Unofficial Draft Copy
**** As of: 11/01/2024, 02:50:50
69th Legislature 2025 Drafter: Joseph Carroll, **** LC 0722
1 **** BILL NO. ****
2 INTRODUCED BY ****
3
4 A BILL FOR AN ACT ENTITLED: “AN ACT ***; PROVIDING DEFINITIONS; AMENDING SECTIONS 30-14-
5 2802, 30-14-2803, 30-14-2804, 30-14-2808, 30-14-2809, 30-14-2812, 30-14-2813, 30-14-2814, 30-14-2815,
6 30-14-2816, AND 30-14-2817, MCA.”
7
8 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MONTANA:
9
10 NEW SECTION. Section 1. Short title. [Sections XX through XX] may be cited as the "Electronic
11 Data Ownership Act".
12
13 NEW SECTION. Section 2. Definitions. As used in [***], unless the context clearly indicates
14 otherwise, the following definitions apply:
15 (1) "electronic data" means [***]
16 (2) "individual" means [***]
17 (3) "person" means
18
19 NEW SECTION. Section 3. Electronic data ownership. (1) Electronic data created by or on behalf
20 of an individual who is a resident of Montana is the property of that individual.
21 (2) A person possessing electronic data owned by an individual holds the property in trust for the
22 individual.
23
24 NEW SECTION. Section 4. Death of owner of electronic data. (1) Electronic data ownership is
25 non-descendible.
26 (2) A person possessing electronic data owned by a deceased individual shall permanently delete
27 the electronic data within a reasonable time of the final distribution of assets through testate or intestate
-1- LC 722
 Unofficial Draft Copy
**** As of: 11/01/2024, 02:50:50
69th Legislature 2025 Drafter: Joseph Carroll, **** LC 0722
1 succession.
2
3 NEW SECTION. Section 5. Prohibited terms in contracts of adhesion. (1) A contract of adhesion
4 may not require a resident of Montana to forfeit, donate, or accept nominal consideration for electronic data.
5 (2) A contract of adhesion may not condition the use of a product or service on the forfeiture,
6 donation, or acceptance of nominal consideration for electronic data.
7
8 NEW SECTION. Section 6. Consideration for sale of electronic data. A seller of electronic data
9 must provide to the owner of the electronic data:
10 (1) actual consideration that is reasonably related to the value of the electronic data.
11 (2) identifying information of the purchaser of the electronic data.
12
13 NEW SECTION. Section 7. Causes of action. (1) An individual whose electronic data is sold in
14 violation of [this act] has a private cause of action against the person that sold the electronic data.
15 (2) The attorney general or a county attorney may apply for an injunction or commence a civil
16 action against any person to compel compliance with the terms of [this act], and may seek punitive damages
17 and reasonable attorney fees.
18
19 Section 8. Section 30-14-2802, MCA, is amended to read:
20 "30-14-2802. Definitions. As used in this part, unless the context clearly indicates otherwise, the
21 following definitions apply:
22 (1) "Affiliate" means a legal entity that shares common branding with another legal entity or controls, is
23 controlled by, or is under common control with another legal entity.
24 (2) "Authenticate" means to use reasonable methods to determine that a request to exercise any of the
25 rights afforded under 30-14-2808(1)(a) through (1)(e) is being made by, or on behalf of, the consumer who is
26 entitled to exercise these consumer rights with respect to the personal data at issue.
27 (3) (a) "Biometric data" means data generated by automatic measurements of an individual's biological
28 characteristics, such as a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or
-2- LC 722
 Unofficial Draft Copy
**** As of: 11/01/2024, 02:50:50
69th Legislature 2025 Drafter: Joseph Carroll, **** LC 0722
1 characteristics that are used to identify a specific individual.
2 (b) The term does not include:
3 (i) a digital or physical photograph;
4 (ii) an audio or video recording; or
5 (iii) any data generated from a digital or physical photograph or an audio or video recording, unless that
6 data is generated to identify a specific individual.
7 (4) "Child" means an individual under 13 years of age.
8 (5) (a) "Consent" means a clear affirmative act signifying a consumer's freely given, specific, informed,
9 and unambiguous agreement to allow the processing of personal data relating to the consumer. The term may
10 include a written statement, a statement by electronic means, or any other unambiguous affirmative action.
11 (b) The term does not include:
12 (i) acceptance of a general or broad term of use or similar document that contains descriptions of
13 personal data processing along with other unrelated information;
14 (ii) hovering over, muting, pausing, or closing a given piece of content; or
15 (iii) an agreement obtained using dark patterns.
16 (6) (a) "Consumer" means an individual who is a resident of this state.
17 (b) The term does not include an individual acting in a commercial or employment context or as an
18 employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or
19 government agency whose communications or transactions with the controller occur solely within the context of
20 that individual's role with the company, partnership, sole proprietorship, nonprofit, or government agency.
21 (7) "Control" or "controlled" means:
22 (a) ownership of or the power to vote more than 50% of the outstanding shares of any class of voting
23 security of a company;
24 (b) control in any manner over the election of a majority of the directors or of individuals exercising
25 similar functions; or
26 (c) the power to exercise controlling influence over the management of a company.
27 (8) "Controller" means an individual who or legal entity that, alone or jointly with others, determines the
28 purpose and means of processing personal data.
-3- LC 722
 Unofficial Draft Copy
**** As of: 11/01/2024, 02:50:50
69th Legislature 2025 Drafter: Joseph Carroll, **** LC 0722
1 (9) "Dark pattern" means a user interface designed or manipulated with the effect of substantially
2 subverting or impairing user autonomy, decision-making, or choice.
3 (10) "Decisions that produce legal or similarly significant effects concerning the consumer" means
4 decisions made by the controller that result in the provision or denial by the controller of financial or lending
5 services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities,
6 health care services, or access to necessities such as food and water.
7 (11) "De-identified data" means data that cannot be used to reasonably infer information about or
8 otherwise be linked to an identified or identifiable individual or a device linked to the individual if the controller
9 that possesses the data:
10 (a) takes reasonable measures to ensure that the data cannot be associated with an individual;
11 (b) publicly commits to process the data in a de-identified fashion only and to not attempt to re-identify
12 the data; and
13 (c) contractually obligates any recipients of the data to satisfy the criteria set forth in subsections (11)(a)
14 and (11)(b).
15 (12) "Identified or identifiable individual" means an individual who can be readily identified, directly or
16 indirectly.
17 (13) "Institution of higher education" means any individual who or school, board, association, limited
18 liability company, or corporation that is licensed or accredited to offer one or more programs of higher learning
19 leading to one or more degrees.
20 (14) "Nonprofit organization" means any organization that is exempt from taxation under section
21 501(c)(3), 501(c)(4), 501(c)(6) or 501(c)(12) of the Internal Revenue Code of 1986 or any subsequent
22 corresponding internal revenue code of the United States as amended from time to time.
23 (15) (a) "Personal data" means any information that is linked or reasonably linkable to an identified or
24 identifiable individual.
25 (b) The term does not include de-identified data or publicly available information.
26 (16) (a) "Precise geolocation data" means information derived from technology, including but not limited
27 to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies
28 the specific location of an individual with precision and accuracy within a radius of 1,750 feet.
-4- LC 722
 Unofficial Draft Copy
**** As of: 11/01/2024, 02:50:50
69th Legislature 2025 Drafter: Joseph Carroll, **** LC 0722
1 (b) The term does not include the content of communications or any data generated by or connected to
2 advanced utility metering infrastructure systems or equipment for use by a utility.
3 (17) "Process" or "processing" means any operation or set of operations performed, whether by manual
4 or automated means, on personal data or on sets of personal data, such as the collection, use, storage,
5 disclosure, analysis, deletion, or modification of personal data.
6 (18) "Processor" means an individual who or legal entity that processes personal data on behalf of a
7 controller.
8 (19) "Profiling" means any form of automated processing performed on personal data to evaluate,
9 analyze, or predict personal aspects related to an identified or identifiable individual's economic situation,
10 health, personal preferences, interests, reliability, behavior, location, or movements.
11 (20) "Protected health information" has the same meaning as provided in the privacy regulations of the
12 federal Health Insurance Portability and Accountability Act of 1996.
13 (21) "Pseudonymous data" means personal data that cannot be attributed to a specific individual
14 without the use of additional information, provided the additional information is kept separately and is subject to
15 appropriate technical and organizational measures to ensure that the personal data is not attributed to an
16 identified or identifiable individual.
17 (22) "Publicly available information" means information that:
18 (a) is lawfully made available through federal, state, or municipal government records or widely
19 distributed media; or
20 (b) a controller has a reasonable basis to believe a consumer has lawfully made available to the public.
21 (23) (a) "Sale of personal data" means the exchange of personal data for monetary or other valuable
22 consideration by the controller to a third party.
23 (b) The term does not include:
24 (i) the disclosure of personal data to a processor that processes the personal data on behalf of the
25 controller;
26 (ii) the disclosure of personal data to a third party for the purposes of providing a product or service
27 requested by the consumer;
28 (iii) the disclosure or transfer of personal data to an affiliate of the controller;
-5- LC 722
 Unofficial Draft Copy
**** As of: 11/01/2024, 02:50:50
69th Legislature 2025 Drafter: Joseph Carroll, **** LC 0722
1 (iv) the disclosure of personal data in which the consumer directs the controller to disclose the personal
2 data or intentionally uses the controller to interact with a third party;
3 (v) the disclosure of personal data that the consumer:
4 (A) intentionally made available to the public via a channel of mass media; and
5 (B) did not restrict to a specific audience; or
6 (vi) the disclosure or transfer of personal data to a third party as an asset that is part of a merger,
7 acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other
8 transaction in which the third party assumes control of all or part of the controller's assets.
9 (24) "Sensitive data" means personal data that includes:
10 (a) data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or
11 diagnosis, information about a person's sex life, sexual orientation, or citizenship or immigration status;
12 (b) the processing of genetic or biometric data for the purpose of uniquely identifying an individual;
13 (c) personal data collected from a known child; or
14 (d) precise geolocation data.
15 (25) (a) "Targeted advertising" means displaying advertisements to a consumer in which the
16 advertisement is selected based on personal data obtained or inferred from that consumer's activities over time
17 and across nonaffiliated internet websites or online applications to predict the consumer's preferences or
18 interests.
19 (b) The term does not include:
20 (i) advertisements based on activities within a controller's own internet websites or online applications;
21 (ii) advertisements based on the context of a consumer's current search query or visit to an internet
22 website or online application;
23 (iii) advertisements directed to a consumer in response to the consumer's request for information or
24 feedback; or
25 (iv) processing personal data solely to measure or report advertising frequency, performance, or reach.
26 (26) "Third party" means an individual or legal entity, such as a public authority, agency, or body, other
27 than the consumer, controller, or processor or an affiliate of the controller or processor.
28 (27) "Trade secret" has the same meaning as provided in 30-14-402."
-6- LC 722
 Unofficial Draft Copy
**** As of: 11/01/2024, 02:50:50
69th Legislature 2025 Drafter: Joseph Carroll, **** LC 0722
1
2 Section 9. Section 30-14-2803, MCA, is amended to read:
3 "30-14-2803. Applicability. The provisions of this part apply to persons that conduct business in this
4 state or persons that produce products or services that are targeted to residents of this state and:
5 (1) control or process the personal data of not less than 50,000 consumers, excluding personal data
6 controlled or processed solely for the purpose of completing a payment transaction; or
7 (2) control or process the personal data of not less than 25,000 consumers and derive more than 25%
8 of gross revenue from the sale of personal data."
9
10 Section 10. Section 30-14-2804, MCA, is amended to read:
11 "30-14-2804. Exemptions. (1) This part does not apply to any:
12 (a) body, authority, board, bureau, commission, district, or agency of this state or any political
13 subdivision of this state;
14 (b) nonprofit organization;
15 (c) institution of higher education;
16 (d) national securities association that is registered under 15 U.S.C. 78o-3 of the federal Securities
17 Exchange Act of 1934, as amended;
18 (e) financial institution or an affiliate of a financial institution governed by, or personal data collected,
19 processed, sold, or disclosed in accordance with, Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801, et
20 seq.; or
21 (f) covered entity or business associate as defined in the privacy regulations of the federal Health
22 Insurance Portability and Accountability Act of 1996, 45 CFR 160.103.
23 (2) Information and data exempt from this part include:
24 (a) protected health information under the privacy regulations of the federal Health Insurance Portability
2