- 2025
69th Legislature 2025 SB0297.2
- 1 - Authorized Print Version – SB 297
1 SENATE BILL NO. 297
2 INTRODUCED BY D. ZOLNIKOV
3
4 A BILL FOR AN ACT ENTITLED: “AN ACT GENERALLY REVISING PRIVACY LAWS; PROVIDING
5 DEFINITIONS; REQUIRING NOTIFICATION TO CONSUMERS THAT CERTAIN INFORMATION HAS BEEN
6 COLLECTED; REQUIRING AN OPT-OUT OPTION FOR CONSUMERS; REQUIRING A PRIVACY NOTICE
7 FROM CONTROLLERS; REQUIRING THE ATTORNEY GENERAL TO POST RIGHTS AND
8 RESPONSIBILITIES INFORMATION ONLINE; SPECIFYING CONTROLLER DUTIES; SPECIFYING
9 RESPONSIBILITIES BY ROLE; AMENDING SECTIONS 20-7-1324, 30-14-2802, 30-14-2803, 30-14-2804, 30-
10 14-2808, 30-14-2812, 30-14-2816, AND 30-14-2817, MCA; AND REPEALING SECTION 15, CHAPTER 681,
11 LAWS OF 2023.”
12
13 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MONTANA:
14
15 Section 20-7-1324, MCA, is amended to read:
16 "20-7-1324. As used in 20-7-1323 through 20-7-1326, the following definitions apply:
17 (1) "Deidentified information" means information that cannot be used to identify an individual pupil.
18 (2) "K-12 online application" means an internet website, online service, cloud computing service,
19 online application, or mobile application that is used primarily for K-12 school purposes and that was designed
20 and is marketed for K-12 school purposes.
21 (3) (a) "K-12 school purposes" means activities that customarily take place at the direction of a
22 school, teacher, or school district or aid in the administration of school activities, including but not limited to
23 instruction in the classroom or at home, administrative activities, and collaboration between pupils, school
24 personnel, or parents, or that are for the use and benefit of a school.
25 (b) The term does not include courses that are provided for the purpose of postsecondary credit or
26 work-based learning courses provided by a work-based learning partner pursuant to 20-7-1510.
27 (4) "Operator" means the operator of a K-12 online application who knows or reasonably should
28 know that the application is used primarily for K-12 school purposes. - 2025
69th Legislature 2025 SB0297.2
- 2 - Authorized Print Version – SB 297
1 (5) (a) "Protected information" means personally identifiable information or materials, in any media
2 or format, that describes or otherwise identifies a pupil and that is:
3 (i) created or provided by a pupil, or the pupil's parent or legal guardian, to an operator in the
4 course of the pupil's, parent's, or legal guardian's use of the operator's K-12 online application;
5 (ii) created or provided by an employee or agent of a school district to an operator in the course of
6 the employee's or agent's use of the operator's K-12 online application; or
7 (iii) gathered by an operator through the operator's K-12 online application.
8 (b) The term includes but is not limited to:
9 (i) information in the pupil's educational record or e-mail messages;
10 (ii) first and last name, home address, telephone number, e-mail address, or other information that
11 allows physical or online contact;
12 (iii) discipline records, test results, special education data, juvenile dependency records, grades, or
13 evaluations;
14 (iv) criminal, medical, or health records;
15 (v) social security number;
16 (vi) biometric information;
17 (vii) disability;
18 (viii) socioeconomic information;
19 (ix) food purchases;
20 (x) political affiliation;
21 (xi) religious information; or
22 (xii) text messages, documents, pupil identifiers, search activity, photos, voice recordings, or
23 geolocation information.
24 (6) (a) "Pupil records" means:
25 (i) any information directly related to a pupil that is maintained by a school district; or
26 (ii) any information acquired directly from a pupil through the use of instructional software or
27 applications assigned to the pupil by a teacher or other school district employee.
28 (b) The term does not include deidentified information, including aggregated deidentified - 2025
69th Legislature 2025 SB0297.2
- 3 - Authorized Print Version – SB 297
1 information used:
2 (i) by a third party to improve educational products for adaptive learning purposes and for
3 customizing pupil learning;
4 (ii) to demonstrate the effectiveness of a third party's products in the marketing of those products;
5 or
6 (iii) for the development and improvement of educational sites, services, or applications.
7 (7) (a) "Pupil-generated content" means materials created by a pupil, including but not limited to
8 essays, research reports, portfolios, creative writing, music or other audio files, photographs, and account
9 information that enables ongoing ownership of pupil content.
10 (b) The term does not include pupil responses to a standardized assessment for which pupil
11 possession and control would jeopardize the validity and reliability of that assessment.
12 (8) "Third party" refers to a provider of digital educational software or services, including cloud-
13 based services, for the digital storage, management, and retrieval of pupil records."
14
15 Section 30-14-2802, MCA, is amended to read:
16 "30-14-2802. As used in this part, unless the context clearly indicates otherwise, the
17 following definitions apply:
18 (1) "Adult" means an individual who is 18 years of age or older.
19 (1)(2) "Affiliate" means a legal entity that shares common branding with another legal entity or
20 controls, is controlled by, or is under common control with another legal entity.
21 (2)(3) "Authenticate" means to use reasonable methods to determine that a request to exercise any
22 of the rights afforded under 30-14-2808(1)(a) through (1)(e) is being made by, or on behalf of, the consumer
23 who is entitled to exercise these consumer rights with respect to the personal data at issue.
24 (3)(4) (a) "Biometric data" means data generated by automatic measurements of an individual's
25 biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises, or other unique biological
26 patterns or characteristics that are used to identify a specific individual.
27 (b) The term does not include:
28 (i) a digital or physical photograph; - 2025
69th Legislature 2025 SB0297.2
- 4 - Authorized Print Version – SB 297
1 (ii) an audio or video recording; or
2 (iii) any data generated from a digital or physical photograph or an audio or video recording, unless
3 that data is generated to identify a specific individual.
4 (4)(5) "Child" means an individual under 13 years of age.
5 (5)(6) (a) "Consent" means a clear affirmative act signifying a consumer's freely given, specific,
6 informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. The
7 term may include a written statement, a statement by electronic means, or any other unambiguous affirmative
8 action.
9 (b) The term does not include:
10 (i) acceptance of a general or broad term of use or similar document that contains descriptions of
11 personal data processing along with other unrelated information;
12 (ii) hovering over, muting, pausing, or closing a given piece of content; or
13 (iii) an agreement obtained using dark patterns.
14 (6)(7) (a) "Consumer" means an individual who is a resident of this state.
15 (b) The term does not include an individual acting in a commercial or employment context or as an
16 employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or
17 government agency whose communications or transactions with the controller occur solely within the context of
18 that individual's role with the company, partnership, sole proprietorship, nonprofit, or government agency.
19 (7)(8) "Control" or "controlled" means:
20 (a) ownership of or the power to vote more than 50% of the outstanding shares of any class of
21 voting security of a company;
22 (b) control in any manner over the election of a majority of the directors or of individuals exercising
23 similar functions; or
24 (c) the power to exercise controlling influence over the management of a company.
25 (8)(9) "Controller" means an individual who or legal entity that, alone or jointly with others, determines
26 the purpose and means of processing personal data.
27 (9)(10) "Dark pattern" means a user interface designed or manipulated with the effect of substantially
28 subverting or impairing user autonomy, decision-making, or choice. - 2025
69th Legislature 2025 SB0297.2
- 5 - Authorized Print Version – SB 297
1 (10)(11)"Decisions that produce legal or similarly significant effects concerning the consumer" means
2 decisions made by the controller that result in the provision or denial by the controller of financial or lending
3 services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities,
4 health care services, or access to necessities such as food and water.
5 (11)(12)"De-identified data" means data that cannot be used to reasonably infer information about or
6 otherwise be linked to an identified or identifiable individual or a device linked to the individual if the controller
7 that possesses the data:
8 (a) takes reasonable measures to ensure that the data cannot be associated with an individual;
9 (b) publicly commits to process the data in a de-identified fashion only and to not attempt to re-
10 identify the data; and
11 (c) contractually obligates any recipients of the data to satisfy the criteria set forth in subsections
12 (11)(a) (12)(a) and (11)(b) (12)(b).
13 (13) "Heightened risk of harm to minors" means processing the personal data of a minor in a
14 manner that presents a reasonably foreseeable risk that could cause:
15 (a) unfair or deceptive treatment of or an unlawful disparate impact on a minor;
16 (b) financial, physical, or reputational injury to a minor;
17 (c) unauthorized disclosure of the personal data of a minor as a result of a security breach as
18 described in 30-14-1704; or
19 (d) physical or other intrusion on the solitude or seclusion or the private affairs or concerns of a
20 minor if the intrusion would be considered offensive to a reasonable person.
21 (12)(14)"Identified or identifiable individual" means an individual who can be readily identified, directly
22 or indirectly.
23 (13)(15)"Institution of higher education" means any individual who or school, board, association, limited
24 liability company, or corporation that is licensed or accredited to offer one or more programs of higher learning
25 leading to one or more degrees.
26 (16) "Minor" means a consumer who is under 18 years of age.
27 (14)(17)"Nonprofit organization" means any organization that is exempt from taxation under section
28 501(c)(3), 501(c)(4), 501(c)(6) or 501(c)(12) of the Internal Revenue Code of 1986 or any subsequent - 2025
69th Legislature 2025 SB0297.2
- 6 - Authorized Print Version – SB 297
1 corresponding internal revenue code of the United States as amended from time to time.
2 (18) (a) "Online service, product, or feature" means a service, product, or feature that is provided
3 online.
4 (b) The term does not include:
5 (i) a telecommunications service as defined in 47 U.S.C. 153(53), as amended;
6 (ii) broadband internet access service as defined in 47 CFR 54.400(l), as amended; or
7 (iii) the delivery or use of a physical product.
8 (15)(19)(a) "Personal data" means any information that is linked or reasonably linkable to an identified
9 or identifiable individual.
10 (b) The term does not include de-identified data or publicly available information.
11 (16)(20)(a) "Precise geolocation data" means information derived from technology, including but not
12 limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly
13 identifies the specific location of an individual with precision and accuracy within a radius of 1,750 feet.
14 (b) The term does not include the content of communications or any data generated by or
15 connected to advanced utility metering infrastructure systems or equipment for use by a utility.
16 (17)(21)"Process" or "processing" means any operation or set of operations performed, whether by
17 manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage,
18 disclosure, analysis, deletion, or modification of personal data.
19 (18)(22)"Processor" means an individual who or legal entity that processes personal data on behalf of a
20 controller.
21 (19)(23)"Profiling" means any form of automated processing performed on personal data to evaluate,
22 analyze, or predict personal aspects related to an identified or identifiable individual's economic situation,
23 health, personal preferences, interests, reliability, behavior, location, or movements.
24 (20)(24)"Protected health information" has the same meaning as provided in the privacy regulations of
25 the federal Health Insurance Portability and Accountability Act of 1996.
26 (21)(25)"Pseudonymous data" means personal data that cannot be attributed to a specific individual
27 without the use of additional information, provided the additional information is kept separately and is subject to
28 appropriate technical and organizational measures to ensure that the personal data is not attributed to an - 2025
69th Legislature 2025 SB0297.2
- 7 - Authorized Print Version – SB 297
1 identified or identifiable individual.
2 (22)(26)"Publicly available information" means information that:
3 (a) is lawfully made available through federal, state, or municipal government records or widely
4 distributed media; or
5 (b) a controller has a reasonable basis to believe a consumer has lawfully made available to the
6 public.
7 (23)(27)(a) "Sale of personal data" means the exchange of personal data for monetary or other
8 valuable consideration by the controller to a third party.
9 (b) The term does not include:
10 (i) the disclosure of personal data to a processor that processes the personal data on behalf of
11 the controller;
12 (ii) the disclosure of personal data to a third party for the purposes of providing a product or
13 service requested by the consumer;
14 (iii) the disclosure or transfer of personal data to an affiliate of the controller;
15 (iv) the disclosure of personal data in which the consumer directs the controller to disclose the
16 personal data or intentionally uses the controller to interact with a third party;
17 (v) the disclosure of personal data that the consumer:
18 (A) intentionally made available to the public via a channel of mass media; and
19 (B) did not restrict to a specific audience; or
20 (vi) the disclosure or transfer of personal data to a third party as an asset that is part of a merger,
21 acquisition, bankruptcy, or other transaction, or a proposed merger, acquisition, bankruptcy, or other
22 transaction in which the third party assumes control of all or part of the controller's assets.
23 (24)(28)"Sensitive data" means personal data that includes:
24 (a) data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or
25 diagnosis, information about a person's sex life, sexual orientation, or citizenship or immigration status;
26 (b) the processing of genetic or biometric data for the purpose of uniquely identifying an individual;
27 (c) personal data collected from a known child; or
28 (d) precise geolocation data. - 2025
69th Legislature 2025 SB0297.2
- 8 - Authorized Print Version – SB 297
1 (25)(29)(a) "Targeted advertising" means displaying advertisements to a consumer in which the
2 advertisement is selected based on personal data obtained or inferred from that consumer's activities over time
3 and across nonaffiliated internet websites or online applications to predict the consumer's preferences or
4 interests.
5 (b) The term does not include:
6 (i) advertisements based on activities within a controller's own internet websites or online
7 applications;
8 (ii) advertisements based on the context of a consumer's current search query or visit to an
9 internet website or online application;
10 (iii) advertisements directed to a consumer in response to the consumer's request for information
11 or feedback; or
12 (iv) processing personal data solely to measure or report advertising frequency, performance, or
13 reach.
14 (26)(30)"Third party" means an individual or legal entity, such as a public authority, agency, or body,
15 other than the consumer, controller, or processor or an affiliate of the controller or processor.
16 (27)(31)"Trade secret" has the same meaning as provided in 30-14-402."
17
18 Section 30-14-2803, MCA, is amended to read:
19 "30-14-2803.
20 persons that conduct business in this state or persons that produce products or services that are targeted to
21 residents of this state and:
22 (1)(a) control or process the personal data of not less than 50,000 25,000 consumers, excluding
23 personal data controlled or processed solely for the purpose of completing a payment transaction; or
24 (2)(b) control or process the personal data of not less than 25,000 15,000 consumers and derive
25 more than 25% of gross revenue from the sale of personal data.
26 (2) [Sections 9 through 11] apply to persons that conduct business in this state or deliver
27 commercial products or services that are intentionally targeted to residents of this state."
28 - 2025
69th Legislature 2025 SB0297.2
- 9 - Authorized Print Version – SB 297
1 Section 30-14-2804, MCA, is amended to read:
2 "30-14-2804. (1) This part does not apply to any:
3 (a) body, authority, board, bureau, commission, district, or agency of this state or any political
4 subdivision of this state;
5 (b) nonprofit organization that is established to detect and prevent fraudulent acts in connection
6 with insurance;
7 (c) institution of higher education;
8 (d) national securities association that is registered under 15 U.S.C. 78o-3 of the federal Securities
9 Exchange Act of 1934, as amended;
10 (e) state or federally chartered bank or credit union or an affiliate or subsidiary that is principally
11 engaged in financial activities as described in 12 U.S.C. 1843(k);
12 (e)(f) financial institution or an affiliate of a financial institution governed by, or personal data
13 collected, processed, sold, or disclosed in accordance with, Title V of the Gramm-Leach-Bliley Act, 15 U.S.C.
14 6801, et seq.; or
15 (f)(g) covered entity or business associate as defined in the privacy regulations of the federal Health
16 Insurance Portability and Accountability Act of 1996, 45 CFR 160.103.
17 (2) Information and data exempt from this part include:
18 (a) protected health information under the privacy regulations of the federal Health Insurance
19 Portability and Accountability Act of 1996;
20 (b) patient-identifying information for the purposes of 42 U.S.C. 290dd-2;
21 (c) identifiable private information for the purposes of the federal policy for the protection of human
22 subjects of 1991, 45 CFR, part 46;
23 (d) identifiable private information that is otherwise information collected as part of human subjects
24 research pursuant to the good clinical practice guidelines issued by the international council for harmonisation
25 of technical requirements for pharmaceuticals for human use;
26 (e) the protection of human subjects under 21 CFR, parts 6, 50, and 56, or personal data used or
27 shared in research as defined in the federal Health Insurance Portability and Accountability Act of 1996, 45
28 CFR 164.501, that is conducted in accordance with the standards set forth in this subsection (2)(e), or other - 2025
69th Legislature 2025 SB0297.2
- 10 - Authorized Print Version – SB 297
1 research conducted in accordance with applicable law;
2 (f) information and documents created for the purposes of the Health Care Quality Improvement
3 Act of 1986, 42 U.S.C. 11101, et seq.;
4 (g) patient safety work products for the purposes of the Patient Safety and Quality Improvement
5 Act of 2005, 42 U.S.C. 299b-21, et seq., as amended;
6 (h) information derived from any of the health care-related information listed in this subsection (2)
7 that is:
8 (i) de-identified in accordance with the requirements for de-identification pursuant to the privacy
9 regulations of the federal Health Insurance Portability and Accountability Act of 1996; or
10 (ii) included in a limited data set as described in 45 CFR 164.514(e), to the extent that the
11 information is used, disclosed, and maintained in a manner specified in 45 CFR 164.514(e).
12 (i) information originating from and intermingled to be indistinguishable with or information treated
13 in the same manner as information exempt under this subsection (2) that is maintained by a covered entity or
14 business associate as defined in the privacy regulations of the federal Health Insurance Portability and
15 Accountability Act of 1996, 45 CFR 160.103, or a program or qualified service organization, as specified in 42
16 U.S.C. 290dd-2, as amended;
17 (j) information used for public health activities and purposes as authorized by the federal Health
18 Insurance Portability and Accountability Act of 1996, community health activities, and population health
19 activities;
20 (k) the collection, maintenance, disclosure, sale, communication, or use of any personal
21 information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general
22 reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that
23 provides information for use in a consumer report and by a user of a consumer report, but only to the extent
24 that the activity is regulated by and authorized under the Fair Credit Reporting Act, 15 U.S.C. 1681, as
25 amended;
26 (l) personal data collected, processed, sold, or disclosed in compliance with the Driver's Privacy
27 Protection Act of 1994, 18 U.S.C. 2721, et seq., as amended;
28 (m) personal data regulated by the Family Educational Rights and Privacy Act of 1974, 20 U.S.C. - 2025
69th Legislature 2025 SB0297.2
- 11 - Authorized Print Version – SB 297
1 1232g, et seq., as amended;
2 (n) personal data collected, processed, sold, or disclosed in compliance with the Farm Credit Act
3 of 1993, 12 U.S.C. 2001, et seq., as amended;
4 (o) data processed or maintained:
5 (i) by an individual applying to, employed by, or acting as an agent or independent contractor of a
6 controller, processor, or third party to the extent that the data is collected and used within the context of that
7 role;
8 (ii) as the emergency contact information of an individual under this part and used for emergency
9 contact purposes; or
10 (iii) that is necessary to retain to administer benefits for another individual relating to the individual
11 who is the subject of the information under subsection (2)(a) and is used for the purposes of administering the
12 benefits; and
13 (p) personal data collected, processed, sold, or disclosed in relation to price, route, or service, as
14 these terms are used in the Airline Deregulation Act of 1978, 49 U.S.C. 40101, et seq., as amended, by an air
15 carrier subject to the Airline Deregulation Act of 1978, to the extent this part is preempted by the Airline
16 Deregulation Act of 1978, 49 U.S.C. 41713, as amended.
17 (3) Controllers and processors that comply with the verifiable parental consent requirements of the
18 Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501, et seq., shall be considered compliant with
19 any obligation to obtain parental consent pursuant to this part."
20
21 Section 30-14-2808, MCA, is amended to read:
22 "30-14-2808. (1) A consumer must
23 have the right to:
24 (a) confirm whether a controller is processing the consumer's personal data and access the
25 consumer's personal data, unless such confirmation or access would require the controller to reveal a trade
26 secret;
27 (b) correct inaccuracies in the consumer's personal data, considering the nature of the personal
28 data and the purposes of the processing of the consumer's personal data; - 2025
69th Legislature 2025 SB0297.2
- 12 - Authorized Print Version – SB 297
1 (c) delete personal data about the consumer;
2 (d) obtain a copy of the consumer's personal data previously provided by the consumer to the
3 controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to
4 transmit the personal data to another controller without hindrance when the processing is carried out by
5 automated means, provided the controller is not required to reveal any trade secret; and
6 (e) opt out of the processing of the consumer's personal data for the purposes of:
7 (i) targeted advertising;
8 (ii) the sale of the consumer's personal data, except as provided in 30-14-2812(2); or
9 (iii) profiling in furtherance of solely automated decisions that produce legal or similarly significant
10 effects concerning the consumer.
11 (2) A consumer may exercise rights under this section by a secure and reliable means established
12 by the controller and described to the consumer in the controller's privacy notice.
13 (3) (a) A consumer may designate an authorized agent in accordance with 30-14-2809 to exercise
14 the rights of the consumer to opt out of the processing of the consumer's personal data under subsection (1)(e)
15 on behalf of the consumer.
16 (b) A parent or legal guardian of a known child may exercise the consumer rights on the known
17 child's behalf regarding the processing of personal data.
18 (c) A guardian or conservator of a consumer subject to a guardianship, conservatorship, or other
19 protective arrangement, may exercise the rights on the consumer's behalf regarding the processing of personal
20 data.
21 (4) Except as otherwise provided in this part, a controller shall comply with a request by a
22 consumer to exercise the consumer rights authorized pursuant to this section as follows:
23 (a) A controller shall respond to the consumer without undue delay, but not later than 45 days after
24 receipt of the request. The controller may extend the response period by 45 additional days when reasonably
25 necessary, considering the complexity and number of the consumer's requests, provided the controller informs
26 the consumer of the extension within the initial 45-day response period and the reason for the extension.
27 (b) If a controller declines to act regarding the consumer's request, the controller shall inform the
28 consumer without undue delay, but not later than 45 days after receipt of the request, of the justification for - 2025
69th Legislature 2025 SB0297.2
- 13 - Authorized Print Version – SB 297
1 declining to act and provide instructions for how to appeal the decision.
2 (c) Information provided in response to a consumer request must be provided by a controller, free
3 of charge, once for each consumer during any 12-month period. If requests from a consumer are manifestly
4 unfounded, excessive, technically infeasible, or repetitive, the controller may charge the consumer a
5 reasonable fee to cover the administrative costs of complying with the request or decline to act on the request.
6 The controller bears the burden of demonstrating the manifestly unfounded, excessive, technically infeasible, or
7 repetitive nature of the request.
8 (d) If a controller is unable to authenticate a request to exercise any of the rights afforded under
9 subsections (1)(a) through (1)(d) of this section using commercially reasonable efforts, the controller may not
10 be required to comply with a request to initiate an action pursuant to this section and shall provide notice to the
11 consumer that the controller is unable to authenticate the request to exercise the right or rights until the
12 consumer provides additional information reasonably necessary to authenticate the consumer and the
13 consumer's request to exercise the consumer's rights. A controller may not be required to authenticate an opt-
14 out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and
15 documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller
16 believes the request is fraudulent, the controller shall send notice to the person who made the request
17 disclosing that the controller believes the request is fraudulent and that the controller may not comply with the
18 request.
19 (e) A controller that has obtained personal data about a consumer from a source other than the
20 consumer must be deemed in compliance with the consumer's request to delete the consumer's data pursuant
21 to subsection (1)(c) by:
22 (i) retaining a record of the deletion request and the minimum data necessary for the purpose of
23 ensuring the consumer's personal data remains deleted from the controller's records and not using the retained
24 data for any other purpose pursuant to the provisions of this part; or
25 (ii) opting the consumer out of the processing of the consumer's personal data for any purpose
26 except for those exempted pursuant to the provisions of this part.
27 (5) A controller shall establish a process for a consumer to appeal the controller's refusal to act on
28 a request within a reasonable period after the consumer's receipt of the decision. The appeal process must be - 2025
69th Legislature 2025 SB0297.2
- 14 - Authorized Print Version – SB 297
1 conspicuously available and like the process for submitting requests to initiate action pursuant to this section.
2 Not later than 60 days after receipt of an appeal, a controller shall inform the consumer in writing of any action
3 taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If
4 the appeal is denied, the controller shall also provide the consumer with an online mechanism, if available, or
5 other method through which the consumer may contact the attorney general to submit a complaint."
6 (6) In response to a consumer request under subsection (1)(a), a controller may not disclose the
7 following information about a consumer but shall inform the consumer instead with sufficient particularity that
8 the controller has collected this information:
9 (a) social security number;
10 (b) driver's license number or other government-issued identification number;
11 (c) financial account number;
12 (d) health insurance account number or medical identification number;
13 (e) account password, security questions, or answer; or
14 (f) biometric data.
15
16 Section 30-14-2812, MCA, is amended to read:
17 "30-14-2812. (1) A controller shall:
18 (a) limit the collection of personal data to what is adequate, relevant, and reasonably necessary in
19 relation to the purposes for which the personal data is processed, as disclosed to the consumer;
20 (b) establish, implement, and maintain reasonable administrative, technical, and physical data
21 security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the
22 volume and nature of the personal data at issue; and
23 (c) provide an effective mechanism for a consumer to revoke the consumer's consent under this
24 section that is at least as easy as the mechanism by which the consumer provided the consumer's consent and,
25 on revocation of the consent, cease to process the personal data as soon as practicable, but not later than 45
26 days after the receipt of the request.
27 (2) A controller may not:
28 (a) except as otherwise provided in this part, process personal data for purposes that are not - 2025
69th Legislature 2025 SB0297.2
- 15 - Authorized Print Version – SB 297
1 reasonably necessary to or compatible with the disclosed purposes for which the personal data is processed as
2 disclosed to the consumer unless the controller obtains the consumer's consent;
3 (b) process sensitive data concerning a consumer without obtaining the consumer's consent or, in
4 the case of the processing of sensitive data concerning a known child, without processing the sensitive data in
5 accordance with the Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501, et seq.;
6 (c) process personal data in violation of the laws of this state and federal laws that prohibit
7 unlawful discrimination against consumers;
8 (d) process the personal data of a consumer for the purposes of targeted advertising or sell the
9 consumer's personal data without the consumer's consent under circumstances in which a controller has actual
10 knowledge or willfully disregards that the consumer is at least 13 years of age but younger than 16 years of
11 age; or
12 (e) discriminate against a consumer for exercising any of the consumer rights contained in this
13 part, including denying goods or services, charging different prices or rates for goods or services, or providing a
14 different level of quality of goods or services to the consumer.
15 (3) Nothing in subsection (1) or (2) may be construed to require a controller to provide a product or
16 service that requires the personal data of a consumer that the controller does not collect or maintain or prohibit
17 a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer,
18 including offering goods or services for no fee, if the consumer has exercised their right to opt out pursuant to
19 this part or the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards,
20 premium features, discounts, or club card program.
21 (4) If a controller sells personal data to third parties or processes personal data for targeted
22 advertising, the controller shall clearly and conspicuously disclose the processing, as well as the way a
23 consumer may exercise the right to opt out of the processing in its privacy notice and provide access to a clear
24 and conspicuous method outside the privacy notice for a consumer to opt out of the sale or processing. This
25 method may include but is not limited to an internet hyperlink clearly labeled "your opt-out rights" or "your
26 privacy rights" that directly effectuates the opt-out request or takes consumers to a web page where the
27 consumer can make the opt-out request.
28 (5) A controller shall provide consumers with a reasonably accessible, clear, and meaningful - 2025
69th Legislature 2025 SB0297.2
- 16 - Authorized Print Version – SB 297
1 privacy notice that includes:
2 (a) the categories of personal data processed by the controller;
3 (b) the purpose for processing personal data;
4 (c) the categories of personal data that the controller sells to or shares with third parties, if any;
5 (d) the categories of third parties, if any, with which the controller sells or shares personal data;
6 and
7 (e) an active e-mail address or other mechanism that the consumer may use to contact the
8 controller; and
9 (f) an explanation of the rights provided by 30-14-2808(1) and how consumers may exercise their
10 consumer rights, including how a consumer may appeal a controller's decision regarding the consumer's
11 request. ; and
12 (g) the date the privacy notice was last updated.
13 (6) The privacy notice must be made available to the public in each language in which the
14 controller provides a product or service that is subject to the privacy notice or carries out activities related to the
15 product or service.
16 (7) The controller shall provide the privacy notice in a manner that is reasonably accessible to and
17 usable by individuals with disabilities.
18 (8) Whenever a controller makes a material change to the controller's privacy notice or practices,
19 the controller shall notify consumers affected by the material change with respect to any prospectively collected
20 personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially
21 different collection, processing, or transfer of previously collected personal data under the changed policy. The
22 controller shall take all reasonable electronic measures to provide notification regarding material changes to
23 affected consumers, taking into account available technology and the nature of the relationship.
24 (9) A controller is not required to provide a separate Montana-specific privacy notice or section of a
25 privacy notice if the controller's general privacy notice contains all the information required by this section.
26 (10) The privacy notice must be posted online through a conspicuous hyperlink using the word
27 "privacy" on the controller's website homepage or on a mobile device's application store page or download
28 page. A controller that maintains an application on a mobile device or other device shall also include a hyperlink - 2025
69th Legislature 2025 SB0297.2
- 17 - Authorized Print Version – SB 297
1 to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. A
2 controller that does not operate a website shall make the privacy notice conspicuously available to consumers
3 through a medium regularly used by the controller to interact with consumers, including but not limited to mail.
4 (6)(11) (a) A controller shall establish and describe in a privacy notice one or more secure and reliable
5 means for consumers to submit a request to exercise their consumer rights pursuant to this part considering the
6 ways in which consumers normally interact with the controller, the need for secure and reliable communication
7 of consumer requests, and the ability of the controller to verify the identity of the consumer making the request.
8 (b) A controller may not require a consumer to create a new account to exercise consumer rights
9 but may require a consumer to use an existing account."
10
11 Section 30-14-2816, MCA, is amended to read:
12 "30-14-2816. (1) Nothing in this part may be construed to
13 restrict a controller's or processor's ability to:
14 (a) comply with federal, state, or municipal ordinances or regulations;
15 (b) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by
16 federal, state, municipal, or other government authorities;
17 (c) cooperate with law enforcement agencies concerning conduct or activity that the controller or
18 processor reasonably and in good faith believes may violate federal, state, or municipal ordinances or
19 regulations;
20 (d) investigate, establish, exercise, prepare for, or defend legal claims;
21 (e) provide a product or service specifically requested by a consumer;
22 (f) perform under a contract to which a consumer is a party, including fulfilling the terms of a
23 written warranty;
24 (g) take steps at the request of a consumer prior to entering a contract;
25 (h) take immediate steps to protect an interest that is essential for the life or physical safety of the
26 consumer or another individual and when the processing cannot be manifestly based on another legal basis;
27 (i) prevent, detect, protect against, or respond to security incidents, identity theft, fraud,
28 harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of - 2025
69th Legislature 2025 SB0297.2
- 18 - Authorized Print Version – SB 297
1 systems, or investigate, report, or prosecute those responsible for any of these actions;
2 (j) engage in public or peer-reviewed scientific or statistical research in the public interest that
3 adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an
4 institutional review board that determines or similar independent oversight entities that determine:
5 (A)(i) whether the deletion of the information is likely to provide substantial benefits that do not
6 exclusively accrue to the controller;
7 (B)(ii) the expected benefits of the research outweigh the privacy risks; and
8 (C)(iii) whether the controller has implemented reasonable safeguards to mitigate privacy risks
9 associated with research, including any risks associated with re-identification;
10 (k) assist another controller, processor, or third party with any of the obligations under this part; or
11 (l) process personal data for reasons of public interest in public health, community health, or
12 population health, but solely to the extent that the processing is:
13 (A)(i) subject to suitable and specific measures to safeguard the rights of the consumer whose
14 personal data is being processed; and
15 (B)(ii) under the responsibility of a professional subject to confidentiality obligations under federal,
16 state, or local law.
17 (2) The obligations imposed on controllers or processors under this part may not restrict a
18 controller's or processor's ability to collect, use, or retain personal data for internal use to:
19 (a) conduct internal research to develop, improve, or repair products, services, or technology;
20 (b) effectuate a product recall;
21 (c) identify and repair technical errors that impair existing or intended functionality; or
22 (d) perform internal operations that are reasonably aligned with the expectations of the consumer
23 or reasonably anticipated based on the consumer's existing relationship with the controller or are otherwise
24 compatible with processing data in furtherance of the provision of a product or service specifically requested by
25 a consumer or the performance of a contract to which the consumer is a party.
26 (3) The obligations imposed on controllers or processors under this part may not apply when
27 compliance by the controller or processor with this part would violate an evidentiary privilege under the laws of
28 this state. Nothing in this part may be construed to prevent a controller or processor from providing personal - 2025
69th Legislature 2025 SB0297.2
- 19 - Authorized Print Version – SB 297
1 data concerning a consumer to a person covered by an evidentiary privilege under the laws of this state as part
2 of a privileged communication.
3 (4) A controller or processor that discloses personal data to a processor or third-party controller in
4 accordance with this part may not be considered to have violated this part if the processor or third-party
5 controller that receives and processes the personal data violates this part provided, at the time the disclosing
6 controller or processor disclosed the personal data, the disclosing controller or processor did not have actual
7 knowledge that the receiving processor or third-party controller would violate this part. A receiving processor or
8 third-party controller receiving personal data from a disclosing controller or processor in compliance with this
9 part is likewise not in violation of this part for the transgressions of the disclosing controller or processor from
10 which the receiving processor or third-party controller receives the personal data.
11 (5) Nothing in this part may be construed to:
12 (a) impose any obligation on a controller or processor that adversely affects the rights or freedoms
13 of any person, including but not limited to the rights of any person:
14 (i) to freedom of speech or freedom of the press guaranteed in the first amendment to the United
15 States constitution; or
16 (ii) under Rule 504 of the Montana Rules of Evidence; or
17 (b) apply to a person's processing of personal data during the person's personal or household
18 activities. ; or
19 (c) require a controller or processor to implement an age verification or age-gating system or
20 otherwise affirmatively collect the age of consumers, but a controller that chooses to conduct commercially
21 reasonable age estimation to determine which consumers are minors is not liable for an erroneous age
22 estimation.
23 (6) Personal data processed by a controller pursuant to this section may be processed to the
24 extent that the processing is:
25 (a) reasonably necessary and proportionate to the purposes listed in this section; and
26 (b) adequate, relevant, and limited to what is necessary in relation to the specific purposes listed in
27 this section. The controller or processor must, when applicable, consider the nature and purpose of the
28 collection, use, or retention of the personal data collected, used, or retained pursuant to subsection (2). The - 2025
69th Legislature 2025 SB0297.2
- 20 - Authorized Print Version – SB 297
1 personal data must be subject to reasonable administrative, technical, and physical measures to protect the
2 confidentiality, integrity, and accessibility of the personal data and to reduce reasonably foreseeable risks of
3 harm to consumers relating to the collection, use, or retention of personal data.
4 (7) If a controller processes personal data pursuant to an exemption in this section, the controller
5 bears the burden of demonstrating that the processing qualifies for the exemption and complies with the
6 requirements in subsection (6).
7 (8) Processing personal data for the purposes expressly identified in this section may not solely
8 make a legal entity a controller with respect to the processing."
9
10 Section 30-14-2817, MCA, is amended to read:
11 "30-14-2817.
12 and powers provided by Title 30, chapter 14, parts 1 and 2, to enforce violations pursuant to this part.
13 (2) The attorney general shall post on the attorney general's website:
14 (a) information relating to:
15 (i) the responsibilities of a controller pursuant to this part;
16 (ii) the responsibilities of a processor pursuant to this part; and
17 (iii) a consumer's rights pursuant to this part; and
18 (b) an online mechanism through which a consumer may submit a complaint regarding consumer
19 data privacy to the attorney general.
20 (3) (a) If the attorney general has reasonable cause to believe that a person has engaged in or is
21 engaging in a violation of this part, the attorney general may issue a civil investigative demand pursuant to 30-
22 14-113.
23 (b) As part of a civil investigative demand, the attorney general may request that a controller
24 disclose any data protection assessment that is relevant to an investigation conducted by the attorney general.
25 The attorney general may evaluate the data protection assessment for compliance with the requirements
26 pursuant to this part.
27 (2)(4) (a) The attorney general shall, prior to initiating any action for a violation of any provision of this
28 part, issue a notice of violation to the controller 30 days prior to bringing the action, identifying the specific - 2025
69th Legislature 2025 SB0297.2
- 21 - Authorized Print Version – SB 297
1 provisions of this part that the attorney general alleges have been or are being violated.
2 (b) If the controller fails to correct the violation within 60 30 days of receipt of the notice of violation,
3 the attorney general may bring an action pursuant to this section.
4 (c) If The attorney general may not bring an action against the controller if within the 60- day 30-
5 day period the controller corrects the noticed violation and provides the attorney general an express written
6 statement that:
7 (i) the alleged violations have been corrected and that no such further violations will occur, no
8 action must be initiated against the controller. ;
9 (ii) the controller has notified the consumer that the consumer's privacy violation was addressed, if
10 the consumer's contact information has been made available to the controller; and
11 (iii) the controller has made changes necessary to ensure that no further violations will occur.
12 (5) Actions brought by the department to enforce this part are subject to the statute of limitations
13 pursuant to 27-2-231.
14 (3)(6) Nothing in this part may be construed as providing the basis for or be subject to a private right
15 of action for violations of this part or any other law. (Subsection (2) terminates April 1, 2026--sec. 15, Ch. 681,
16 L. 2023.)"
17
18 NEW SECTION. Section 9. (1) (a)
19 A controller that offers an online service, product, or feature to a consumer whom the controller actually knows
20 or willfully disregards is a minor shall use reasonable care to avoid a heightened risk of harm to minors caused
21 by the online service, product, or feature.
22 (b) In an enforcement action brought by the attorney general pursuant to 30-14-2817, there is a
23 rebuttable presumption that a controller used reasonable care as required under this section if the controller
24 complied with this section.
25 (2) Unless a controller has obtained consent in accordance with subsection (3), a controller that
26 offers an online service, product, or feature to a consumer whom the controller actually knows or willfully
27 disregards is a minor may not:
28 (a) process a minor's personal data: - 2025
69th Legislature 2025 SB0297.2
- 22 - Authorized Print Version – SB 297
1 (i) for the purposes of:
2 (A) targeted advertising;
3 (B) the sale of personal data; or
4 (C) profiling in furtherance of decisions that produce legal or similarly significant effects concerning
5 a consumer;
6 (ii) for any processing purpose other than the processing purpose that the controller disclosed at
7 the time the controller collected the minor's personal data or that is reasonably necessary for and compatible
8 with the processing purpose that the controller disclosed at the time the controller collected the minor's personal
9 data; or
10 (iii) for longer than is reasonably necessary to provide the online service, product, or feature;
11 (b) use a system design feature to significantly increase, sustain, or extend a minor's use of the
12 online service, product, or feature; or
13 (c) collect a minor's precise geolocation data unless:
14 (i) the minor's precise geolocation data is reasonably necessary for the controller to provide the
15 online service, product, or feature;
16 (ii) the controller only collects and retains the minor's precise geolocation data for the time
17 necessary to provide the online service, product, or feature; and
18 (iii) the controller provides to the minor a signal indicating that the controller is collecting the
19 minor's precise geolocation data and makes the signal available to the minor for the entire duration of the
20 collection of the minor's precise geolocation data. This subsection (2)(c)(iii) does not apply to a service or
21 application that is used by and under the direction of a ski area operator.
22 (3) (a) A controller may not engage in the activities described in subsection (2) unless the
23 controller obtains:
24 (i) the minor's consent; or
25 (ii) if the minor is a child, the consent of the minor's parent or legal guardian. A controller that
26 complies with the verifiable parental consent requirements established in the Children's Online Privacy
27 Protection Act of 1998, 15 U.S.C. 6501, et seq., as amended, and the regulations, rules, guidance, and
28 exemptions adopted pursuant to this act, as amended, is considered to have satisfied any requirement to obtain - 2025
69th Legislature 2025 SB0297.2
- 23 - Authorized Print Version – SB 297
1 parental consent under this subsection (3)(a)(ii).
2 (b) (i) A controller that offers an online service, product, or feature to a consumer whom the
3 controller actually knows or willfully disregards is a minor may not:
4 (A) provide a consent mechanism that is designed to substantially subvert or impair or is
5 manipulated with the effect of substantially subverting or impairing user autonomy, decision-making, or choice;
6 or
7 (B) except as provided in subsection (3)(b)(ii), offer a direct messaging apparatus for use by a
8 minor without providing readily accessible and easy-to-use safeguards to limit the ability of an adult to send
9 unsolicited communications to the minor with whom the adult is not connected.
10 (ii) Subsection (3)(b)(i)(B) does not apply to an online service, product, or feature of which the
11 predominant or exclusive function is:
12 (A) electronic mail; or
13 (B) direct messaging consisting of text, photos, or videos that are sent between devices by
14 electronic means in which messages are:
15 (I) shared between the sender and the recipient;
16 (II) only visible to the sender and the recipient; and
17 (III) not posted publicly.
18 (4) Subsections (2)(a) and (2)(b) do not apply to a service or application that is used by and under
19 the direction of an educational entity, including a learning management system or a student engagement
20 program.
21
22 NEW SECTION. Section 10. (1) A
23 processor shall adhere to the instructions of a controller and shall assist the controller to meet the controller's
24 obligations under [sections 9 and 11], taking into account the nature of the processing and the information
25 available to the processor. The processor shall assist the controller by:
26 (a) taking appropriate technical and organizational measures, insofar as this is possible, for the
27 fulfillment of the controller's obligations under [section 9]; and
28 (b) providing information to enable the controller to conduct and document data protection - 2025
69th Legislature 2025 SB0297.2
- 24 - Authorized Print Version – SB 297
1 assessments pursuant to [section 11].
2 (2) A contract between a controller and a processor must satisfy the requirements of 30-14-
3 2813(2).
4 (3) Nothing in this section may be construed to relieve a controller or processor from the liabilities
5 imposed on the controller or processor by virtue of the controller's or processor's role in the processing
6 relationship as described in [sections 9 and 11].
7 (4) Determining whether a person is acting as a controller or processor with respect to a specific
8 processing of personal data is a fact-based determination that depends on the context in which personal data is
9 to be processed. A person that is not limited in the person's processing of personal data pursuant to a
10 controller's instructions or that fails to adhere to the instructions is a controller and not a processor with respect
11 to a specific processing of personal data. A processor that continues to adhere to a controller's instructions with
12 respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly
13 with others, determining the purposes and means of the processing of personal data, the processor is a
14 controller with respect to the processing and may be subject to an enforcement action under 30-14-2817.
15
16 NEW SECTION. Section 11.
17 (1) A controller that, on or after October 1, 2025, offers an online service, product, or feature to a
18 consumer whom the controller actually knows or willfully disregards is a minor shall conduct a data protection
19 assessment for the online service, product, or feature if there is a heightened risk of harm to minors. The
20 controller shall conduct the data protection assessment:
21 (a) in a manner that is consistent with the requirements established in 30-14-2814; and
22 (b) to address:
23 (i) the purpose of the online service, product, or feature;
24 (ii) the categories of a minor's personal data that the online service, product, or feature processes;
25 (iii) the purposes for which the controller processes a minor's personal data with respect to the
26 online service, product, or feature; and
27 (iv) a heightened risk of harm to minors that is a reasonably foreseeable result of offering the
28 online service, product, or feature to minors. - 2025
69th Legislature 2025 SB0297.2
- 25 - Authorized Print Version – SB 297
1 (2) A controller that conducts a data protection assessment pursuant to subsection (1) shall:
2 (a) review the data protection assessment as necessary to account for a material change to the
3 processing operations of the online service, product, or feature that is the subject of the data protection
4 assessment; and
5 (b) maintain documentation concerning the data protection assessment for the longer of:
6 (i) 3 years after the date on which the processing operations cease; or
7 (ii) the date the controller ceases offering the online service, product, or feature.
8 (3) A single data protection assessment may address a comparable set of processing operations
9 that include similar activities.
10 (4) If a controller conducts a data protection assessment for the purpose of complying with another
11 applicable law or regulation, the data protection assessment is considered to satisfy the requirements
12 established in this section if the data protection assessment is reasonably similar in scope and effect to the data
13 protection assessment that would otherwise be conducted pursuant to this section.
14 (5) If a controller conducts a data protection assessment pursuant to subsection (1) or a data
15 protection assessment review pursuant to subsection (2)(a) and determines that the online service, product, or
16 feature that is the subject of the assessment poses a heightened risk of harm to minors, the controller shall
17 establish and implement a plan to mitigate or eliminate the heightened risk.
18 (6) (a) A data protection assessment conducted pursuant to this section:
19 (i) is confidential, except as provided in subsection (6)(b); and
20 (ii) is not a public record and is exempt from public inspection and copying under the Freedom of
21 Information Act, 5 U.S.C. 552.
22 (b) (i) A controller shall make a data protection assessment conducted pursuant to this section
23 available to the attorney general on request. The attorney general may evaluate the data protection
24 assessment for compliance with this section and with other laws.
25 (ii) The disclosure of a data protection assessment pursuant to a request from the attorney general
26 does not constitute a waiver of any attorney-client privilege or work-product protection that might otherwise
27 exist with respect to the assessment and any information in the assessment.
28 (7) Data protection assessment requirements apply to processing activities created or generated - 2025
69th Legislature 2025 SB0297.2
- 26 - Authorized Print Version – SB 297
1 after October 1, 2025, and are not retroactive.
2
3 NEW SECTION. Section 12. (1) A violation of this part is a violation of Title
4 30, chapter 14, parts 1 and 2.
5 (2) A person who violates the provisions of this part following the 30-day period described in 30-
6 14-2817(3) or who breaches a written statement provided to the attorney general under 30-14-2817(4)(c) is
7 liable for a civil penalty in an amount not to exceed $7,500 for each violation.
8 (3) The attorney general may bring an action in the name of this state to:
9 (a) recover a civil penalty under this section;
10 (b) restrain or enjoin the person from violating this part; or
11 (c) recover the civil penalty and seek injunctive relief.
12 (4) The attorney general may recover reasonable attorney fees and other reasonable expenses
13 incurred in investigating and bring an action under this section.
14 (5) The attorney general shall deposit a civil penalty collected under this section in a special
15 revenue account to the credit of the department pursuant to 30-14-143.
16
17 NEW SECTION. Section 13. Actions brought by the department to enforce
18 this part are subject to the statute of limitations pursuant to 27-2-231.
19
20 NEW SECTION. Section 14. Actions brought by the department to enforce
21 this part are subject to the statute of limitations pursuant to 27-2-231.
22
23 NEW SECTION. Section 15. Section 15, Chapter 681, Laws of 2023, is repealed.
24
25 NEW SECTION. Section 16. (1) [Sections 9 through 12] are intended to
26 be codified as an integral part of Title 30, chapter 14, part 28, and the provisions of Title 30, chapter 14, part 28,
27 apply to [sections 9 through 12].
28 (2) [Section 13] is intended to be codified as an integral part of Title 30, chapter 14, part 1, and the - 2025
69th Legislature 2025 SB0297.2
- 27 - Authorized Print Version – SB 297
1 provisions of Title 30, chapter 14, part 1, apply to [section 13].
2 (3) [Section 14] is intended to be codified as an integral part of Title 30, chapter 14, part 2, and the
3 provisions of Title 30, chapter 14, part 2, apply to [section 14].
4 - END -