Montana Code 30-14-2808. Consumer personal data — opt-out — compliance — appeals
30-14-2808. (Effective October 1, 2024) Consumer personal data — opt-out — compliance — appeals. (1) A consumer must have the right to:
Terms Used In Montana Code 30-14-2808
- Appeal: A request made after a trial, asking another court (usually the court of appeals) to decide whether the trial was conducted properly. To make such a request is "to appeal" or "to take an appeal." One who appeals is called the appellant.
- Authenticate: means to use reasonable methods to determine that a request to exercise any of the rights afforded under 30-14-2808(1)(a) through (1)(e) is being made by, or on behalf of, the consumer who is entitled to exercise these consumer rights with respect to the personal data at issue. See Montana Code 30-14-2802
- Child: means an individual under 13 years of age. See Montana Code 30-14-2802
- Complaint: A written statement by the plaintiff stating the wrongs allegedly committed by the defendant.
- Consumer: means an individual who is a resident of this state. See Montana Code 30-14-2802
- Controller: means an individual who or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data. See Montana Code 30-14-2802
- Decisions that produce legal or similarly significant effects concerning the consumer: means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to necessities such as food and water. See Montana Code 30-14-2802
- Guardian: A person legally empowered and charged with the duty of taking care of and managing the property of another person who because of age, intellect, or health, is incapable of managing his (her) own affairs.
- Person: includes a corporation or other entity as well as a natural person. See Montana Code 1-1-201
- Personal data: means any information that is linked or reasonably linkable to an identified or identifiable individual. See Montana Code 30-14-2802
- Process: means a writ or summons issued in the course of judicial proceedings. See Montana Code 1-1-202
- processing: means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. See Montana Code 30-14-2802
- Writing: includes printing. See Montana Code 1-1-203
(a)confirm whether a controller is processing the consumer’s personal data and access the consumer’s personal data, unless such confirmation or access would require the controller to reveal a trade secret;
(b)correct inaccuracies in the consumer’s personal data, considering the nature of the personal data and the purposes of the processing of the consumer’s personal data;
(c)delete personal data about the consumer;
(d)obtain a copy of the consumer’s personal data previously provided by the consumer to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the personal data to another controller without hindrance when the processing is carried out by automated means, provided the controller is not required to reveal any trade secret; and
(e)opt out of the processing of the consumer’s personal data for the purposes of:
(i)targeted advertising;
(ii)the sale of the consumer’s personal data, except as provided in 30-14-2812(2); or
(iii)profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
(2)A consumer may exercise rights under this section by a secure and reliable means established by the controller and described to the consumer in the controller’s privacy notice.
(3)(a) A consumer may designate an authorized agent in accordance with 30-14-2809 to exercise the rights of the consumer to opt out of the processing of the consumer’s personal data under subsection (1)(e) on behalf of the consumer.
(b)A parent or legal guardian of a known child may exercise the consumer rights on the known child’s behalf regarding the processing of personal data.
(c)A guardian or conservator of a consumer subject to a guardianship, conservatorship, or other protective arrangement, may exercise the rights on the consumer’s behalf regarding the processing of personal data.
(4)Except as otherwise provided in this part, a controller shall comply with a request by a consumer to exercise the consumer rights authorized pursuant to this section as follows:
(a)A controller shall respond to the consumer without undue delay, but not later than 45 days after receipt of the request. The controller may extend the response period by 45 additional days when reasonably necessary, considering the complexity and number of the consumer’s requests, provided the controller informs the consumer of the extension within the initial 45-day response period and the reason for the extension.
(b)If a controller declines to act regarding the consumer’s request, the controller shall inform the consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for declining to act and provide instructions for how to appeal the decision.
(c)Information provided in response to a consumer request must be provided by a controller, free of charge, once for each consumer during any 12-month period. If requests from a consumer are manifestly unfounded, excessive, technically infeasible, or repetitive, the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request. The controller bears the burden of demonstrating the manifestly unfounded, excessive, technically infeasible, or repetitive nature of the request.
(d)If a controller is unable to authenticate a request to exercise any of the rights afforded under subsections (1)(a) through (1)(d) of this section using commercially reasonable efforts, the controller may not be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the consumer that the controller is unable to authenticate the request to exercise the right or rights until the consumer provides additional information reasonably necessary to authenticate the consumer and the consumer’s request to exercise the consumer’s rights. A controller may not be required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes the request is fraudulent, the controller shall send notice to the person who made the request disclosing that the controller believes the request is fraudulent and that the controller may not comply with the request.
(e)A controller that has obtained personal data about a consumer from a source other than the consumer must be deemed in compliance with the consumer’s request to delete the consumer’s data pursuant to subsection (1)(c) by:
(i)retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the controller’s records and not using the retained data for any other purpose pursuant to the provisions of this part; or
(ii)opting the consumer out of the processing of the consumer’s personal data for any purpose except for those exempted pursuant to the provisions of this part.
(5)A controller shall establish a process for a consumer to appeal the controller’s refusal to act on a request within a reasonable period after the consumer’s receipt of the decision. The appeal process must be conspicuously available and like the process for submitting requests to initiate action pursuant to this section. Not later than 60 days after receipt of an appeal, a controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the attorney general to submit a complaint.