Privacy Daily is a service of Warren Communications News.

Updates Will Broaden Montana's Comprehensive Privacy Law

Montana’s comprehensive privacy law will apply to more businesses and add regulations for children’s data, effective Oct. 1. Gov. Greg Gianforte (R) last week signed a bill (SB-297) amending the Montana Consumer Data Privacy Act to make those and other changes.

Also, last week, Gianforte signed SB-282, which aims to prohibit state and local governments from purchasing individuals’ private electronic communications and data without a search warrant.

Sponsored by the Montana comprehensive privacy law's author, Sen. Daniel Zolnikov (R), SB-297 also halves the comprehensive privacy law’s 60-day right to cure, while tightening its exemptions (see 2502130054). It passed both chambers of the legislature with no opposition earlier this year (see 2504140016).

Montana’s law currently applies to for-profit entities that control or process the personal data of at least 50,000 Montana consumers or control or process data of at least 25,000 consumers and derive more than 25% of revenue from selling personal data. Under the amending law, the customer thresholds will drop to 26,000 and 15,000, respectively.

No longer will the law have an entity-level exemption for those covered by the Gramm-Leach-Bliley Act, but data covered by GLBA will remain exempted. SB-297 also limits the privacy law’s nonprofit exemption to those nonprofits that fight insurance fraud. It would add an exemption for a “state or federally chartered bank or credit union or an affiliate or subsidiary that is principally engaged in financial activities.”

For kids' privacy, Montana is adopting “the Colorado/Connecticut framework on minors’ data,” Shook Hardy lawyer Josh Hansen posted Sunday on LinkedIn. “Notable measures include limiting processing without consent, requiring data protection assessments, and imposing a duty of reasonable care to avoid a heightened risk of harm.”

Starting Oct. 1, a controller that “offers an online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor shall conduct a data protection assessment for the online service, product, or feature if there is a heightened risk of harm to minors,” says SB-297. The requirement only applies to “processing activities created or generated after” Oct. 1 and is not retroactive.

SB-297 “incorporates elements of further reaching state laws into” Montana’s comprehensive privacy law “while declining to break new ground,” said Jordan Francis, Future of Privacy Forum policy counsel, in a blog post Monday. “For example, [it] adopts heightened protections for minors like those in Connecticut and Colorado as well as privacy notice requirements and a narrowed right of access like in Minnesota’s law.”