USA - Montana: Sectoral Exceptions Regulated by Other Laws

Sectoral exceptions in the Montana Consumer Data Privacy Act (MCDPA) aim to avoid duplicative regulation by exempting entities and data types already subject to data protection standards under other federal or sectoral laws, so that industries such as healthcare, finance, and education are not burdened with overlapping compliance requirements. The exemptions come in two forms, and the distinction matters for scoping a compliance program: the exemptions in Sec.4(1) are entity-level (the entity is outside sections 1 through 12 altogether), whereas the exemptions in Sec.4(2) are data-level (only the listed information is exempt, and any other personal data the same entity handles remains subject to the Act).

Text of Relevant Provisions

MCDPA Sec.4(2)(m):

"(2) Information and data exempt from [sections 1 through 12] include: (m) personal data regulated by the Family Educational Rights and Privacy Act of 1974, 20 U.S.C. 1232g, et seq., as amended;"

MCDPA Sec.4(2)(f):

"(2) Information and data exempt from [sections 1 through 12] include: (f) information and documents created for the purposes of the Health Care Quality Improvement Act of 1986, 42 U.S.C. 11101, et seq.;"

MCDPA Sec.4(2)(l):

"(2) Information and data exempt from [sections 1 through 12] include: (l) personal data collected, processed, sold, or disclosed in compliance with the Driver's Privacy Protection Act of 1994, 18 U.S.C. 2721, et seq., as amended;"

MCDPA Sec.4(2)(p):

"(2) Information and data exempt from [sections 1 through 12] include: (p) personal data collected, processed, sold, or disclosed in relation to price, route, or service, as these terms are used in the Airline Deregulation Act of 1978, 49 U.S.C. 40101, et seq., as amended, by an air carrier subject to the Airline Deregulation Act of 1978, to the extent [sections 1 through 12] are preempted by the Airline Deregulation Act of 1978, 49 U.S.C. 41713, as amended."

MCDPA Sec.4(1)(d):

"(1) [Sections 1 through 12] do not apply to any: (d) national securities association that is registered under 15 U.S.C. 78o-3 of the federal Securities Exchange Act of 1934, as amended;"

MCDPA Sec.4(1)(e):

"(1) [Sections 1 through 12] do not apply to any: (e) financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with, Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801, et seq.;"

MCDPA Sec.4(2)(k):

"(2) Information and data exempt from [sections 1 through 12] include: (k) the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. 1681, as amended;"

MCDPA Sec.4(2)(n):

"(2) Information and data exempt from [sections 1 through 12] include: (n) personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act of 1993, 12 U.S.C. 2001, et seq., as amended;"

MCDPA Sec.4(2)(j):

"(2) Information and data exempt from [sections 1 through 12] include: (j) information used for public health activities and purposes as authorized by the federal Health Insurance Portability and Accountability Act of 1996, community health activities, and population health activities;"

MCDPA Sec.4(2)(i):

"(2) Information and data exempt from [sections 1 through 12] include: (i) information originating from and intermingled to be indistinguishable with or information treated in the same manner as information exempt under this subsection (2) that is maintained by a covered entity or business associate as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996, 45 CFR 160.103, or a program or qualified service organization, as specified in 42 U.S.C. 290dd-2, as amended;"

MCDPA Sec.4(2)(h)(ii):

"(2) Information and data exempt from [sections 1 through 12] include: (h) information derived from any of the health care-related information listed in this subsection (2) that is: (ii) included in a limited data set as described in 45 CFR 164.514(e), to the extent that the information is used, disclosed, and maintained in a manner specified in 45 CFR 164.514(e)."

MCDPA Sec.4(2)(h)(i):

"(2) Information and data exempt from [sections 1 through 12] include: (h) information derived from any of the health care-related information listed in this subsection (2) that is: (i) deidentified in accordance with the requirements for deidentification pursuant to the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996;"

MCDPA Sec.4(2)(g):

"(2) Information and data exempt from [sections 1 through 12] include: (g) patient safety work products for the purposes of the Patient Safety and Quality Improvement Act of 2005, 42 U.S.C. 299b-21, et seq., as amended;"

MCDPA Sec.4(2)(d):

"(2) Information and data exempt from [sections 1 through 12] include: (d) identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonisation of technical requirements for pharmaceuticals for human use;"

MCDPA Sec.4(2)(c):

"(2) Information and data exempt from [sections 1 through 12] include: (c) identifiable private information for the purposes of the federal policy for the protection of human subjects of 1991, 45 CFR, part 46;"

MCDPA Sec.4(2)(b):

"(2) Information and data exempt from [sections 1 through 12] include: (b) patient-identifying information for the purposes of 42 U.S.C. 290dd-2;"

MCDPA Sec.4(2)(a):

"(2) Information and data exempt from [sections 1 through 12] include: (a) protected health information under the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996;"

MCDPA Sec.4(1)(f):

"(1) [Sections 1 through 12] do not apply to any: (f) covered entity or business associate as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996, 45 CFR 160.103."

Analysis of Provisions

Financial Institutions (MCDPA Sec.4(1)(e))

"(1) [Sections 1 through 12] do not apply to any: (e) financial institution or an affiliate of a financial institution governed by, or personal data collected, processed, sold, or disclosed in accordance with, Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801, et seq.;"

This provision has two prongs. The first is entity-level: a financial institution, or an affiliate of one, governed by Title V of the Gramm-Leach-Bliley Act (GLBA) is outside the Act entirely. The second is data-level: personal data collected, processed, sold, or disclosed in accordance with GLBA Title V is exempt whoever holds it. GLBA Title V already imposes requirements on these entities for protecting and limiting the sharing of non-public personal information, so the exemption lets financial institutions adhere to a single federal framework rather than conflicting or duplicative state rules.

Healthcare Entities (MCDPA Sec.4(1)(f))

"(1) [Sections 1 through 12] do not apply to any: (f) covered entity or business associate as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996, 45 CFR 160.103."

This provision is an entity-level exemption: covered entities and business associates, as defined at 45 CFR 160.103, are outside the Act regardless of what data they hold. HIPAA already sets standards for the privacy, security, and breach notification of health information, so these entities comply with HIPAA without facing additional state requirements that could conflict with it. It is complemented by the data-level exemptions in Sec.4(2)(a) through (j), which separately exempt categories of health-related information (protected health information, substance use treatment records under 42 U.S.C. 290dd-2, human subjects research data, patient safety work product, deidentified data, and limited data sets) together with information that has been intermingled with or treated in the same manner as such exempt information.

Educational Data (MCDPA Sec.4(2)(m))

"Information and data exempt from [sections 1 through 12] include: (m) personal data regulated by the Family Educational Rights and Privacy Act of 1974, 20 U.S.C. 1232g, et seq., as amended;"

This provision exempts personal data regulated by FERPA, which protects the privacy of student education records. FERPA imposes specific obligations on educational institutions regarding access to and disclosure of student information, thus precluding the need for additional state-level regulation. Because this is a data-level exemption, personal data an educational institution holds that is not regulated by FERPA is not covered by it.

Consumer Reporting (MCDPA Sec.4(2)(k))

"Information and data exempt from [sections 1 through 12] include: (k) the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. 1681, as amended;"

This provision exempts activities regulated by the Fair Credit Reporting Act (FCRA), which governs the collection and use of consumer report information. The exemption is scoped to the activity, not the organization: it applies to consumer reporting agencies, furnishers, and users "only to the extent that the activity is regulated by and authorized under" FCRA, so processing by those same entities that falls outside FCRA remains subject to the Act. Within FCRA's scope, these entities comply with the federal standard without overlapping state requirements.

Public Health and Research Data (MCDPA Sec.4(2)(j) and Sec.4(2)(d))

"Information and data exempt from [sections 1 through 12] include: (j) information used for public health activities and purposes as authorized by the federal Health Insurance Portability and Accountability Act of 1996, community health activities, and population health activities;"

"Information and data exempt from [sections 1 through 12] include: (d) identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonisation of technical requirements for pharmaceuticals for human use;"

These provisions exempt data used in public health, community health, and population health activities, and identifiable private information collected in human subjects research under the ICH good clinical practice guidelines (the related exemption in Sec.4(2)(c) covers research under the federal Common Rule, 45 CFR part 46). HIPAA, the Common Rule, and the ICH guidelines already impose standards on the handling of such data, so exempting it avoids duplication and potential conflicts with state regulation.

Implications

For Financial Institutions:

  • Streamlined Compliance: Financial institutions can focus on compliance with GLBA without the additional complexity of state regulations.
  • Operational Efficiency: Simplifies regulatory requirements, reducing the administrative burden and risk of non-compliance.

For Healthcare Entities:

  • Unified Regulatory Framework: Ensures that healthcare providers and associates comply with a single set of federal regulations (HIPAA), avoiding state-level conflicts.
  • Reduced Administrative Overhead: Eliminates the need to reconcile different regulatory requirements, streamlining data protection practices.

For Educational Institutions:

  • FERPA Compliance: Educational institutions continue to follow FERPA guidelines without additional state-level data protection mandates.
  • Clear Regulatory Obligations: Maintains clarity in data protection responsibilities, ensuring consistent application of privacy standards.

For Consumer Reporting Agencies:

  • Adherence to FCRA: Consumer reporting agencies and related entities remain compliant with FCRA, avoiding conflicting state regulations.
  • Focus on Federal Standards: Ensures robust protection of consumer credit information under a comprehensive federal framework.

For Public Health and Research Entities:

  • Consistent Data Protection: Entities engaged in public health and research activities follow established federal regulations (HIPAA, federal research guidelines), ensuring consistent data protection practices.
  • Avoidance of Duplicative Regulations: Reduces regulatory burden by exempting data already governed by strict federal standards, facilitating efficient data use and protection.

These sectoral exemptions provide clarity and efficiency in regulatory compliance, allowing entities to focus on the federal standards that already govern them without the added complexity of state-specific requirements. For organizations relying on them, the practical check is whether the exemption claimed is entity-level (Sec.4(1)) or data-level (Sec.4(2)); in the latter case, personal data outside the exempted category remains subject to the Act.
