Tag: Montana

Consumer Privacy Update: What Organizations Need to Know About Impending State Privacy Laws Going into Effect in 2024 and 2025

Over the past several years, the number of states with comprehensive consumer data privacy laws has increased exponentially from just a handful—California, Colorado, Virginia, Connecticut, and Utah—to up to twenty by some counts.

Many of these state laws will go into effect starting Q4 of 2024 through 2025. We have previously written in more detail on New Jersey’s comprehensive data privacy law, which goes into effect January 15, 2025, and Tennessee’s comprehensive data privacy law, which goes into effect July 1, 2025. Some laws have already gone into effect, like Texas’s Data Privacy and Security Act, and Oregon’s Consumer Privacy Act, both of which became effective July of 2024. Now is a good time to take stock of the current landscape as the next batch of state privacy laws go into effect.

Over the next year, the following laws will become effective:

  1. Montana Consumer Data Privacy Act (effective Oct. 1, 2024)
  2. Delaware Personal Data Privacy Act (effective Jan. 1, 2025)
  3. Iowa Consumer Data Protection Act (effective Jan. 1, 2025)
  4. Nebraska Data Privacy Act (effective Jan. 1, 2025)
  5. New Hampshire Privacy Act (effective Jan. 1, 2025)
  6. New Jersey Data Privacy Act (effective Jan. 15, 2025)
  7. Tennessee Information Protection Act (effective July 1, 2025)
  8. Minnesota Consumer Data Privacy Act (effective July 31, 2025)
  9. Maryland Online Data Privacy Act (effective Oct. 1, 2025)

These nine state privacy laws contain many similarities, broadly conforming to the Virginia Consumer Data Protection Act we discussed here.  All nine laws listed above contain the following familiar requirements:

(1) disclosing data handling practices to consumers,

(2) including certain contractual terms in data processing agreements,

(3) performing risk assessments (with the exception of Iowa); and

(4) affording resident consumers with certain rights, such as the right to access or know the personal data processed by a business, the right to correct any inaccurate personal data, the right to request deletion of personal data, the right to opt out of targeted advertising or the sale of personal data, and the right to opt out of the processing sensitive information.

The laws contain more than a few noteworthy differences. Each of the laws differs in terms of the scope of their application. The applicability thresholds vary based on: (1) the number of state residents whose personal data the company (or “controller”) controls or processes, or (2) the proportion of revenue a controller derives from the sale of personal data. Maryland, Delaware, and New Hampshire each have a 35,000 consumer processing threshold. Nebraska, similar to the recently passed data privacy law in Texas, applies to controllers that that do not qualify as small business and process personal data or engage in personal data sales. It is also important to note that Iowa adopted a comparatively narrower definition of what constitutes as sale of personal data to only transactions involving monetary consideration. All states require that the company conduct business in the state.

With respect to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Iowa’s, Montana’s, Nebraska’s, New Hampshire’s, and Tennessee’s laws exempt HIPAA-regulated entities altogether; while Delaware’s, Maryland’s, Minnesota’s, and New Jersey’s laws exempt only protected health information (“PHI”) under HIPAA. As a result, HIPAA-regulated entities will have the added burden of assessing whether data is covered by HIPAA or an applicable state privacy law.

With respect to the Gramm-Leach-Bliley Act (“GLBA”), eight of these nine comprehensive privacy laws contain an entity-level exemption for GBLA-covered financial institutions. By contrast, Minnesota’s law exempts only data regulated by GLBA. Minnesota joins California and Oregon as the three state consumer privacy laws with information-level GLBA exemptions.

Not least of all, Maryland’s law stands apart from the other data privacy laws due to a number of unique obligations, including:

  • A prohibition on the collection, processing, and sharing of a consumer’s sensitive data except when doing so is “strictly necessary to provide or maintain a specific product or service requested by the consumer.”
  • A broad prohibition on the sale of sensitive data for monetary or other valuable consideration unless such sale is necessary to provide or maintain a specific product or service requested by a consumer.
  • Special provisions applicable to “Consumer Health Data” processed by entities not regulated by HIPAA. Note that “Consumer Health Data” laws also exist in Nevada, Washington, and Connecticut as we previously discussed here.
  • A prohibition on selling or processing minors’ data for targeted advertising if the controller knows or should have known that the consumer is under 18 years of age.

While states continue to enact comprehensive data privacy laws, there remains the possibility of a federal privacy law to bring in a national standard. The American Privacy Rights Act (“APRA”) recently went through several iterations in the House Committee on Energy and Commerce this year, and it reflects many of the elements of these state laws, including transparency requirements and consumer rights. A key sticking point, however, continues to be the broad private right of action included in the proposed APRA but absent from all state privacy laws. Only California’s law, which we discussed here, has a private right of action, although it is narrowly circumscribed to data breaches.  Considering the November 2024 election cycle, it is likely that federal efforts to create a comprehensive privacy law will stall until the election cycle is over and the composition of the White House and Congress is known.

©2024 Epstein Becker & Green, P.C. All rights reserved.
For more on Data Privacy, visit the NLR Communications Media Internet section.

Montana Passes 9th Comprehensive Consumer Privacy Law in the U.S.

On May 19, 2023, Montana’s Governor signed Senate Bill 384, the Consumer Data Privacy Act. Montana joins California, Colorado, Connecticut, Indiana, Iowa, Tennessee, Utah, and Virginia in enacting a comprehensive consumer privacy law. The law is scheduled to take effect on October 1, 2024.

When does the law apply?

The law applies to a person who conducts business in the state of Montana and:

  • Controls or processes the personal data of not less than 50,000 consumers (defined as Montana residents), excluding data controlled or processed solely to complete a payment transaction.
  • Controls and processes the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

Hereafter these covered persons are referred to as controllers.

The following entities are exempt from coverage under the law:

  • Body, authority, board, bureau, commission, district, or agency of this state or any political subdivision of this state;
  • Nonprofit organization;
  • Institution of higher education;
  • National securities association that is registered under 15 U.S.C. 78o-3 of the federal Securities Exchange Act of 1934;
  • A financial institution or an affiliate of a financial institution governed by Title V of the Gramm- Leach-Bliley Act;
  • Covered entity or business associate as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act (HIPAA);

Who is protected by the law?

Under the law, a protected consumer is defined as an individual who resides in the state of Montana.

However, the term consumer does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.

What data is protected by the law?

The statute protects personal data defined as information that is linked or reasonably linkable to an identified or identifiable individual.

There are several exemptions to protected personal data, including for data protected under HIPAA and other federal statutes.

What are the rights of consumers?

Under the new law, consumers have the right to:

  • Confirm whether a controller is processing the consumer’s personal data
  • Access Personal Data processed by a controller
  • Delete personal data
  • Obtain a copy of personal data previously provided to a controller.
  • Opt-out of the processing of the consumer’s personal data for the purpose of targeted advertising, sales of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

What obligations do businesses have?

The controller shall comply with requests by a consumer set forth in the statute without undue delay but no later than 45 days after receipt of the request.

If a controller declines to act regarding a consumer’s request, the business shall inform the consumer without undue delay, but no later than 45 days after receipt of the request, of the reason for declining.

The controller shall also conduct and document a data protection assessment for each of their processing activities that present a heightened risk of harm to a consumer.

How is the law enforced?

Under the statute, the state attorney general has exclusive authority to enforce violations of the statute. There is no private right of action under Montana’s statute.

Jackson Lewis P.C. © 2023

For more Privacy Legal News, click here to visit the National Law Review.

Five States Put Abortion Questions on the Ballot; Health Care and Other Employers Should Stay Tuned

In the wake of the landmark decision in Dobbs v. Jackson Women’s Health Organization, we have been closely monitoring legal developments across the country. In addition to well publicized “trigger laws” that were effectuated as a result of the U.S. Supreme Court’s order, states have taken up a variety of legislative actions in response to the ruling, which placed authority for the regulation of abortion with the states.

On Election Day, five states will have voters consider various proposals in light of Dobbs and its directive that abortion law belongs with the people. Here is a run-down of abortion-related ballot initiatives that will be put to a popular vote on November 8, 2022.

A Constitutional Amendment for California

On the ballot in California is Proposition 1: Constitutional Right to Reproductive Freedom, which would amend the state Constitution at Article I, Section 1.1, to provide that the state cannot “deny or interfere with an individual’s reproductive freedom in their most intimate decisions, which includes their fundamental right to choose to have an abortion and their fundamental right to choose or refuse contraceptives.” Any amendment to the California Constitution requires a simple majority of voters. If the amendment is passed, changes take effect the fifth day after the Secretary of State files the statement of the vote for the election.

Should Proposition 1 pass, it would add express protection for reproductive freedom, including decisions about abortion and contraception, to the state constitution, under its existing guaranteed right to privacy. If the proposition does not pass, it will not affect the status quo of reproductive rights in California: while current protections for abortion and other reproductive medical care would not be constitutionally guaranteed, they would remain in place under state law.

California currently has strong protections for the right to abortion, generally only prohibiting abortion at viability. Since the Dobbs decision earlier this year, California has promoted access to abortion, including launching abortion.ca.gov, a website dedicated towards providing information on reproductive health care services to people both inside and outside of California. Recently, in late September, Governor Gavin Newsom signed a package of 12 bills of abortion protections, aimed towards improving access to abortion and protecting patients and clinicians who undergo or provide them.

With the backdrop of an already-strong California legal reproductive health network, consistent polling indicates the ballot measure is expected to pass by a wide margin. Passage of the proposition will likely signal and establish the state as a refuge for individuals from more restrictive states seeking abortions.

Michigan May Modify its Constitution, Too

Michigan will also turn to its voters to decide whether its state constitution should be amended to include protections for abortion. The Michigan proposal, referred to as “Proposal 3 of 2022 – ‘Reproductive Freedom for All’ Petition,” seeks to protect the right to an abortion with a constitutional amendment that declares a right to reproductive freedom. The petition sets forth proposed language for a new section of the Michigan Constitution, stating, in part, that “[e]very individual has a fundamental right to reproductive freedom, which entails the right to make and effectuate decisions about all matters relating to pregnancy, including but not limited to prenatal care, childbirth, postpartum care, contraception, sterilization, abortion care, miscarriage management, and infertility care.”

Proposal 3 would take effect 45 days following the ballot initiative if approved by the majority of voters. It would (1) establish new individual rights to reproductive freedom, to broadly include the right to make and carry out all decisions relating to pregnancy; (2) permit state regulation of abortion in limited circumstances; (3) forbid discrimination in enforcement of reproductive rights; (4) prohibit adverse action by the state with respect to “potential, perceived, or alleged pregnancy outcomes;” and (5) invalidate state laws that conflict with the Constitution as amended by Proposal 3.

If Proposal 3 is not passed and the state constitution remains as is, the future of the right to an abortion in Michigan will be unclear. Michigan has a pre-Roe ban that, if enforced, would prohibit abortion in nearly all situations and make abortions in non-life saving circumstances potentially prosecuted as manslaughter. However, a Michigan Court of Claims judge granted a permanent injunction in Governor Gretchen Whitmer’s suit to block local prosecutors from enforcing the ban. The ban is subject to an ongoing lawsuit.

Given the uncertainty of the ballot initiative’s outcome, Michigan employers should closely monitor the results of the November 8, 2022 vote.

Vermont’s Vote

In Vermont, abortion remains legal after Dobbs under state law. However, on November 8, 2022, voters will have the opportunity to further protect abortion rights through a ballot initiative. This initiative, referred to as Proposal 5, asks registered Vermont voters whether they are in favor of amending the state’s constitution to add the following language: “That an individual’s right to personal reproductive autonomy is central to the liberty and dignity to determine one’s own life course and shall not be denied or infringed unless justified by a compelling State interest achieved by the least restrictive means.” Passage would guarantee the right to access and obtain an abortion as well as other reproductive care, and prohibit government infringement of reproductive rights absent a compelling state interest, which would need to be achieved through the least restrictive means.

Should Proposal 5 pass, the resulting constitutional amendment is not expected to significantly alter the legal landscape of abortion in Vermont, which currently has strong protection for the right to abortion. If approved, the amendment will become part of Vermont’s constitution on November 22, 2022.

In Contrast, Kentucky Seeks to Constitutionally Exclude Abortion Rights

Kentuckians will cast their votes deciding whether to amend the state’s constitution to explicitly provide that the state constitution offers no protection for a right to abortion. The proposal further clarifies that there is no constitutional right to use public funds for abortion. “Constitutional Amendment 2” poses the following question to voters: “Are you in favor of amending the Constitution of Kentucky by creating a new Section of the Constitution to be numbered Section 26A to state as follows: ‘To protect human life, nothing in this Constitution shall be construed to secure or protect a right to abortion or require the funding of abortion?’”

If the majority of votes are affirmative, a new section will be added to Kentucky’s constitution. This does not constitute an outright abortion ban, but rather prohibits courts from finding an implicit right to an abortion within the state’s constitution. Kentucky laws restricting abortion, including those triggered by Dobbs, are among the most restrictive in the nation. Approval of Constitutional Amendment 2 would not alter these laws or their existing narrow exceptions, which permit the procedure only when necessary to preserve the health or life of the mother.

An advisory from the Kentucky Attorney General provides further color on the ramifications of the amendment, noting that Amendment 2 does not ban abortion, but rather ensures that elected officials of Kentucky’s General Assembly, and not courts, would regulate abortion. The Advisory also explains that implementation of Amendment 2 would not amend other provisions in the state’s constitution.

Montana’s Ballot – NOT a Proposed Constitutional Amendment

Abortion is currently legal in Montana, as a 1999 Supreme Court ruling held that the state constitution protects abortion under its right-of-privacy provision. However, in 2021, a number of restrictive abortion laws were enacted, including a law that prohibits abortions after 20 weeks. These laws are under legal challenge by abortion providers and are temporarily enjoined pending litigation.

Meanwhile, on the ballot for November 8 is a referendum on LR-131, also known as the Born Alive Infant Protection Act. The Act proposes a new statute that would classify any infant born alive as “a legal person” and require the provision of “medically appropriate and reasonable care” to such person. This would include all infants born alive from an induced labor, C-section, or attempted abortion. The Act also includes a provision mandating providers, employees, and volunteers to report a failure to comply to law enforcement, and sets forth criminal penalties. Violation of this law would be a felony with a maximum sentence of 20 years in prison or a fine of up to $50,000. The proposed law is aimed at health care workers, and does not impose liability on parents or other parties.

Health care providers have raised concerns that the broad language of the bill could lead to unintended consequences, particularly for OB/GYN practitioners. Health care providers would be required to take “medically appropriate and reasonable care” to keep any infant alive, but these terms are not defined in the bill. Health care workers that could be held liable include doctors, nurses, and “any individual who may be asked to participate in any way in a health care service of procedure.”

If approved by the Montana electorate, the law would take effect on January 1, 2023. Hospitals and other health care providers would need to reexamine their operating procedures to comply with the bill, should it pass, including compliance with the mandatory reporting requirement.

Keeping Up With The Changes

We continue to track litigation, legislative developments, and the entirety of the post-Dobbs legal landscape as it continues to shift. Our 50-state survey and other resources provide employers, health care providers, life sciences stakeholders, and others impacted by these rapidly changing circumstances with in-depth analysis and monthly updates. Election Day results will be another element of this evolving story.

Article By Susan Gross Sholinsky, Amy K. Dow, and Catherine Kang of Epstein Becker & Green, P.C.

For more labor and employment legal news, click here to visit the National Law Review.

©2022 Epstein Becker & Green, P.C. All rights reserved.