Montana Code Annotated 2023

TITLE 30. TRADE AND COMMERCE

CHAPTER 14. UNFAIR TRADE PRACTICES AND CONSUMER PROTECTION

Part 28. Consumer Data Privacy Act

Data Processing By Controller -- Limitations

30-14-2812. (Effective October 1, 2024) Data processing by controller -- limitations. (1) A controller shall:

(a) limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed to the consumer;

(b) establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue; and

(c) provide an effective mechanism for a consumer to revoke the consumer's consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, on revocation of the consent, cease to process the personal data as soon as practicable, but not later than 45 days after the receipt of the request.

(2) A controller may not:

(a) except as otherwise provided in this part, process personal data for purposes that are not reasonably necessary to or compatible with the disclosed purposes for which the personal data is processed as disclosed to the consumer unless the controller obtains the consumer's consent;

(b) process sensitive data concerning a consumer without obtaining the consumer's consent or, in the case of the processing of sensitive data concerning a known child, without processing the sensitive data in accordance with the Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501, et seq.;

(c) process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against consumers;

(d) process the personal data of a consumer for the purposes of targeted advertising or sell the consumer's personal data without the consumer's consent under circumstances in which a controller has actual knowledge that the consumer is at least 13 years of age but younger than 16 years of age; or

(e) discriminate against a consumer for exercising any of the consumer rights contained in this part, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer.

(3) Nothing in subsection (1) or (2) may be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised their right to opt out pursuant to this part or the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

(4) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the processing, as well as the way a consumer may exercise the right to opt out of the processing.

(5) A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

(a) the categories of personal data processed by the controller;

(b) the purpose for processing personal data;

(c) the categories of personal data that the controller shares with third parties, if any;

(d) the categories of third parties, if any, with which the controller shares personal data; and

(e) an active e-mail address or other mechanism that the consumer may use to contact the controller; and

(f) how consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision regarding the consumer's request.

(6) (a) A controller shall establish and describe in a privacy notice one or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to this part considering the ways in which consumers normally interact with the controller, the need for secure and reliable communication of consumer requests, and the ability of the controller to verify the identity of the consumer making the request.

(b) A controller may not require a consumer to create a new account to exercise consumer rights but may require a consumer to use an existing account.

History: En. Sec. 7, Ch. 681, L. 2023.