A BILL FOR AN ACT ENTITLED: "AN ACT providing online personal information protections; requiring privacy policy postings; providing penalties and fees; and PROVIDING AN EFFECTIVE DATE."
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MONTANA:
NEW SECTION. Section 1. Definitions. As used in [sections 1 through 3], the following definitions apply:
(1) "Consumer" means an individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.
(2) (a) "Operator" means a person or entity that owns a website or an online service that collects and maintains personally identifiable information from a consumer residing in the state that is operated for commercial purposes.
(b) The term does not include a third party that operates, hosts, or manages, but does not own, a website or online service on the owner's behalf.
(3) "Personally identifiable information" means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form. The term includes but is not limited to the following:
(b) a home or other physical address, including a street name and a name of a city or town;
(h) socioeconomic information;
(k) text messages, documents, search activity, photos, voice recordings, or geolocation information;
(l) any other identifier that permits the physical or online contacting of a specific individual; and
(m) information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with identification information.
NEW SECTION. Section 2. Online privacy policy requirements. (1) An operator that collects personally identifiable information about individual consumers residing in the state shall conspicuously post a privacy policy on its website, or in the case of an operator of an online service, make that policy available.
(2) Subject to subsection (1), an operator's privacy policy must:
(a) identify the categories of personally identifiable information that the operator collects through the website or online service about individual consumers who use or visit the website or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information;
(b) if the operator maintains a process for an individual consumer who uses or visits its website or online service to review and request changes to any of the individual consumer's personally identifiable information that is collected, provide a description of that process;
(c) describe the process by which the operator notifies consumers who use or visit its website or online service of material changes to the operator's privacy policy for that website or online service;
(d) identify its effective date;
(e) disclose how the operator responds to web browser "do not track" signals or other mechanisms that provide consumers the ability to exercise choice regarding the collection of personally identifiable information about an individual consumer's online activities over time and across third-party sites or services, if the operator engages in that collection; and
(f) disclose whether other parties may collect personally identifiable information about an individual consumer's online activities over time and across different websites when a consumer uses the operator's website or online service.
(3) This section does not limit the authority of a law enforcement agency to obtain any content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction.
(4) This section does not impose a duty on:
(a) a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance of this section on those applications or software; or
(b) a provider of an interactive computer service, as defined in 47 U.S.C. 230, to review or enforce compliance with this section by third-party content providers.
NEW SECTION. Section 3. Privacy policy noncompliance penalties. (1) An operator in violation of [section 2] 30 days following a notice of noncompliance is guilty of a misdemeanor and, if convicted by a court of competent jurisdiction, shall be fined not less than $200 or more than $500.
(2) Operators that seek to appeal a noncompliance ruling shall pay an initial filing fee not to exceed $50.
NEW SECTION. Section 4. Codification instruction. [Sections 1 through 3] are intended to be codified as an integral part of Title 30, and the provisions of Title 30 apply to [sections 1 through 3].
NEW SECTION. Section 5. Effective date. [This act] is effective July 1, 2021.