Law: Consumer Data Privacy Act (CDPA)

Regulator: The Montana Attorney General (AG)

Summary: The Montana AG signed Senate Bill No. 384 for An Act Establishing the CDPA on May 18, 2023, which will enter into effect October 1, 2024. The CDPA introduces obligations for controllers, including the obligation to implement administrative, technical, and physical data security practices, limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to its purposes, and conduct Data Protection Assessments.

The CDPA also requires a contract between controllers and processors to govern procedures performed on the controller's behalf. Additionally, the CDPA provides for data subject rights, including the right to confirm whether a controller is processing their personal data, access, correct, delete, and obtain a copy of such personal data, as well as the right to opt-out of certain processing activities. Furthermore, the CDPA provides the AG with enforcement powers, but does not provide a private right of action.

In addition, the State has its own data breach requirements under §30-14-1704 of Part 17 of Chapter 14 of Title 30 of the Montana Code Annotated 2017, which require, among other things, that a person or business must disclose any breach of the security of the data system following discovery or notification of the breach. Moreover, the Attorney General's Office of Consumer Protection needs to be simultaneously notified alongside individuals in the event of a personal data breach.