30-14-2812. Data processing by controller -- limitations, MCA

Montana Code Annotated 2025

TITLE 30. TRADE AND COMMERCE

CHAPTER 14. UNFAIR TRADE PRACTICES AND CONSUMER PROTECTION

Part 28. Consumer Data Privacy Act

30-14-2812. Data processing by controller -- limitations. (1) A controller shall:

(a) limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed to the consumer;

(b) establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue; and

(c) provide an effective mechanism for a consumer to revoke the consumer's consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, on revocation of the consent, cease to process the personal data as soon as practicable, but not later than 45 days after the receipt of the request.

(2) A controller may not:

(a) except as otherwise provided in this part, process personal data for purposes that are not reasonably necessary to or compatible with the disclosed purposes for which the personal data is processed as disclosed to the consumer unless the controller obtains the consumer's consent;

(b) process sensitive data concerning a consumer without obtaining the consumer's consent or, in the case of the processing of sensitive data concerning a known child, without processing the sensitive data in accordance with the Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501, et seq.;

(c) process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against consumers;

(d) process the personal data of a consumer for the purposes of targeted advertising or sell the consumer's personal data without the consumer's consent under circumstances in which a controller has actual knowledge or willfully disregards that the consumer is at least 13 years of age but younger than 16 years of age; or

(e) discriminate against a consumer for exercising any of the consumer rights contained in this part, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer.

(3) Nothing in subsection (1) or (2) may be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised their right to opt out pursuant to this part or the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

(4) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the processing in its privacy notice and provide access to a clear and conspicuous method outside the privacy notice for a consumer to opt out of the sale or processing. This method may include but is not limited to an internet hyperlink clearly labeled "your opt-out rights" or "your privacy rights" that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request.

(5) A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

(a) the categories of personal data processed by the controller;

(b) the purpose for processing personal data;

(c) the categories of personal data that the controller sells to or shares with third parties, if any;

(d) the categories of third parties, if any, with which the controller sells or shares personal data; and

(e) an active e-mail address or other mechanism that the consumer may use to contact the controller;

(f) an explanation of the rights provided by 30-14-2808(1) and how consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision regarding the consumer's request; and

(g) the date the privacy notice was last updated.

(6) The privacy notice must be made available to the public in each language in which the controller provides a product or service that is subject to the privacy notice or carries out activities related to the product or service.

(7) The controller shall provide the privacy notice in a manner that is reasonably accessible to and usable by individuals with disabilities.

(8) Whenever a controller makes a material change to the controller's privacy notice or practices, the controller shall notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy. The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship.

(9) A controller is not required to provide a separate Montana-specific privacy notice or section of a privacy notice if the controller's general privacy notice contains all of the information required by this section.

(10) The privacy notice must be posted online through a conspicuous hyperlink using the word "privacy" on the controller's website homepage or on a mobile device's application store page or download page. A controller that maintains an application on a mobile device or other device shall also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail.

(11) (a) A controller shall establish and describe in a privacy notice one or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to this part considering the ways in which consumers normally interact with the controller, the need for secure and reliable communication of consumer requests, and the ability of the controller to verify the identity of the consumer making the request.

(b) A controller may not require a consumer to create a new account to exercise consumer rights but may require a consumer to use an existing account.

History: En. Sec. 7, Ch. 681, L. 2023; amd. Sec. 6, Ch. 567, L. 2025.