Applicability of Montana Consumer Data Privacy Act Based on Number of Data Subjects

The factor "Number of Data Subjects" is explicitly used in the Montana Consumer Data Privacy Act (MCDPA) to determine the scope of the law's applicability. This factor establishes thresholds for the number of consumers whose personal data is controlled or processed, impacting whether a business is subject to the MCDPA regulations.

Text of Relevant Provisions

Referenced Provision(s):

"MCDPA Sec.3(1)(1) The provisions of [sections 1 through 12] apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and: (1) control or process the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or"

"MCPDA Sec.3(1)(2) The provisions of [sections 1 through 12] apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and: (2) control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data."

Analysis of Provisions

The Montana Consumer Data Privacy Act (MCDPA) includes specific thresholds to determine the applicability of its provisions based on the number of data subjects whose personal data is controlled or processed by a business.

Breakdown and Explanation:

• MCDPA Sec.3(1)(1):
  • "control or process the personal data of not less than 50,000 consumers": This clause sets a threshold that requires a business to control or process personal data for at least 50,000 consumers within a given period (typically a calendar year) to be subject to the MCDPA.
  • "excluding personal data controlled or processed solely for the purpose of completing a payment transaction": This exclusion ensures that routine payment processing activities do not count towards the 50,000-consumer threshold. This delineates the scope to more substantive data processing activities rather than transactional data handling.
• MCDPA Sec.3(1)(2):
  • "control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data": This provision applies to businesses that control or process the personal data of at least 25,000 consumers if they also derive a significant portion (more than 25%) of their gross revenue from selling personal data. This dual criterion captures entities with substantial data processing activities and a business model reliant on data sales.

Implications

Implications for Business:

• Scope Limitation: The MCDPA’s applicability thresholds exclude smaller businesses that do not meet the 50,000 or 25,000 consumer thresholds, focusing regulatory efforts on larger entities or those heavily involved in data trading.
• Targeted Compliance: Companies approaching or exceeding these thresholds must invest in compliance infrastructure to align with the MCDPA requirements. This includes implementing robust data protection practices, consumer rights management, and transparent data handling procedures.
• Revenue Model Consideration: Businesses deriving substantial revenue from the sale of personal data (over 25% of gross revenue) are specifically targeted by Sec.3(1)(2). This means that even smaller entities with a heavy reliance on data sales must comply with the MCDPA if they meet the 25,000-consumer threshold.
• Exclusion of Payment Data: By excluding data processed solely for payment transactions, the MCDPA narrows its focus to data processing activities that have broader privacy implications, ensuring that transactional data handling does not inadvertently trigger compliance requirements.

Examples:

• Applicable: A large e-commerce platform operating in Montana that processes personal data of 60,000 consumers annually is subject to the MCDPA.
• Not Applicable: A small local retailer processing data for 20,000 consumers annually without significant revenue from data sales remains outside the scope of the MCDPA.

These thresholds ensure that the law targets entities with significant data processing activities or business models heavily dependent on data, thereby focusing regulatory oversight where it is most needed.