On May 19, 2023, Governor Greg Gianforte signed into law the Montana Consumer Data Privacy Act (MCDPA). With that, the number of states to adopt comprehensive data privacy statutes expanded to nine. And the regulatory headache that consumers and companies alike must endure grew by an equal measure.
Though otherwise similar to legislation passed in Virginia and Connecticut, the MCDPA forges its own path with regard to applicability. Perhaps as a reflection of Big Sky Country's relatively low population level, the MCDPA covers a wider range of businesses: those that possess the personal information of just 50,000 (rather than the more common 100,000) residents. Consequently, some smaller businesses that were exempt under other state statutes may now be on the hook for costly compliance programs.
The MCDPA establishes a familiar set of consumer rights: to know, to access, to correct, to delete, and to port collected personal data. In addition, consumers (1) can opt out of targeted advertising, data sales, and "profiling in furtherance of solely automated decisions that produce legal or similarly significant effects," and (2) must opt in before a business can make use of "sensitive" personal data.
Businesses must abide by "privacy by design" principles, which include purpose-specific constraints on data usage and an obligation to adopt reasonable security measures. They also must conduct data protection assessments before engaging in a number of activities that "present[] a heightened risk of harm to a consumer." And starting in January 2025, they must recognize browser-based universal opt-out mechanisms.
Notably, the MCDPA will go into effect on October 1, 2024, before laws recently adopted in Iowa (January 1, 2025) and Indiana (July 1, 2026).
Meanwhile, it appears likely that Texas will be next: the Texas Data Privacy and Security Act has reached Governor Greg Abbott's desk.