30-14-2819. Data protection assessments for heightened risk of harm to minors, MCA
  1. MCA Contents
  2. TITLE 30
  3. CHAPTER 14
  4. Part 28
  5. 30-14-2819 Data protection assessments for heightened risk of harm to minors

Montana Code Annotated 2025

TITLE 30. TRADE AND COMMERCE

CHAPTER 14. UNFAIR TRADE PRACTICES AND CONSUMER PROTECTION

Part 28. Consumer Data Privacy Act

Data Protection Assessments For Heightened Risk Of Harm To Minors

30-14-2819. Data protection assessments for heightened risk of harm to minors. (1) A controller that, on or after October 1, 2025, offers an online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor shall conduct a data protection assessment for the online service, product, or feature if there is a heightened risk of harm to minors. The controller shall conduct the data protection assessment:

(a) in a manner that is consistent with the requirements established in 30-14-2814; and

(b) to address:

(i) the purpose of the online service, product, or feature;

(ii) the categories of a minor's personal data that the online service, product, or feature processes;

(iii) the purposes for which the controller processes a minor's personal data with respect to the online service, product, or feature; and

(iv) a heightened risk of harm to minors that is a reasonably foreseeable result of offering the online service, product, or feature to minors.

(2) A controller that conducts a data protection assessment pursuant to subsection (1) shall:

(a) review the data protection assessment as necessary to account for a material change to the processing operations of the online service, product, or feature that is the subject of the data protection assessment; and

(b) maintain documentation concerning the data protection assessment for the longer of:

(i) 3 years after the date on which the processing operations cease; or

(ii) the date the controller ceases offering the online service, product, or feature.

(3) A single data protection assessment may address a comparable set of processing operations that include similar activities.

(4) If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment is considered to satisfy the requirements established in this section if the data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section.

(5) If a controller conducts a data protection assessment pursuant to subsection (1) or a data protection assessment review pursuant to subsection (2)(a) and determines that the online service, product, or feature that is the subject of the assessment poses a heightened risk of harm to minors, the controller shall establish and implement a plan to mitigate or eliminate the heightened risk.

(6) (a) A data protection assessment conducted pursuant to this section:

(i) is confidential, except as provided in subsection (6)(b); and

(ii) is not a public record and is exempt from public inspection and copying under the Freedom of Information Act, 5 U.S.C. 552.

(b) (i) A controller shall make a data protection assessment conducted pursuant to this section available to the attorney general on request. The attorney general may evaluate the data protection assessment for compliance with this section and with other laws.

(ii) The disclosure of a data protection assessment pursuant to a request from the attorney general does not constitute a waiver of any attorney-client privilege or work-product protection that might otherwise exist with respect to the assessment and any information in the assessment.

(7) Data protection assessment requirements apply to processing activities created or generated after October 1, 2025, and are not retroactive.

History: En. Sec. 11, Ch. 567, L. 2025.