The US has five new state privacy laws this year, plus a sixth (Iowa) taking effect in 2025. Several other privacy bills are awaiting signatures from their state governors.
The Montana Consumer Data Privacy Act (SB 384) is among these nearly-enacted bills, and the law will majorly impact many businesses operating in the state.
We’ll explore how the law applies, its key definitions, and the new obligations for businesses operating in Montana.
SB 384 applies to any company targeting Montana consumers that either:
- Annually controls or processes personal data about at least 50,000 Montana residents, excluding personal data “processed solely for the purpose of completing a payment transaction”, or
- Annually controls or processes personal data about at least 25,000 Montana residents and derives over 25% of gross revenue from the sale of personal data.
This is seemingly a relatively low application threshold compared to other state privacy laws, which generally apply to businesses processing over 100,000 consumers but do not exclude processing for the purposes of completing a payment transaction.
Exemptions apply, including to:
- Public bodies.
- Financial institutions regulated by the Gramm-Leach-Bliley Act.
SB 384 also exempts the processing of personal data covered by the Health Insurance Portability and Accountability Act (HIPAA) and various other health-related laws and regulations.
Some key definitions in the SB 384 include:
- Personal data: Information that is “linked or reasonably linkable to an identified or identifiable individual”, excluding “deidentified data or publicly available information”,
- Processing: Any operation performed on personal data, including its “collection, use, storage, disclosure, analysis, deletion, or modification”.
- Controller: An individual or legal entity that “determines the purpose and means of processing personal data”.
- Processor: A person or organization that processes personal data on behalf of a controller.
SB 384 also defines “sensitive data”, which includes:
- Personal data revealing:
- Racial or ethnic origin.
- Religious beliefs.
- Mental or physical health diagnosis.
- Information about a person’s sex life or sexual orientation.
- Citizenship or immigration status.
- Biometric or genetic data processed for the purpose of identifying an individual.
- Personal data collected from a known child.
- Precise geolocation data.
Selling Personal Data, Targeted Advertising
Like several US state laws, SB 384 regulates the “sale” of personal data, which means “the exchange of personal data for monetary or other valuable consideration by the controller to a third party”.
A “sale” does not include the disclosure of personal data:
- To a processor.
- To a third party for the purposes of providing a product or service requested by the consumer.
- To an affiliate of the controller.
- At the direction of the consumer.
- Where the consumer:
- Intentionally made the personal data public via mass media, and
- Did not restrict the disclosure to a restricted audience.
- As part of an acquisition, merger, or bankruptcy.
SB 384 also regulates “targeted advertising”, defined as displaying an advertisement to a consumer when the following conditions are met:
- The advertisement is selected based on personal data.
- The personal data is obtained from the consumer’s activities over time and across nonaffiliated websites or online applications.
- The personal data is obtained to predict the consumer’s preferences or interests.
The definition excludes “first-party” ads based on personal data collected via the controller’s own properties, contextual ads, and ad-measurement.
SB 384 provinces consumers with several rights over their personal data, including the right to:
- Confirm whether a controller is processing the consumer’s personal data.
- Access their personal data.
- Correct inaccuracies in their personal data.
- Delete their personal data.
- Obtain a copy of personal data that the consumer provided to the controller in a portable, machine-readable format.
- Opt out of:
- The sale of their personal data.
- Targeted advertising.
- Profiling “in furtherance of decisions that produce legal or similarly significant effects”.
Controllers must respond to a request by a consumer to exercise these rightsr “without undue delay” and within 45 days, with a 45-day extension available when reasonably necessary.
Consumers can make a request once every 12 months, and controllers must not charge a fee—unless the request is manifestly unfounded, technically infeasible, excessive, or repetitive, in which case the controller can charge a fee to cover the administrative costs.
Controllers must make “commercially reasonable efforts” to verify a consumer’s identity.
If a customer is not satisfied with the response from a controller, they can appeal. The controller is required to respond to the appeal within 60 days, stating their reasoning for the decision. If the customer is still not satisfied, they have the right to file a complaint with the Attorney General.
Obligations on Controllers
SB 384 sets out several positive obligations on controllers, including to:
- Limit the collection of personal data to what is “adequate, relevant and reasonably necessary in relation to a specified purpose”.
- Put in place administrative, technical and physical measures to ensure the security of personal data, in terms of its confidentiality, integrity, and accessibility.
- Put in place a mechanism that enables consumers to withdraw consent and stop processing personal data within 45 days of a consumer revoking consent.
There are also some negative obligations on controllers, including to:
- Not process personal data for reasons that are not reasonably necessary to or compatible with a specific purpose without consent.
- Not process sensitive data without consent.
- Only process children’s personal data in compliance with the Children’s Online Privacy Protection Act (COPPA).
Controllers must maintain a “reasonably accessible, clear, and meaningful privacy notice“ that discloses:
- The categories of personal data processed by the controller.
- The purposes for processing personal data.
- The categories of personal data the controller shares with third parties, if any.
- An active contact email address for the controller.
- How consumers may exercise their consumer rights and appeal.
- The categories of third parties with whom the controller shares personal data, if any.
Obligations on Processors
Processors must also help controllers facilitate consumer rights requests and must notify controllers of security breaches.
A controller may only engage a processor subject to a written agreement that contains:
- Instructions for the processing of personal data.
- The nature and purpose of the processing.
- The types of data
- The duration of the processing.
- The rights and obligations of the controller and processor.
- A section that requires the processor to:
- Bind anyone processing personal data to a duty of confidentiality.
- Delete or return all personal data to the controller as requested at the end of the contract, if allowed by law.
- Provide the controller with any necessary information to demonstrate the processor’s SB 384 compliance.
- Allow reasonable assessments (audits) by the controller, or arrange an independent audit and provide a report on request.
- Only engage subcontractors under a written contract with the same terms as above.
Data Protection Assessments
Controllers must conduct a Data Protection Impact Assessment before engaging in certain activities, including:
- Targeted advertising.
- Selling personal data.
- Certain profiling activities that could result in risk, injury, or intrusion.
- Processing sensitive data.
- Any other processing that presents “a heightened risk of harm to consumers”.
A Data Protection Impact Assessment must identify and weigh:
- The benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public, against
- The potential risks to the rights of the consumer, taking safeguards into account.
The Attorney General can demand access to a copy of a Data Protection Impact Assessment.
Montana hands enforcement of SB 384 exclusively to the state’s Attorney General, who must provide controllers or processors suspected of violating the law with a 60-day notice period. If the controller can “cure” the violation within this period, it will not face enforcement action.