Data Protection Impact Assessment (DPIA) (MT)

DATA PROTECTION IMPACT ASSESSMENT (DPIA)

(State overlay: MT)

1. Project Overview

  • Project name/ID: [name]; owner: [business owner]; sponsor: [executive].
  • Purpose and objectives: [describe].
  • Timeline and launch date: [dates].

2. Scope of Processing

  • Data subjects: [customers/employees/vendors/end users].
  • Personal data categories: [contact, IDs, financial, location, biometric, health, minors].
  • Sensitive data (MCDPA definition): Check all that apply: (1) Personal data revealing racial or ethnic origin; (2) Religious beliefs; (3) Mental or physical health diagnosis; (4) Citizenship or immigration status; (5) Genetic data processed for purpose of uniquely identifying consumer; (6) Biometric data processed for purpose of uniquely identifying consumer; (7) Personal data of known child (under 13 years of age). CRITICAL: Parental/guardian consent required for processing personal data of children ages 13-16 for sale, profiling, and targeted advertising (effective October 1, 2025 per SB 297). Opt-in consent required for processing sensitive data.
  • Volume and retention: [records/year], [retention schedule and deletion triggers per business purpose; limit collection to reasonably necessary for disclosed purposes].
  • Processing activities: [collection, storage, analysis, sharing, sale/sharing status]. MCDPA definitions: "Sale" = exchange of personal data for monetary or other valuable consideration; "Targeted advertising" = displaying an advertisement selected based on personal data obtained from the consumer's activities over time to predict preferences or interests; "Profiling" = automated processing to evaluate, analyze, or predict consumer characteristics including economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

3. Legal Basis, Notices, and Rights

  • Primary state privacy law(s): Montana Consumer Data Privacy Act (MCDPA), Mont. Code Ann. § 30-14-2701 et seq., effective October 1, 2024; significantly amended by SB 297 effective October 1, 2025.
  • Applicability thresholds: CRITICAL - LOWERED BY SB 297: Entity conducting business in Montana that controls or processes personal data of: (1) 25,000+ Montana consumers (formerly 50,000; NOW LOWEST THRESHOLD OF ANY STATE); OR (2) 15,000+ consumers (formerly 25,000) AND derives more than 25% of gross revenue from sale of personal data. No minimum revenue threshold. Montana is first Republican-controlled legislature to enact comprehensive consumer privacy law with universal opt-out requirement.
  • Entity type exemptions: GLBA-covered financial institutions for activities subject to GLBA, HIPAA-covered entities/business associates for protected health information, higher education institutions, nonprofit organizations, government entities, tribal entities, certain employment/business-to-business contexts.
  • Consumer rights covered: (1) Right to confirm whether controller is processing personal data and access personal data; (2) Right to correct inaccuracies in personal data; (3) Right to delete personal data; (4) Right to obtain copy of personal data in portable and readily usable format; (5) Right to opt out of sale of personal data, targeted advertising, and profiling in furtherance of decisions producing legal or similarly significant effects. Response timeline: 45 days (with one 45-day extension if reasonably necessary; must inform consumer of extension and reason). Authentication: Reasonable efforts to verify consumer identity.
  • Consent/opt-out mechanics required for sensitive data, minors, targeted ads, sale/sharing: (1) Opt-in consent required for processing sensitive data (consumers must affirmatively indicate agreement); (2) CRITICAL SB 297: Effective October 1, 2025, parental/guardian consent required for processing personal data of children ages 13-16 for sale, profiling, and targeted advertising; (3) Children under 13: Sensitive data requiring opt-in consent per COPPA; (4) Dark patterns prohibited for obtaining consent; (5) Must recognize universal opt-out mechanisms (e.g., Global Privacy Control) effective January 1, 2025; (6) Consumer must take affirmative action to set up universal opt-out mechanism.
  • Notice/labeling requirements: Privacy notice must be reasonably accessible, clear, and meaningful, disclosing: categories of personal data processed, purposes, how to exercise consumer rights, categories of personal data shared with third parties, categories of third parties, how to opt out of sale/targeted advertising. Must provide mechanism for submitting requests.
  • Contracts with processors/service providers: Contract required between controller and processor. Must include: clear instructions for data processing; nature and purpose of processing; type of personal data; duration of processing; rights and obligations of both parties; requirement that processor assists controller in meeting MCDPA obligations; requirement that processor deletes or returns data upon completion of services or at controller's direction.

4. Data Flow and Transfers

  • Source systems: [list]; storage/hosting locations: [cloud region/data centers].
  • Cross-border transfers: [EU/UK/other]; transfer tool: [SCCs/IDTA/CBPR if applicable].
  • Recipients/vendors: [processors/subprocessors/controllers]; due diligence status and DPAs in place.
  • Access controls: RBAC groups, least privilege, joiner/mover/leaver process.

5. Security and Controls

  • Technical controls: Encryption in transit/at rest [specify algorithms/key lengths], key management [HSM/KMS], network segmentation, endpoint protections [EDR/AV], logging/monitoring [SIEM], DLP, backups [frequency/retention/testing], vulnerability management [scanning cadence/remediation SLAs].
  • Organizational controls: Written information security policies, annual training cadence, vendor due diligence [security questionnaires/assessments], incident response playbook [tested annually], change management, privacy-by-design reviews.
  • Authentication/authorization: [MFA method: TOTP/FIDO2/SMS]; [SSO/SAML provider]; session timeouts [specify]; privileged access reviews [quarterly/semi-annual].
  • Reasonable security: Controllers must establish and maintain reasonable data security safeguards (administrative, technical, physical) to protect confidentiality and integrity of consumer data.

6. Risks and Impact Assessment

  • Risks/threats: [unauthorized access, data minimization failure, purpose creep, profiling risk, transfer risk, children/minors risk (ages 13-16 require heightened protections per SB 297), sensitive data processing].
  • Likelihood: [low/medium/high]; Impact: [low/medium/high]; Risk rating matrix: [insert].
  • Profiling-specific risks: Unfair or deceptive treatment, financial/physical/reputational injury, intrusion on solitude or seclusion offensive to reasonable person.
  • SB 297 minor-specific risks: Controllers must conduct DPAs specifically for minors and implement plan to mitigate or eliminate heightened risks.

7. Mitigations and Residual Risk

  • Planned mitigations: [controls, timelines, owners].
  • Testing/validation: [pen test, DPIA/ROPA updates, privacy-by-design checklist].
  • Residual risk after mitigations: [rating]; decision: [accept/mitigate further/block].

8. Incident Response and Breach Notification

  • Breach notification statute: Mont. Code Ann. § 30-14-1704 (Computer security breach); enacted 2006, amended 2015.
  • Timeline: Notice to affected Montana residents required WITHOUT UNREASONABLE DELAY, consistent with legitimate needs of law enforcement or consistent with measures necessary to determine scope of breach and restore reasonable integrity of data system. No specific day limit (unlike many states with fixed deadlines).
  • Notification triggers: Breach of security of data system = unauthorized acquisition of computerized data that compromises security, confidentiality, or integrity of personal information. Personal information = Montana resident's first name or first initial and last name in combination with one or more of: (a) SSN; (b) Driver's license number; (c) Financial account number or credit/debit card number with required security code/access code/password to permit account access.
  • Encryption safe harbor: Notification not required if personal information was encrypted and encryption key was not and is not reasonably believed to have been acquired by unauthorized person.
  • Regulator/AG notice: Person/business required to notify consumers must SIMULTANEOUSLY submit electronic copy of notification and statement providing date and method of distribution to Attorney General's consumer protection office (excluding personally identifying information). If notification made to more than one individual, single copy submitted indicating number of Montana residents who received notification.
  • Content requirements: Notice to consumers must be clear and conspicuous, providing: description of incident; types of personal information subject to breach; steps taken to investigate; contact information for consumer inquiries; any applicable remediation services offered.
  • Third-party data maintainers: Person/business maintaining computerized data including personal information not owned must notify owner/licensee of information of any breach IMMEDIATELY FOLLOWING DISCOVERY.
  • Law enforcement delay: Notification may be delayed if law enforcement determines notification will impede criminal investigation and requests delay. Notification must be made after law enforcement determines notification will not compromise investigation.
  • Coordination with other states/GLBA/HIPAA requirements if multi-state: [Coordinate breach notification obligations; GLBA and HIPAA have separate timelines and requirements].

9. State Overlay Checklist (MT)

  • Applicability thresholds and exemptions: CRITICAL - SB 297 LOWERED THRESHOLDS: 25,000+ Montana consumers (formerly 50,000; NOW LOWEST OF ANY STATE) OR 15,000+ consumers + >25% revenue from sale (formerly 25,000). No revenue minimum. First Republican-controlled legislature to require universal opt-out. Exemptions: GLBA institutions (for GLBA activities), HIPAA covered entities (for PHI), higher education, nonprofits, government entities, tribal entities, certain employment/B2B contexts.
  • Sensitive data definition and consent/opt-out requirements: 7 categories of sensitive data (see Section 2 above): racial/ethnic origin, religious beliefs, mental/physical health diagnosis, citizenship/immigration, genetic/biometric data for unique identification, child data (under 13). Opt-in consent required. Dark patterns prohibited. CRITICAL SB 297: Effective October 1, 2025, parental/guardian consent required for ages 13-16 for sale, profiling, targeted advertising.
  • Consumer rights and response timelines/appeals: Confirm/access, correct, delete, portability, opt-out of sale/targeted ads/profiling. Response: 45 days + one 45-day extension (with notice and reason). Appeals: Consumer may appeal denial; controller must respond to appeal within 60 days; must inform consumer of right to contact AG.
  • Opt-out of sale/targeted advertising/profiling requirements: Must provide consumer-friendly and easy-to-use method for opting out. CRITICAL: Must recognize universal opt-out mechanisms (e.g., Global Privacy Control) effective January 1, 2025 (Montana is first Republican-controlled legislature to require this). Consumer must take affirmative action to set up mechanism. Profiling opt-out required for decisions with legal/similarly significant effects.
  • Processor/service provider contract requirements (flow-downs, audit rights, deletion/return): Contract required. Must include: processing instructions, nature/purpose, data type, duration, parties' rights/obligations, processor assistance with MCDPA obligations, deletion/return upon completion or at controller's direction.
  • Data Protection Assessment / Risk Assessment triggers: Required for processing activities presenting heightened risk of harm: (1) Processing personal data for targeted advertising; (2) Sale of personal data; (3) Processing that presents certain risks: unfair/deceptive treatment, financial/physical/reputational injury, intrusion on solitude/seclusion offensive to reasonable person. CRITICAL SB 297: Controllers must conduct DPAs specifically for minors and implement plan to mitigate or eliminate heightened risks. Prospective DPAs required for processing activities "created or generated" after January 1, 2025. Attorney General may require controllers to present DPAs to evaluate compliance. Assessments conducted per other state laws comply if "reasonably similar in scope and effect."
  • Security measures expectations (reasonable security; specific mandates if any): Controllers must establish and maintain reasonable data security safeguards (administrative, technical, physical) to protect confidentiality and integrity of consumer data. Document security controls in DPAs.
  • Breach notice timeline and content requirements: Without unreasonable delay to residents; concurrent notice to AG (electronic copy with distribution details). Content: incident description, PI types, investigation steps, contact info, remediation services. No fixed deadline (unlike states with 30/45/60 day requirements).
  • Children/minors rules (e.g., COPPA; state-specific if any): Personal data of known children under 13 is sensitive data requiring opt-in consent. CRITICAL SB 297: Effective October 1, 2025, parental/guardian consent required for processing personal data of children ages 13-16 for sale, profiling, and targeted advertising. Must conduct DPAs specifically for minors with mitigation plans. Comply with COPPA for under 13.
  • Non-discrimination/retaliation prohibitions under state law: Controller may not discriminate against consumer for exercising MCDPA rights, including denying goods/services, charging different prices/rates, or providing different level/quality. Financial incentives, loyalty programs permitted with reasonable relationship to value of consumer's data.
  • Recordkeeping: ROPA/DPIA retention and appeal tracking: Maintain DPAs and make available to AG upon request. Document minor-specific DPAs and mitigation plans (SB 297 requirement). Maintain documentation of consumer request responses and appeal determinations. CRITICAL: 60-day cure period SUNSETS April 1, 2026; AG provides 60-day written notice of violation before April 1, 2026; after April 1, 2026, AG may initiate enforcement action without cure opportunity. Attorney General has exclusive enforcement authority. No private right of action.

10. Approvals and Accountability

  • Privacy lead/DPO review: [name/date].
  • Security review: [name/date].
  • Legal review (state law overlay): [name/date].
  • Business owner certification: [name/date].
  • Executive approver: [name/title/date].

11. Attachments

  • Data flow diagrams/architecture.
  • Records of processing activities entry.
  • Vendor list and processor agreements.
  • Data protection assessments (required for targeted advertising, sales, heightened risk processing; include minor-specific DPAs per SB 297).
  • Security safeguards documentation (administrative, technical, physical).
  • Sensitive data consent mechanisms.
  • Parental/guardian consent mechanisms for ages 13-16 (effective October 1, 2025).
  • Universal opt-out mechanism implementation (required January 1, 2025; Montana is first Republican state to require).
  • Minor mitigation plans (SB 297 requirement).
  • State-specific notices/links and breach templates.