Applicability of Data Protection Law in Montana to Organizations Doing Business in the Jurisdiction

The factor of "doing business in the jurisdiction" is used in the Montana Consumer Data Privacy Act (MCDPA) to define the scope of applicability. This factor ensures that organizations with a commercial presence or targeting products and services to residents in Montana are subject to the state's data protection regulations.

Text of Relevant Provisions

MCDPA Sec.3(1):

"The provisions of [sections 1 through 12] apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and: (1) control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data."

Analysis of Provisions

The Montana Consumer Data Privacy Act (MCDPA) extends its applicability to entities based on their commercial activities within the state. Section 3(1) sets forth specific conditions under which the law applies:

• Commercial Presence: The MCDPA applies to any person or entity that "conducts business in this state" or "produces products or services that are targeted to residents of this state." This broad definition ensures that any entity with significant commercial activities in Montana falls within the scope of the law.
• Data Processing and Revenue Thresholds: The provision specifies that the law applies to entities that:
  • Control or process the personal data of not less than 50,000 consumers, excluding data controlled or processed solely for completing a payment transaction.
  • Control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

These criteria are intended to focus the law's applicability on entities with significant data processing activities, ensuring that smaller entities are not unduly burdened while still protecting a substantial number of consumers.

The inclusion of this factor reflects a legislative intent to safeguard the privacy of Montana residents by regulating entities that either have a significant operational presence in the state or actively target Montana residents with their products or services. This ensures that consumer data is protected regardless of whether the data processing occurs within or outside state boundaries.

Implications

For Businesses and Data Processors:

• Extended Compliance: Entities operating or targeting residents in Montana must comply with the MCDPA if they meet the specified criteria. This includes adhering to data protection standards and implementing appropriate measures for consumer data protection.
• Regulatory Oversight: The Montana Attorney General's office is responsible for enforcing compliance with the MCDPA, ensuring that businesses adhere to the stipulated data protection requirements.
• Case Examples:
  • A national retailer with a significant number of customers in Montana must comply with the MCDPA if it processes or sells personal data of residents.
  • An online service provider targeting Montana residents and engaging in the sale of personal data must comply with the MCDPA.
• Compliance Challenges: Businesses must navigate the complexities of the MCDPA, including updating privacy policies, implementing data subject rights, and ensuring data security measures are in place.

By defining "persons that conduct business in this state" and targeting products or services to residents, the Montana Consumer Data Privacy Act ensures robust consumer privacy protections for residents, extending its reach to both local and out-of-state entities that engage significantly with Montana consumers.