Montana Jurisdiction: Revenue-Based Applicability in the Montana Consumer Data Privacy Act

The Montana Consumer Data Privacy Act (MCDPA) includes a revenue-based applicability criterion that extends the law's scope to businesses whose financial operations are significantly tied to the sale of personal data.

Text of Relevant Provisions

MCDPA Sec.3(1)(2):

"The provisions of [sections 1 through 12] apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and: (2) control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data."

Analysis of Provisions

• MCDPA Sec.3(1)(2) specifies that the Montana Consumer Data Privacy Act applies to any entity that controls or processes the personal data of at least 25,000 consumers and derives more than 25% of its gross revenue from the sale of personal data. This threshold ensures that the law targets businesses that engage in significant data processing activities, particularly those that monetize consumer data as a substantial part of their business model.
• The 25,000 consumer threshold indicates that the law applies to businesses with a considerable reach within the state, ensuring that even medium-sized enterprises engaged in data sales are subject to the MCDPA's requirements. The 25% revenue threshold further narrows the scope to companies whose business models are heavily reliant on data sales, thereby focusing regulatory efforts on entities that pose a higher risk to consumer privacy.

Implications

• Businesses operating in Montana that meet these thresholds must comply with the MCDPA, which includes obligations such as data subject rights, transparency, and data security requirements. For instance, a company that processes data for targeted advertising and derives a quarter of its income from selling consumer data would need to ensure full compliance with the Act.
• The revenue-based applicability criterion requires businesses to evaluate their revenue sources and data processing activities carefully. Companies that meet the criteria must implement compliance measures to avoid potential legal liabilities. This approach ensures that the MCDPA applies to businesses where the monetization of personal data is a significant aspect of their operations, reflecting the law's focus on protecting consumer privacy in situations of heightened risk.