June 7, 2023

Volume XIII, Number 158



Montana Governor Signs Big Sky’s Privacy Law

Montana now joins a growing list of states to have a comprehensive privacy law. The law was signed by the governor on May 19, 2023 and will go into effect October 24, 2024. This is before Iowa (effective January 1, 2025) and Indiana (effective January 1, 2026), both of which pre-dated it in passage.

The law will apply to those that do business in Montana and either: (1) control or process personal data of at least 50,000 state residents; or (2) derive over 25% of gross revenue from the sale of personal data and control or process personal data of 25,000 or more state residents. As with other laws (outside of California), Montana has a long list of exemptions, including entities covered by HIPAA or GLBA. It also does not cover employee information. Key provisions include:

  • Notice. Like other state laws, a company must tell consumers the categories of data it processes, the purpose, categories of data being sold or shared, and provide consumers with information about exercising their consumer rights.

  • Consumer Rights. Montana provides rights similar to those we’ve seen under other state privacy laws, namely rights of access, correction, deletion, and portability. Like the new Tennessee law, companies need only provide portability to information the consumer provided. Consumers can have agents make rights requests on their behalf. Companies must respond to these rights requests within 45 days (extendable by 45 days). Companies also have to let consumers opt out of sale of personal data, targeted advertising and profiling. “Sale” includes “other valuable consideration” and not just a monetary exchange (as is the case in California, Connecticut, and Tennessee). Montana will also require that companies recognize opt-out preference signals (mirroring California, Colorado, and Connecticut).

  • Sensitive Personal Data. Businesses in Montana must obtain consent before processing consumers’ sensitive information, just like they do in Colorado, Connecticut, and Virginia. Sensitive information is defined as data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person’s sex life, sexual orientation, citizenship or immigration status. It also includes genetic or biometric data, precise geolocation information, and information about children.

  • Contracts. Like most other states, Montana will require contractual obligations that ensure privacy and technical safeguards are in place to protect consumer information.

  • Enforcement. There is no private right of action under the law or specific statutory damages. Before the attorney general can initiate an action, it must give companies written notice and 60 days to cure the violation. This cure period will sunset April 1, 2026 (the sunsetting provision is similar to that of Colorado, but unlike Indiana, where the cure period does not sunset).

Putting It Into Practice: Companies now have another state’s law to add to their list for provision of privacy rights and to address from a contractual standpoint. The threshold for applicability is lower in Montana than in other states, something to keep in mind prior to the October 2024 effective date.

Kathryn Smith also contributed to this article. 

Copyright © 2023, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XIII, Number 144

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...