Can I ensure that my company is compliant with expanding privacy protections in Montana? What are the requirements?
To ensure that your company is compliant with expanding privacy protections in Montana, you must comply with the requirements outlined in MTCO 2-17-552. These requirements state that a government website operator may not collect personally identifiable information online from a website user unless the operator complies with the provisions of this section. The website must identify who operates the website, provide contact information for the operator, and generally describe the operator’s information practices, including policies to protect the privacy of the user and the steps taken to protect the security of the collected information. If the personally identifiable information may be used for a purpose other than the express purpose of the website or may be given or sold to a third party, except as required by law, then the operator shall ensure that the website includes a clear and conspicuous notice to the user that the information collected could be used for other than the purposes of the website, a general description of the types of third parties that may obtain the information, and a clear, conspicuous, and easily understood online procedure requiring an affirmative expression of the user’s permission before the information is collected [1.1].
Additionally, if your company handles individually identifiable health information, you may be exempt from the requirements of MTCO 2-17-552 if you are a covered entity under the provisions of federal regulations that are part of the Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) [2.1].
It is also important to note that MTCO 2-17-553 states that these privacy protections are not intended to expand or restrict the individual right of privacy or the public right to know or to change the rights and obligations of persons, state agencies, or local governments that are otherwise provided by law [1.4].
To ensure compliance with these requirements, your company should consider developing an information technology plan that includes:
- a statement of the company’s mission, goals, and objectives for information technology;
- an explanation of how the company’s mission, goals, and objectives for information technology support and conform to the state strategic information technology plan;
- a baseline profile of the company’s current information technology resources and capabilities;
- an evaluation of the baseline profile that identifies real or potential deficiencies or obsolescence of the company’s information technology resources and capabilities;
- a list of new projects and resources required to meet the objectives of the company’s information technology plan; and
- any other information required by law or requested by the department, the governor, or the legislature [1.3][1.5].
In summary, to ensure compliance with expanding privacy protections in Montana, your company should comply with the requirements outlined in MTCO 2-17-552, consider any exemptions under HIPAA regulations if applicable, and develop an information technology plan that conforms to state standards and guidelines [1.1][2.1][1.3][1.4][1.5].
Source(s):
- [1.1] Collection of personally identifiable information – requirements
- [2.1] Exemption based on federal standards for privacy and security of individually identifiable health information
- [1.3] Agency information technology plans – form and content – performance reports
- [1.4] No change of privacy right or public right to know
- [1.5] Rulemaking authority
Jurisdiction
Montana