Privacy Daily is a service of Warren Communications News.
Shorter Right to Cure

Mont. Senator Seeks Tighter Thresholds, Closed Loopholes in Privacy Law

More companies could become subject to the Montana Consumer Data Privacy Act under changes contemplated by the original law’s sponsor. Senate Energy and Technology Chair Daniel Zolnikov (R) told Privacy Daily on Thursday he wants to slash the legislation’s applicability thresholds and tighten exemptions. Moreover, under a bill (SB-297) he filed earlier this week, Montana would also add child protections and cut in half the comprehensive privacy law’s 60-day right to cure.

Zolnikov is optimistic his updates bill will gain approval because the original privacy bill passed both chambers unanimously, he said. The Senate Judiciary Committee received the bill Wednesday and could have a hearing as soon as next week, he said. Why does Zolnikov want to update a law that just took effect in October? “Well, why not?” Other states have been passing privacy bills, “and if we’re able to clear up language and fix it, we should,” he said.

Montana’s law applies to for-profit entities that control or process personal data of at least 50,000 Montana consumers or control or process data of at least 25,000 consumers and derive more than 25% of their revenue from selling personal data. “Those numbers are pretty high, so we’re going to try to lower those to 25,000 customers and 15,000 customers,” respectively, Zolnikov told us in an interview. The proposed change to thresholds didn’t appear in the bill text online, but the senator told us he planned to add it to the legislation.

Zolnikov said he felt the original customer thresholds were too high when considering the number of customers as a percentage of Montana’s small population size. He stressed that the bill is “still reasonable” and “not anti-small business.”

Also, SB-297 would adjust various exemptions. For instance, it would exempt data rather than entities covered by the Gramm-Leach-Bliley Act. “A lot of states have an exemption for financial entities, and those have been … used as a loophole, so we’re tightening that.”

Additionally, whereas the existing law exempts all nonprofits, the new version would exempt only nonprofits fighting insurance fraud. It would add an exemption for a “state or federally chartered bank or credit union or an affiliate or subsidiary that is principally engaged in financial activities.”

Meanwhile, the bill would edit the law’s section on attorney general enforcement to halve businesses’ right to cure to 30 days. “60 days is a long time,” said Zolnikov. “30 days is more than enough time to fix a problem or [feel] the consequences.” The right to cure expires altogether on April 1, 2026, under current law.

The new kids section in SB-297 is adapted from Connecticut’s privacy law, said Zolnikov. It adds a definition of “heightened risk of harm to minors” under 18. The bill says that would mean “processing the personal data of a minor in a manner that presents a reasonably foreseeable risk that could cause” unfair or deceptive treatment or financial, physical or reputational injury, among other things. Under a proposed new section, a controller that offers online services to a consumer it “actually knows or willfully disregards is a minor shall conduct a data protection assessment for the online service, product, or feature if there is a heightened risk of harm to minors.” That requirement would take effect Oct. 1 this year.

As proposed, the amended law wouldn’t “require a controller or processor to implement an age verification or age-gating system or otherwise affirmatively collect the age of consumers, but a controller that chooses to conduct commercially reasonable age estimation to determine which consumers are minors is not liable for an erroneous age estimation.”

Also under the bill, the AG would now be required to post information about consumer rights and business obligations and to have an online mechanism for consumers to submit privacy requests. With reasonable cause, the AG could issue a civil investigative demand that could include a “request that a controller disclose any data protection assessment” relevant to the investigation.

The amendments bill would clarify that, when responding to a consumer request, controllers may not disclose sensitive information including social security, driver’s license and financial account numbers or biometric data. Controllers must “inform the consumer instead with sufficient particularity that the controller has collected this information.”

Additionally, the bill would flesh out Montana rules for privacy policies, including by requiring controllers to include the date a policy was last updated and to make it available in multiple languages and in an accessible format for people with disabilities.

“Whenever a controller makes a material change to the controller's privacy notice or practices, the controller shall notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy.”