumers: For consumers between 13 and 16 years old, businesses must obtain consent before engaging in targeted advertising or selling their data.
2. Compliance with COPPA
Businesses must ensure that their data processing practices concerning children’s data comply with the Children’s Online Privacy Protection Act (COPPA). This involves obtaining verifiable parental consent before collecting, using, or disclosing personal information from children under 13 and adhering to COPPA’s stringent requirements for protecting children’s online privacy.
3. Privacy Notices
Businesses are required to provide detailed and accessible privacy notices that include:
- Categories of Processed Data: Clearly state the types of personal data that the business processes.
- Processing Purposes: Explain the purposes for which personal data is processed.
- Data Sharing Practices: Disclose any categories of personal data shared with third parties, including the types of third parties with whom the data is shared.
- Contact Information: Offer a direct means of communication (e.g., an email address) for consumers to reach out with questions or requests regarding their data.
- Exercising Consumer Rights: Outline the processes for consumers to exercise their rights under the MTCDPA, including how to access, correct, delete their personal data, or opt out of certain processing activities.
- Appeal Process: Inform consumers about the appeal process in case their requests are denied, ensuring transparency and recourse.
4. Data Protection Assessments
For activities that present a heightened risk of harm to consumers (such as processing sensitive data, targeted advertising, and profiling), businesses must conduct and document data protection assessments. These assessments are crucial for identifying and mitigating risks to consumer privacy and data security.
5. Universal Opt-Out Recognition
Starting January 1, 2025, businesses will be required to recognize and honor universal opt-out signals from consumers electing to opt out of the sale of their personal data or targeted advertising.
This means businesses must be technologically equipped to automatically process these opt-out requests without requiring further action from consumers.
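As an added illustration (not code from the original page or from iubenda), the following server-side policy check shows how a request handler can honor a universal opt-out signal automatically and apply the consent rules from sections 1 and 2 above. It assumes the Global Privacy Control header `Sec-GPC: 1` as the signal format; the consumer record fields and the list of purposes named in the privacy notice are constructed assumptions.

```javascript
// Purposes that a universal opt-out signal covers under the MTCDPA.
const OPT_OUT_PURPOSES = new Set(["sale", "targeted_advertising"]);

// Assumed business configuration: purposes disclosed in the privacy notice.
const PRIVACY_NOTICE_PURPOSES = ["service_delivery", "sale", "targeted_advertising"];

// Case-insensitive header lookup (HTTP header names are not case-sensitive).
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// A Global Privacy Control signal is only valid when the value is exactly "1".
function hasUniversalOptOut(headers) {
  const value = getHeader(headers, "sec-gpc");
  return value !== undefined && String(value).trim() === "1";
}

// Decide whether a processing purpose is allowed for this request.
// Returns { allowed: boolean, reason: string }; checks are applied in order.
function processingDecision({ headers, consumer, purpose, sensitive = false }) {
  // 1. Universal opt-out covers sale of personal data and targeted advertising.
  if (OPT_OUT_PURPOSES.has(purpose) && hasUniversalOptOut(headers)) {
    return { allowed: false, reason: "universal opt-out signal" };
  }
  // 2. Consumers aged 13-16 must consent before sale or targeted advertising.
  if (OPT_OUT_PURPOSES.has(purpose) && consumer.age >= 13 && consumer.age <= 16
      && !consumer.consents.includes(purpose)) {
    return { allowed: false, reason: "no consent from young consumer" };
  }
  // 3. Data of children under 13 falls under COPPA: verifiable parental consent required.
  if (consumer.age < 13 && !consumer.parentalConsent) {
    return { allowed: false, reason: "COPPA parental consent missing" };
  }
  // 4. Sensitive data needs explicit consent regardless of purpose.
  if (sensitive && !consumer.consents.includes("sensitive_data")) {
    return { allowed: false, reason: "no consent for sensitive data" };
  }
  // 5. Purposes not disclosed in the privacy notice need explicit consent.
  if (!PRIVACY_NOTICE_PURPOSES.includes(purpose) && !consumer.consents.includes(purpose)) {
    return { allowed: false, reason: "purpose not covered by privacy notice" };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample: a browser sending GPC, an adult consumer, purpose "sale".
const sampleHeaders = { "Sec-GPC": "1", "User-Agent": "constructed-example" };
const sampleConsumer = { age: 34, consents: [], parentalConsent: false };
console.log(processingDecision({ headers: sampleHeaders, consumer: sampleConsumer, purpose: "sale" }));
```

The sample logs `{ allowed: false, reason: 'universal opt-out signal' }`; the same consumer without the header would be allowed, since "sale" is a disclosed purpose.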
Stay compliant with iubenda
The MTCDPA isn’t the only US privacy law you need to care about — there are others that are already being enforced.