Montana Consumer Data Privacy Act

1. Is the organization or data activity explicitly exempt (e.g., state entity, nonprofit, higher education, securities association, GLBA-regulated financial institution, HIPAA-covered entity, FCRA, FERPA, DPPA, Farm Credit Act, Airline Deregulation Act, employee/benefits/emergency contact data, or HIPAA/public health/research-related data)?

2. Does your data processing of children's information adhere to COPPA parental consent regulations?

1. Do you provide consumers (or their agents/guardians) a secure way to exercise rights to access, correct, delete, port, and opt-out of data use (ads, sale, profiling)?

2. Can you authenticate requests using commercially reasonable methods, without over-collecting data?

3. Do you meet statutory timelines (respond in 45 days, extendable once; appeal decided within 60 days)?

4. Do you handle repetitive/excessive/fraudulent requests appropriately (fee, denial, or notice)?

5. Is a free response provided once per consumer per year, with reasonable charges or opt-out of further processing if deletion not feasible?

6. Do you provide an accessible appeals process with clear instructions and AG complaint referral on denial?

1. Do you accept opt-out requests from authorized agents (via links, browser/device settings, or extensions) and verify both the consumer's identity and the agent's authority using commercially reasonable methods?

2. Do you provide a clear, conspicuous website link for opt-out and, by Jan 1, 2025, honor opt-out preference signals that are consumer-friendly, affirmative (not default), legally consistent, and able to confirm Montana residency?

3. When an opt-out conflicts with existing privacy settings or loyalty/reward programs, do you honor the opt-out first while notifying the consumer of the conflict and offering a choice, and if charging or offering financial incentives, do you provide clear, upfront disclosures of terms?

1. Do you collect only data that is adequate, relevant, and reasonably necessary for disclosed purposes, and maintain reasonable administrative, technical, and physical safeguards proportionate to the data's volume and sensitivity?

2. Do you obtain valid consent before processing sensitive data (including COPPA compliance for children), ensure purposes are compatible with disclosed uses, and provide an easy revocation mechanism that ceases processing within 45 days?

3. Do you avoid unlawful discrimination, refrain from processing targeted ads or selling data of 13–15 year olds without consent, and ensure consumers are not penalized for exercising rights (except for voluntary loyalty/reward programs)?

4. If you sell personal data or process for targeted advertising, do you clearly and conspicuously disclose this and provide simple, accessible opt-out mechanisms?

5. Does your privacy notice clearly state: categories of data collected, processing purposes, categories of data shared, categories of third parties, contact details (email/other), and consumer rights & appeal instructions?

1. Do you help controllers meet obligations (consumer rights requests, security, breach notifications, data protection assessments)?

2. Is there a binding contract covering instructions, scope, confidentiality, return/deletion of data, compliance evidence, subcontractor obligations, and audit rights?

3. Do you allow or arrange independent audits/assessments and provide compliance reports to controllers?

4. Do you process data strictly per controller instructions, without independently deciding purposes/means?

1. Do you ensure that deidentified or pseudonymous data cannot reasonably be re-identified, commit not to attempt re-identification, and maintain technical/organizational safeguards (e.g., separation of identifiers) that support legal exemptions?

2. Where consumer rights requests cannot be fulfilled due to deidentification, pseudonymization, or unreasonable burden, do you maintain lawful processes to decline while exercising oversight of third-party recipients and acting on breaches of commitments?

1. Do you process data strictly when required by law (subpoenas, investigations, claims), to perform contracts or consumer requests, or to protect safety/security (fraud, cybersecurity, emergencies)?

2. When using data for research, public health, or internal operations (product improvement, recalls, fixes), do you ensure oversight/approval, proportionality, and alignment with consumer expectations?

3. Do you respect evidentiary privileges, avoid restricting free speech/press, and distinguish personal/household use from business obligations?

4. When disclosing data, do you ensure you're not liable for recipients' misuse if you lacked actual knowledge, and do contracts/due diligence impose compliance obligations?

5. When invoking any exemption, can you show processing is necessary, proportionate, safeguarded, and backed by documentation?