68th Legislature 2023 SB 384.1
SENATE BILL NO. 384
INTRODUCED BY D. ZOLNIKOV, K. REGIER

A BILL FOR AN ACT ENTITLED: “AN ACT ESTABLISHING THE CONSUMER DATA PRIVACY ACT; PROVIDING DEFINITIONS; ESTABLISHING APPLICABILITY; PROVIDING FOR CONSUMER RIGHTS TO PERSONAL DATA; ESTABLISHING REQUIREMENTS AND LIMITATIONS FOR A CONTROLLER OF PERSONAL DATA; ESTABLISHING REQUIREMENTS AND LIMITATIONS FOR A PROCESSOR OF PERSONAL DATA; PROVIDING FOR DATA PROTECTION ASSESSMENTS; PROVIDING EXEMPTIONS AND COMPLIANCE REQUIREMENTS; PROVIDING FOR ENFORCEMENT; AND PROVIDING EFFECTIVE DATES.”

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MONTANA:

NEW SECTION. Section 1. Short title. [Sections 1 through 12] may be cited as the "Consumer Data Privacy Act".

NEW SECTION. Section 2. Definitions. As used in [sections 1 through 12], unless the context clearly indicates otherwise, the following definitions apply:
(1) "Affiliate" means a legal entity that shares common branding with another legal entity or controls, is controlled by, or is under common control with another legal entity.
(2) "Authenticate" means to use reasonable methods to determine that a request to exercise any of the rights afforded under [section 5(1)(a) through (1)(e)] is being made by, or on behalf of, the consumer who is entitled to exercise these consumer rights with respect to the personal data at issue.
(3) (a) "Biometric data" means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual.
(b) The term does not include:
(i) a digital or physical photograph;
-1- Authorized Print Version – SB 384
(ii) an audio or video recording; or
(iii) any data generated from a digital or physical photograph or an audio or video recording, unless that data is generated to identify a specific individual.
(4) "Child" means an individual under 13 years of age.
(5) (a) "Consent" means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. The term may include a written statement, a statement by electronic means, or any other unambiguous affirmative action.
(b) The term does not include:
(i) acceptance of a general or broad term of use or similar document that contains descriptions of personal data processing along with other unrelated information;
(ii) hovering over, muting, pausing, or closing a given piece of content; or
(iii) an agreement obtained using dark patterns.
(6) (a) "Consumer" means an individual who is a resident of this state.
(b) The term does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit, or government agency.
(7) "Control" or "controlled" means:
(a) ownership of or the power to vote more than 50% of the outstanding shares of any class of voting security of a company;
(b) control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or
(c) the power to exercise controlling influence over the management of a company.
(8) "Controller" means an individual who or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.
(9) "Dark pattern" means a user interface designed or manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice.
(10) "Decisions that produce legal or similarly significant effects concerning the consumer" means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to necessities such as food and water.
(11) "Deidentified data" means data that cannot be used to reasonably infer information about or otherwise be linked to an identified or identifiable individual or a device linked to the individual if the controller that possesses the data:
(a) takes reasonable measures to ensure that the data cannot be associated with an individual;
(b) publicly commits to process the data in a deidentified fashion only and to not attempt to reidentify the data; and
(c) contractually obligates any recipients of the data to satisfy the criteria set forth in subsections (11)(a) and (11)(b).
(12) "Identified or identifiable individual" means an individual who can be readily identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, specific geolocation data, or an online identifier.
(13) "Institution of higher education" means any individual who or school, board, association, limited liability company, or corporation that is licensed or accredited to offer one or more programs of higher learning leading to one or more degrees.
(14) "Nonprofit organization" means any organization that is exempt from taxation under section 501(c)(3), 501(c)(4), 501(c)(6) or 501(c)(12) of the Internal Revenue Code of 1986 or any subsequent corresponding internal revenue code of the United States as amended from time to time.
(15) (a) "Personal data" means any information that is linked or reasonably linkable to an identified or identifiable individual.
(b) The term does not include deidentified data or publicly available information.
(16) (a) "Precise geolocation data" means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet.
(b) The term does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
(17) "Process" or "processing" means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
(18) "Processor" means an individual who or legal entity that processes personal data on behalf of a controller.
(19) "Profiling" means any form of automated processing performed on personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
(20) "Protected health information" has the same meaning as provided in the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996.
(21) "Pseudonymous data" means personal data that cannot be attributed to a specific individual without the use of additional information, provided the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.
(22) "Publicly available information" means information that:
(a) is lawfully made available through federal, state, or municipal government records or widely distributed media; and
(b) a controller has a reasonable basis to believe a consumer has lawfully made available to the public.
(23) (a) "Sale of personal data" means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.
(b) The term does not include:
(i) the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
(ii) the disclosure of personal data to a third party for the purposes of providing a product or service requested by the consumer;
(iii) the disclosure or transfer of personal data to an affiliate of the controller;
(iv) the disclosure of personal data in which the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party;
(v) the disclosure of personal data that the consumer:
(A) intentionally made available to the public via a channel of mass media; and
(B) did not restrict to a specific audience; or
(vi) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.
(24) "Sensitive data" means personal data that includes:
(a) data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person's sex life, sexual orientation, or citizenship or immigration status;
(b) the processing of genetic or biometric data for the purpose of uniquely identifying an individual;
(c) personal data collected from a known child; or
(d) precise geolocation data.
(25) (a) "Targeted advertising" means displaying advertisements to a consumer in which the advertisement is selected based on personal data obtained or inferred from that consumer's activities over time and across nonaffiliated internet websites or online applications to predict the consumer's preferences or interests.
(b) The term does not include:
(i) advertisements based on activities within a controller's own internet websites or online applications;
(ii) advertisements based on the context of a consumer's current search query or visit to an internet website or online application;
(iii) advertisements directed to a consumer in response to the consumer's request for information or feedback; or
(iv) processing personal data solely to measure or report advertising frequency, performance, or reach.
(26) "Third party" means an individual or legal entity, such as a public authority, agency, or body, other than the consumer, controller, or processor or an affiliate of the controller or processor.

NEW SECTION. Section 3. Applicability. The provisions of [sections 1 through 12] apply to persons that conduct business in this state or persons that produce products or services that are targeted to residents of this state and:
(1) control or process the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
(2) control or process the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

NEW SECTION. Section 4. Exemptions. (1) [Sections 1 through 12] do not apply to any:
(a) body, authority, board, bureau, commission, district, or agency of this state or any political subdivision of this state;
(b) nonprofit organization;
(c) institution of higher education;
(d) national securities association that is registered under 15 U.S.C. 78o-3 of the federal Securities Exchange Act of 1934, as amended;
(e) financial institution or data subject to Title V of the Financial Services Modernization Act of 1999, 15 U.S.C. 6801, et seq.; or
(f) covered entity or business associate as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996, 45 CFR 160.103.
(2) Information and data exempt from [sections 1 through 12] include:
(a) protected health information under the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996;
(b) patient-identifying information for the purposes of 42 U.S.C. 290dd-2;
(c) identifiable private information for the purposes of the federal policy for the protection of human subjects of 1991, 45 CFR, part 46;
(d) identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the international council for harmonisation of technical requirements for pharmaceuticals for human use;
(e) the protection of human subjects under 21 CFR, parts 6, 50, and 56, or personal data used or shared in research as defined in the federal Health Insurance Portability and Accountability Act of 1996, 45 CFR 164.501, that is conducted in accordance with the standards set forth in this subsection (2)(e), or other research conducted in accordance with applicable law;
(f) information and documents created for the purposes of the Health Care Quality Improvement Act of 1986, 42 U.S.C. 11101, et seq.;
(g) patient safety work products for the purposes of the Patient Safety and Quality Improvement Act of 2005, 42 U.S.C. 299b-21, et seq., as amended;
(h) information derived from any of the health care-related information listed in this subsection (2) that is deidentified in accordance with the requirements for deidentification pursuant to the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996;
(i) information originating from and intermingled to be indistinguishable with or information treated in the same manner as information exempt under this subsection (2) that is maintained by a covered entity or business associate as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act of 1996, 45 CFR 160.103, or a program or qualified service organization, as specified in 42 U.S.C. 290dd-2, as amended;
(j) information used for public health activities and purposes as authorized by the federal Health Insurance Portability and Accountability Act of 1996, community health activities, and population health activities;
(k) the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report and by a user of a consumer report, but only to the extent that the activity is regulated by and authorized un