30-14-2811. Duties of controllers -- duty of care -- rebuttable presumption, MCA
  1. MCA Contents
  2. TITLE 30
  3. CHAPTER 14
  4. Part 28
  5. 30-14-2811 Duties of controllers -- duty of care -- rebuttable presumption

Montana Code Annotated 2025

TITLE 30. TRADE AND COMMERCE

CHAPTER 14. UNFAIR TRADE PRACTICES AND CONSUMER PROTECTION

Part 28. Consumer Data Privacy Act

Duties Of Controllers -- Duty Of Care -- Rebuttable Presumption

30-14-2811. Duties of controllers -- duty of care -- rebuttable presumption. (1) (a) A controller that offers an online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor shall use reasonable care to avoid a heightened risk of harm to minors caused by the online service, product, or feature.

(b) In an enforcement action brought by the attorney general pursuant to 30-14-2817, there is a rebuttable presumption that a controller used reasonable care as required under this section if the controller complied with this section.

(2) Unless a controller has obtained consent in accordance with subsection (3), a controller that offers an online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor may not:

(a) process a minor's personal data:

(i) for the purposes of:

(A) targeted advertising;

(B) the sale of personal data; or

(C) profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer;

(ii) for any processing purpose other than the processing purpose that the controller disclosed at the time the controller collected the minor's personal data or that is reasonably necessary for and compatible with the processing purpose that the controller disclosed at the time the controller collected the minor's personal data; or

(iii) for longer than is reasonably necessary to provide the online service, product, or feature;

(b) use a system design feature to significantly increase, sustain, or extend a minor's use of the online service, product, or feature; or

(c) collect a minor's precise geolocation data unless:

(i) the minor's precise geolocation data is reasonably necessary for the controller to provide the online service, product, or feature;

(ii) the controller only collects and retains the minor's precise geolocation data for the time necessary to provide the online service, product, or feature; and

(iii) the controller provides to the minor a signal indicating that the controller is collecting the minor's precise geolocation data and makes the signal available to the minor for the entire duration of the collection of the minor's precise geolocation data. This subsection (2)(c)(iii) does not apply to a service or application that is used by and under the direction of a ski area operator.

(3) (a) A controller may not engage in the activities described in subsection (2) unless the controller obtains:

(i) the minor's consent; or

(ii) if the minor is a child, the consent of the minor's parent or legal guardian. A controller that complies with the verifiable parental consent requirements established in the Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501, et seq., as amended, and the regulations, rules, guidance, and exemptions adopted pursuant to this act, as amended, is considered to have satisfied any requirement to obtain parental consent under this subsection (3)(a)(ii).

(b) (i) A controller that offers an online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor may not:

(A) provide a consent mechanism that is designed to substantially subvert or impair or is manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice; or

(B) except as provided in subsection (3)(b)(ii), offer a direct messaging apparatus for use by a minor without providing readily accessible and easy-to-use safeguards to limit the ability of an adult to send unsolicited communications to the minor with whom the adult is not connected.

(ii) Subsection (3)(b)(i)(B) does not apply to an online service, product, or feature of which the predominant or exclusive function is:

(A) electronic mail; or

(B) direct messaging consisting of text, photos, or videos that are sent between devices by electronic means in which messages are:

(I) shared between the sender and the recipient;

(II) only visible to the sender and the recipient; and

(III) not posted publicly.

(4) Subsections (2)(a) and (2)(b) do not apply to a service or application that is used by and under the direction of an educational entity, including a learning management system or a student engagement program.

History: En. Sec. 9, Ch. 567, L. 2025.