The Montana Legislative House has introduced the Consumer Data Privacy Act, which seeks to protect the personal data of consumers in the state. The bill, if passed, will impose notice obligations on organizations and provide for enforcement by the attorney general.


The provisions of the act apply to persons conducting business in Montana or producing products or services targeted to residents of the state. The act will cover businesses that control or process the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction or businesses that control or process the personal data of 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.


The act exempts various organizations, including bodies, authorities, boards, bureaus, commissions, districts, or agencies of Montana or any political subdivision of the state, nonprofit organizations, institutions of higher education, national securities associations under the Federal Securities Exchange Act of 1934, financial institutions or data subject to the Financial Services Modernization Act of 1999, and covered entities or business associates as defined in the privacy regulations of the Federal Health Insurance Portability and Accountability Act of 1996.

Compliance by Controller or Processor

The act allows controllers or processors to comply with federal, state, or municipal ordinances or regulations and to cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably believes may violate federal, state, or municipal ordinances or regulations. The act also permits controllers or processors to engage in public or peer-reviewed scientific or statistical research in the public interest.

De-identified Data

Any controller in possession of de-identified data must take reasonable measures to ensure that the de-identified data cannot be associated with an individual. The controller must publicly commit to maintaining and using de-identified data without attempting to re-identify the de-identified data and contractually obligate any recipients of the de-identified data to comply with all provisions of the act.

Handling Individual Rights Requests

Under the act, a consumer has the right to confirm whether a controller is processing and accessing their personal data. The consumer may also correct inaccuracies in their personal data and delete personal data about them. A consumer may obtain a copy of the consumer’s personal data previously provided by the consumer to the controller in a portable, technically feasible, and readily usable format. A consumer may opt out of the processing of the consumer’s personal data for targeted advertising, the sale of the consumer’s personal data, or profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer.

Consumers may exercise their rights by a secure and reliable means established by the controller and described to the consumer in the controller’s privacy notice. The consumer may also designate an authorized agent to exercise their rights to opt out of the processing on behalf of the consumer. A parent or legal guardian of a known child may exercise individual consumer rights on behalf of the child regarding the processing of personal data.

Privacy Notice Considerations

A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the categories of personal data processed by the controller, the purpose for processing personal data, the categories of personal data that the controller shares with third parties (if any), an active e-mail address or other mechanism that the consumer may use to contact the controller, and how consumers may exercise their consumer rights.

Data Protection Assessment

Under the act, a controller shall conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm to a consumer.


The attorney general will oversee enforcement actions. If a controller violates any provisions of the act, the attorney general will issue a notice of violation to the controller before initiating any action. The controller will then have 60 days to correct the violation from the receipt of the notice. If the controller fails to correct the violation within the specified timeframe, the attorney general may bring an action against them.

Skip to content