30-14-2812. (Effective October 1, 2024) Data processing by controller — limitations. (1) A controller shall:

Ask a consumer protection question, get an answer ASAP!
Thousands of highly rated, verified consumer protection lawyers.
Help with credit card debt, collections, defective products
Get help with bankruptcy, filing complaints, extended warranties & more
Click here to chat with a lawyer about your rights.

Terms Used In Montana Code 30-14-2812

  • Appeal: A request made after a trial, asking another court (usually the court of appeals) to decide whether the trial was conducted properly. To make such a request is "to appeal" or "to take an appeal." One who appeals is called the appellant.
  • Child: means an individual under 13 years of age. See Montana Code 30-14-2802
  • Consent: means a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. See Montana Code 30-14-2802
  • Consumer: means an individual who is a resident of this state. See Montana Code 30-14-2802
  • Controller: means an individual who or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data. See Montana Code 30-14-2802
  • Personal data: means any information that is linked or reasonably linkable to an identified or identifiable individual. See Montana Code 30-14-2802
  • Process: means a writ or summons issued in the course of judicial proceedings. See Montana Code 1-1-202
  • processing: means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data. See Montana Code 30-14-2802
  • Sensitive data: means personal data that includes:

    (a)data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person's sex life, sexual orientation, or citizenship or immigration status;

    (b)the processing of genetic or biometric data for the purpose of uniquely identifying an individual;

    (c)personal data collected from a known child; or

    (d)precise geolocation data. See Montana Code 30-14-2802

  • State: when applied to the different parts of the United States, includes the District of Columbia and the territories. See Montana Code 1-1-201
  • Targeted advertising: means displaying advertisements to a consumer in which the advertisement is selected based on personal data obtained or inferred from that consumer's activities over time and across nonaffiliated internet websites or online applications to predict the consumer's preferences or interests. See Montana Code 30-14-2802

(a)limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed to the consumer;

(b)establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue; and

(c)provide an effective mechanism for a consumer to revoke the consumer’s consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer’s consent and, on revocation of the consent, cease to process the personal data as soon as practicable, but not later than 45 days after the receipt of the request.

(2)A controller may not:

(a)except as otherwise provided in this part, process personal data for purposes that are not reasonably necessary to or compatible with the disclosed purposes for which the personal data is processed as disclosed to the consumer unless the controller obtains the consumer’s consent;

(b)process sensitive data concerning a consumer without obtaining the consumer’s consent or, in the case of the processing of sensitive data concerning a known child, without processing the sensitive data in accordance with the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501, et seq.;

(c)process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against consumers;

(d)process the personal data of a consumer for the purposes of targeted advertising or sell the consumer’s personal data without the consumer’s consent under circumstances in which a controller has actual knowledge that the consumer is at least 13 years of age but younger than 16 years of age; or

(e)discriminate against a consumer for exercising any of the consumer rights contained in this part, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer.

(3)Nothing in subsection (1) or (2) may be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the consumer has exercised their right to opt out pursuant to this part or the offering is in connection with a consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

(4)If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the processing, as well as the way a consumer may exercise the right to opt out of the processing.

(5)A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

(a)the categories of personal data processed by the controller;

(b)the purpose for processing personal data;

(c)the categories of personal data that the controller shares with third parties, if any;

(d)the categories of third parties, if any, with which the controller shares personal data; and

(e)an active e-mail address or other mechanism that the consumer may use to contact the controller; and

(f)how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision regarding the consumer’s request.

(6)(a) A controller shall establish and describe in a privacy notice one or more secure and reliable means for consumers to submit a request to exercise their consumer rights pursuant to this part considering the ways in which consumers normally interact with the controller, the need for secure and reliable communication of consumer requests, and the ability of the controller to verify the identity of the consumer making the request.

(b)A controller may not require a consumer to create a new account to exercise consumer rights but may require a consumer to use an existing account.