

Montana joins the growing list of states enacting robust data privacy laws with its new Montana Consumer Data Privacy Act, a regulation set to take effect on 1st July 2024. This law represents a significant shift towards stronger consumer data protection, reflecting a global trend of heightened awareness and control over personal information.


Scope of the Law

The Montana data privacy law extends its reach to entities operating within the state and handling Montana residents’ data. It encompasses a wide range of data processing activities, setting stringent standards for data handling and consumer rights. It closely aligns with the Connecticut Data Privacy Law. There is at present, or is likely to be in the near future, a Federal Data Privacy Law.


Definitions of Personal and Sensitive Personal Data

Under this law, ‘Personal Data’ is broadly defined to include any information that can be directly or indirectly linked to an individual.

Sensitive Data / Sensitive Personal Information Definition

Sensitive data, also known as sensitive personal information, encompasses distinct categories of personal data that pose a higher risk of harm if mishandled. These categories are particularly sensitive due to their intimate nature or the potential for misuse. They include information that discloses:

  1. An individual’s racial or ethnic background.
  2. Religious or philosophical beliefs.
  3. Mental or physical health status, including any medical diagnoses.
  4. Details regarding a person’s sexual orientation or sexual life.
  5. Citizenship or immigration status.
  6. Processing of genetic or biometric data used to uniquely identify a person.
  7. Personal information obtained from children under the age of 13.
  8. Exact geolocation data, pinpointing a location to within 1,750 feet (approximately 533.4 meters).


Definition of Consent under the Law

Consent is a cornerstone of the Montana law. It is defined as a clear, affirmative act signifying agreement to data processing. This approach prioritises explicit, informed consent, ensuring individuals understand and agree to how their data is used.


Definition of Data Controllers and Data Processors and Their Obligations

Data Controllers are entities that determine the purposes and means of processing personal data, while Data Processors are those who process data on behalf of controllers. Both have specific obligations under the law, with controllers bearing the primary responsibility for data protection and processors required to act in accordance with the controllers’ directives and legal requirements.


Explanation of the Definition of the Sale of Personal Data

The sale of personal data under the Montana law is defined as exchanging personal information for monetary or other valuable considerations. This broad definition requires organisations to carefully assess their data-sharing practices to ensure compliance.


Definition of Targeted Advertising

Targeted advertising is another critical aspect of the law. It refers to displaying advertisements to individuals based on their personal data obtained from their activity over time and across different websites or services.


Who Has to Comply with the Privacy Law

The law applies to businesses that meet certain thresholds, such as the amount of data processed or revenue generated. It’s not limited to companies based in Montana but includes any organisation processing data of Montana residents, making its reach both broad and impactful.


Consumers’ Data Protection Rights 

Under the new data protection legislation, consumers are endowed with several key rights regarding their personal information:

  1. Right to Access: This allows consumers to confirm whether a data controller is processing their personal information and, subject to certain exceptions, to access that data.
  2. Right to Correction: Consumers can request corrections to any personal information held by the controller that is inaccurate or outdated, provided the data was supplied by the consumer.
  3. Right to Deletion: This right enables consumers to have their personal data, held by the controller, deleted, though there are some exceptions to this rule.
  4. Right to Data Portability: Consumers have the right to obtain a copy of their personal data, which they have previously provided to the controller, in a format that is easily accessible and usable, with certain exceptions.
  5. Right Against Discrimination: Data controllers are prohibited from discriminating unlawfully against consumers, especially in cases where consumers exercise their rights under the law.
  6. Right to Opt-Out: Consumers can opt out of the sale of their personal data, targeted advertising, and profiling related to automated decisions that have a significant impact on them legally or in a similarly substantial manner.


Preparing and Complying with the New Law

Organisations must take proactive steps to align with Montana’s data privacy requirements. This includes conducting thorough data audits to understand what data is collected, how it’s processed, and with whom it’s shared. Additionally, updating privacy policies, implementing stronger data security measures, and ensuring transparent communication with consumers about their data rights are crucial.


Integrating the New Law into Existing Personal Data Privacy Compliance Strategies

To effectively incorporate Montana’s data privacy law into existing compliance frameworks, organisations need to evaluate their current data handling practices against the new requirements. This might involve updating data processing agreements, revising data protection impact assessments, and enhancing consumer rights protocols.


How Formiti Can Assist with Compliance

Formiti Data International Ltd, with its expertise in global data protection laws, offers a bespoke solution through its US State Privacy Service. This service is designed to help businesses navigate the complexities of state-specific data privacy regulations, including Montana’s. Utilising Formiti’s Elastic Data Privacy Framework, organisations can achieve a flexible and robust approach to compliance, adaptable to the evolving landscape of data privacy laws.



As data privacy continues to take center stage in legislative efforts globally, Montana’s new law is a testament to this trend. Organisations must adapt to these changes not as a mere legal obligation but as a commitment to protecting consumer privacy. With the support of experts like Formiti and the utilisation of comprehensive frameworks, businesses can navigate these changes efficiently, ensuring compliance and maintaining consumer trust.