npm - open-agreements - Versions diffs - 0.7.7 → 0.8.0 - Mend

open-agreements 0.7.7 → 0.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (704) hide show

package/skills/legal-explainers/data-privacy-law-explainer/content/missouri.md ADDED Viewed

@@ -0,0 +1,179 @@
+---
+jurisdiction: "Missouri"
+slug: missouri
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-11"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/missouri
+license: CC BY 4.0
+stale: false
+---
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/missouri · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+# Missouri Consumer Privacy Law[^about]
+Missouri has no omnibus consumer-privacy statute; the main commercial spine is breach notice, MMPA deception, and the insurance-sector IDSA.
+## At a glance
+| Question | Missouri |
+| --- | --- |
+| **Law coverage** | No comprehensive law |
+| **Summary** | Missouri has not enacted a comprehensive consumer-privacy law. The 2026 session saw biometric and privacy-adjacent bills, but no omnibus access/delete/correct/opt-out framework passed before the May 15, 2026 adjournment, so the main commercial state framework is the breach-notification statute, the MMPA's deception rules and qualified private right of action, and, for insurance licensees, the Insurance Data Security Act's phased duties; everything else rides the federal overlay. |
+| **Main law** | Mo. Rev. Stat. § 407.1500 (breach notification) plus the Merchandising Practices Act (§§ 407.010–407.025) and, for insurance licensees, the Insurance Data Security Act (§§ 375.1400–375.1427, effective January 1, 2026) — Missouri has no comprehensive consumer-privacy statute |
+| **Privacy policy required?** | No general Missouri mandate fixes a privacy policy's contents — they are driven by FTC Act § 5 and the sectoral overlay (GLBA, HIPAA, COPPA), with the MMPA supplying the state deception hook for a policy that misstates actual practices; an insurance licensee must hand its privacy policy to the insurance director after a cybersecurity event |
+| **Who does it cover?** | Breach statute: any person that owns or licenses personal information of Missouri residents, or that conducts business in Missouri and owns or licenses a resident's personal information, with no size threshold. MMPA: anyone selling or advertising merchandise — defined to include services and intangibles — in or from Missouri. Insurance Data Security Act: persons licensed or registered under Missouri insurance law |
+| **Can consumers sue?** | Yes |
+| **Privacy policy rule** | No state policy checklist |
+| **Consent for sensitive data?** | No special rule |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | Not under the breach statute (the Attorney General has exclusive authority, with a civil penalty up to $150,000 per breach) and expressly none under the Insurance Data Security Act; but MMPA § 407.025 gives consumers a private action — punitive damages, fee-shifting, and class actions included — subject to heightened reasonable-consumer and objective-damages proof requirements added in 2020 |
+| **Who enforces it?** | Missouri Attorney General (breach statute and MMPA); Director of the Department of Commerce and Insurance (Insurance Data Security Act) |
+## Which privacy laws apply to your business in Missouri? {#which-privacy-laws-apply}
+**Short answer.** There is no comprehensive Missouri consumer-privacy law. The main commercial privacy spine is three state statutes, with narrower Missouri sectoral rules still possible outside this workflow. The breach-notification statute applies to any person that owns or licenses personal information of Missouri residents, or that conducts business in Missouri and owns or licenses a resident's personal information, with no revenue or volume threshold [^stat-1500-trigger]. The Merchandising Practices Act (MMPA) makes deception, fraud, misrepresentation, unfair practices, and material omissions in connection with the sale or advertisement of merchandise unlawful — the hook that reaches privacy promises [^stat-020-unlawful]. And for the insurance sector, the Insurance Data Security Act establishes the exclusive state standards for licensees' data security, cybersecurity-event investigation, and notification to the director [^stat-1400-exclusive].
+Because Missouri has no omnibus statute, its residents hold no general state-law rights to access, delete, correct, or port their personal data, no right to opt out of sale or targeted advertising, and businesses face no state notice-at-collection, consent, data-protection-assessment, or universal opt-out-signal duties. The 2026 session saw biometric and privacy-adjacent bills, including H.B. 1970, H.B. 3537, and S.B. 1359, but they would not have created an omnibus access/delete/correct/opt-out framework and none passed before the General Assembly adjourned on May 15, 2026.
+What fills the gap is layered. The MMPA's reach is broad in practice because *merchandise* is defined to include services and intangibles, not just goods [^stat-010-merchandise] — so data-driven services sold to Missouri consumers sit squarely inside it. The Insurance Data Security Act is new: enacted in 2025 as H.B. 974, the Act became effective January 1, 2026 [^stat-hb974-effective]; its four-business-day director-notice duty is live, while security-program compliance runs to January 1, 2027 and third-party-service-provider safeguards run to January 1, 2028 [^stat-idsa-phase-in]. The rest of a Missouri-facing program rides the federal overlay — Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide, the Gramm-Leach-Bliley Act governs financial institutions, HIPAA governs covered health entities and their business associates, and the Children's Online Privacy Protection Act governs services directed to children under 13. This note is written to stay durable: a program built to the breach statute, the MMPA, and that overlay upgrades rather than restarts if Missouri later enacts an omnibus law.
+## What must your Missouri privacy policy contain? {#privacy-policy-contents}
+**Short answer.** No Missouri statute requires a general consumer privacy policy or fixes its contents. The governing rule is that whatever you publish must be true: under Section 5 of the FTC Act, unfair or deceptive acts or practices in or affecting commerce are unlawful [^fed-ftc5-deceptive], and the MMPA makes the same conduct actionable as a matter of Missouri law when the misstatement, concealment, or omission of a material fact occurs in connection with the sale or advertisement of merchandise [^q2-mmpa-deception]. A privacy policy that misdescribes how you collect, use, share, retain, or secure data is exposure under both.
+In practice the Missouri drafting question is less *what must be included* and more *does the policy match actual practice*. Where a sectoral regime applies, it supplies the contents: a financial institution may not share nonpublic personal information with nonaffiliated third parties without first giving the GLBA-compliant notice [^fed-glba-notice], and a HIPAA covered entity must give individuals a notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^fed-hipaa-notice]. For everyone else, best practice supplies the outline — categories of data collected, purposes, third-party sharing, retention, and how users exercise any choices you offer — and the MMPA supplies the reason to honor it.
+One Missouri-specific wrinkle deserves attention: the Insurance Data Security Act assumes an insurance licensee *has* a privacy policy, because after a reportable cybersecurity event the licensee must hand the director a copy of the licensee's privacy policy along with a statement of how it will investigate and notify affected consumers [^stat-1410-policy-copy]. For licensees, the policy is therefore not just a marketing document — it is part of the regulatory record a Missouri regulator will read in the worst week of an incident, which is a strong reason to keep it accurate and current before the event.
+## What must your contracts with vendors say? {#vendor-contracts}
+**Short answer.** Missouri has no omnibus data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs for general private-sector contracts. The two state-law touchpoints are narrow: the breach statute requires any person that maintains records it does not own to notify the owner or licensee of a breach immediately following discovery [^q3-breach-vendor], and the Insurance Data Security Act requires licensees to make their third-party service providers implement appropriate administrative, technical, and physical safeguards [^stat-1405-vendor], with that vendor-safeguards duty phased to January 1, 2028 [^q3-idsa-phase-in].
+Where a federal regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers, including by requiring them by contract to implement and maintain appropriate safeguards [^fed-glba-safeguards], and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and downstream-subcontractor terms before protected health information changes hands [^fed-hipaa-baa].
+The Insurance Data Security Act deserves a closer read from any insurer, producer, or other licensee, because its vendor duties are statutory rather than contractual best practice, even though the provider-specific subsection has a January 1, 2028 implementation deadline [^q3-idsa-phase-in]. A licensee must exercise due diligence in selecting its third-party service providers [^stat-1405-diligence] and must require each provider to protect the nonpublic information and information systems the provider can access — which in practice means written security commitments in the services agreement [^stat-1405-vendor]. Outside the regulated verticals, the prudent move is to carry the same protections forward as best practice — processing limited to documented instructions, confidentiality, reasonable security, breach notification back to your business, and return or deletion of data at the end of the engagement — even though no Missouri statute compels them. There is no Missouri source to cite for omnibus vendor terms, which is itself the point.
+## When must you notify people of a data breach in Missouri? {#breach-notification}
+**Short answer.** Any person that owns or licenses personal information of Missouri residents — or that conducts business in Missouri and owns or licenses a resident's personal information — must notify the affected consumer of a breach of security following discovery or notification of the breach [^q4-breach-trigger]. The disclosure must be made without unreasonable delay, consistent with the legitimate needs of law enforcement and with the measures needed to determine the breach's scope and restore the system's integrity [^q4-breach-timing]. If you notify more than 1,000 consumers at one time, you must also notify the Attorney General's office and the nationwide consumer reporting agencies, again without unreasonable delay [^q4-breach-ag-cra].
+The statute is the center of any Missouri incident-response plan, so its mechanics are worth internalizing. *Personal information* is a resident's name combined with an unencrypted, unredacted Social Security number, driver's license or government ID number, financial-account or card number with its access code, unique electronic identifier with a security code permitting account access, medical information, or health-insurance information [^q4-personal-information]. A *breach* is unauthorized access to and unauthorized acquisition of that information in computerized form that compromises its security, confidentiality, or integrity [^q4-breach-definition]. Encryption and redaction are effectively safe harbors, since the listed data elements only count when not encrypted, redacted, or otherwise made unreadable or unusable [^q4-personal-information].
+The statute fixes the notice's minimum contents: a general-terms description of the incident, the type of personal information obtained, a phone number for further information if one exists, contact information for the consumer reporting agencies, and advice to stay vigilant by reviewing account statements and monitoring free credit reports [^q4-breach-contents]. Notice may be written, electronic with consent, or telephonic; substitute notice is available if notice would cost more than $100,000, the affected class exceeds 150,000 consumers, contact information or consent is insufficient, or particular consumers cannot be identified, and it requires email when available, conspicuous website posting if the person has a website, and notice to major statewide media [^q4-breach-methods]. There is also a genuine risk-of-harm off-ramp — notification is not required if, after an appropriate investigation or consultation with law enforcement, you determine that identity theft or other fraud is not reasonably likely to occur, but that determination must be documented in writing and kept for five years [^q4-breach-harm-exception]. Noncompliance is an Attorney General matter: the AG has exclusive authority to seek actual damages for a willful and knowing violation and a civil penalty of up to $150,000 per breach, or per series of similar breaches discovered in a single investigation [^q4-breach-penalty].
+## What does Missouri's Insurance Data Security Act require of insurance licensees? {#insurance-data-security}
+**Short answer.** If you are licensed, authorized, or registered under Missouri insurance law, a dedicated regime is already effective: the Insurance Data Security Act, enacted in 2025 as H.B. 974, took effect January 1, 2026 [^q5-idsa-effective]. Its headline operational duty is live now: a licensee must notify the director of the Department of Commerce and Insurance as promptly as practicable, but in no event later than four business days, from a determination that a qualifying cybersecurity event has occurred [^q5-idsa-4day]. Its structural security-program duty is phased: § 375.1405 implementation runs to January 1, 2027, and third-party-service-provider safeguards under § 375.1405.6 run to January 1, 2028 [^q5-idsa-phase-in].
+Four business days is a dramatically faster clock than the standards most businesses build around — the federal Safeguards Rule gives financial institutions as long as 30 days to notify the FTC of a qualifying event [^q5-glba-ftc-30day], and Missouri's own consumer breach statute runs on a *without unreasonable delay* standard [^q5-breach-timing] — so an insurance licensee's incident-response plan has to be built to make the reportability determination and assemble the director's filing in days, not weeks. The notice duty applies only when the statutory criteria are met: Missouri is the insurer's domicile or the producer's home state and the event is reasonably likely to materially harm a Missouri consumer or a material part of the licensee's operations, or the licensee reasonably believes the event involves nonpublic information of at least 250 Missouri consumers and either outside government or supervisory notice is required or material harm is reasonably likely [^q5-idsa-criteria]. The clock also runs on vendor incidents: when the event happens in a third-party service provider's systems, the licensee's deadlines begin the day after the provider notifies it or the licensee otherwise has actual knowledge, whichever is sooner [^q5-idsa-vendor-clock]. The Act dovetails with the general breach statute rather than displacing it — a licensee that must notify the director must also comply with § 407.1500 and give the director a copy of the consumer notice [^q5-idsa-consumer-notice].
+When the security-program deadline arrives, the program must include a written incident response plan designed to promptly respond to and recover from any cybersecurity event compromising nonpublic information or the licensee's operations [^q5-idsa-irp]. Missouri-domiciled insurers must also certify compliance to the director annually by April 15 and keep the supporting records for five years [^q5-idsa-cert]. Violations expose a licensee to the penalties provided by the insurance code's enforcement sections [^q5-idsa-penalty].
+## Can a consumer sue your business in Missouri over privacy? {#consumer-lawsuit}
+**Short answer.** Not under the breach statute — the Attorney General has exclusive authority to sue for a willful and knowing violation [^q6-breach-ag-exclusive] — and not under the Insurance Data Security Act, which expressly creates no private cause of action [^q6-idsa-no-pra]. The real private-suit exposure is the MMPA: any person who purchases or leases merchandise primarily for personal, family, or household purposes and suffers an ascertainable loss of money or property from an unlawful practice may bring a private civil action for actual damages [^q6-mmpa-pra]. Courts may also award punitive damages, attorney's fees to the prevailing party, and equitable relief [^q6-mmpa-remedies].
+The MMPA is how a misleading privacy promise, an undisclosed data practice, or a mishandled incident most plausibly becomes a Missouri lawsuit. But the claim is materially harder to plead and prove than it once was. A 2020 amendment (S.B. 591) rewrote § 407.025: a plaintiff now must establish that they acted as a reasonable consumer would in light of all circumstances, that the unlawful practice would cause a reasonable person to enter into the transaction that resulted in damages, and individual damages with sufficiently definitive and objective evidence allowing the loss to be calculated with a reasonable degree of certainty [^q6-mmpa-elements]. Those requirements apply to cases filed after August 28, 2020 [^q6-mmpa-sb591-date]. For privacy claims, the objective-damages element is the practical battleground — a plaintiff who cannot quantify an ascertainable loss from the data practice with objective evidence does not get past it, and the reasonable-consumer standard replaces the more plaintiff-friendly subjective framing that preceded it.
+Two structural features still cut in opposite directions. The exposure scales: the MMPA authorizes class actions where an unlawful practice causes similar injury to numerous persons [^q6-mmpa-class], and class representatives carry the same heightened proof elements. And the exposure has a sectoral boundary: the MMPA does not apply to entities within the listed Missouri-regulated insurance, credit-union, and finance chapters unless those regulators authorize the Attorney General to act or a statute gives the powers to the Attorney General or a private citizen [^q6-mmpa-exemption]. For everyone else, the durable takeaway is that Missouri's privacy-suit risk runs through consumer-deception law: keep the privacy policy true, and the heightened § 407.025 elements become your second line of defense rather than your first.
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Missouri. This article synthesizes Missouri primary law and is not legal advice from a Missouri-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+[^stat-1500-trigger]: **Mo. Rev. Stat. § 407.1500** — "Any person that owns or licenses personal information of residents of Missouri or any person that conducts business in Missouri that owns or licenses personal information in any form of a resident of Missouri shall provide notice to the affected consumer that there has been a breach of security following discovery or notification of the breach." *Mo. Rev. Stat. § 407.1500.2(1).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>
+[^stat-020-unlawful]: **Mo. Rev. Stat. § 407.020** — "The act, use or employment by any person of any deception, fraud, false pretense, false promise, misrepresentation, unfair practice or the concealment, suppression, or omission of any material fact in connection with the sale or advertisement of any merchandise in trade or commerce or the solicitation of any funds for any charitable purpose, as defined in section 407.453, in or from the state of Missouri, is declared to be an unlawful practice." *Mo. Rev. Stat. § 407.020.1.* <https://revisor.mo.gov/main/OneSection.aspx?section=407.020>
+[^stat-1400-exclusive]: **Mo. Rev. Stat. § 375.1400** — "Notwithstanding any other provision of law, sections 375.1400 to 375.1427 establish the exclusive state standards applicable to licensees for data security, the investigation of a cybersecurity event as defined in section 375.1402, and notification to the director." *Mo. Rev. Stat. § 375.1400.2.* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1400>
+[^stat-010-merchandise]: **Mo. Rev. Stat. § 407.010** — "any objects, wares, goods, commodities, intangibles, real estate or services" *Mo. Rev. Stat. § 407.010(4).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.010>
+[^stat-hb974-effective]: **Mo. Rev. Stat. § 375.1400 (enactment history)** — "(L. 2025 H.B. 974, et al.) Effective 1-01-26; see § 375.1427" *Mo. Rev. Stat. § 375.1400 (history note; eff. Jan. 1, 2026).* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1400>
+[^stat-idsa-phase-in]: **Mo. Rev. Stat. § 375.1427** — "Sections 375.1400 to 375.1427 shall take effect on January 1, 2026. Licensees shall have until January 1, 2027, to implement section 375.1405 and until January 1, 2028, to implement subsection 6 of section 375.1405." *Mo. Rev. Stat. § 375.1427.* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1427>
+[^fed-ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+[^q2-mmpa-deception]: **Mo. Rev. Stat. § 407.020** — "The act, use or employment by any person of any deception, fraud, false pretense, false promise, misrepresentation, unfair practice or the concealment, suppression, or omission of any material fact in connection with the sale or advertisement of any merchandise in trade or commerce or the solicitation of any funds for any charitable purpose, as defined in section 407.453, in or from the state of Missouri, is declared to be an unlawful practice." *Mo. Rev. Stat. § 407.020.1.* <https://revisor.mo.gov/main/OneSection.aspx?section=407.020>
+[^fed-glba-notice]: **GLBA privacy-notice obligation** — "Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title." *15 U.S.C. § 6802(a).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=Except%20as%20otherwise%20provided%20in,section%206803%20of%20this%20title.>
+[^fed-hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520(a)(1).* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
+[^stat-1410-policy-copy]: **Mo. Rev. Stat. § 375.1410** — "A copy of the licensee's privacy policy and a statement outlining the steps the licensee will take to investigate and notify consumers affected by the cybersecurity event" *Mo. Rev. Stat. § 375.1410.2(12).* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1410>
+[^q3-breach-vendor]: **Mo. Rev. Stat. § 407.1500** — "Any person that maintains or possesses records or data containing personal information of residents of Missouri that the person does not own or license, or any person that conducts business in Missouri that maintains or possesses records or data containing personal information of a resident of Missouri that the person does not own or license, shall notify the owner or licensee of the information of any breach of security immediately following discovery of the breach, consistent with the legitimate needs of law enforcement as provided in this section." *Mo. Rev. Stat. § 407.1500.2(2).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>
+[^stat-1405-vendor]: **Mo. Rev. Stat. § 375.1405** — "A licensee shall require a third-party service provider to implement appropriate administrative, technical, and physical measures to protect and secure the information systems and nonpublic information that are accessible to, or held by, the third-party service provider." *Mo. Rev. Stat. § 375.1405.6(2).* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1405>
+[^q3-idsa-phase-in]: **Mo. Rev. Stat. § 375.1427** — "Sections 375.1400 to 375.1427 shall take effect on January 1, 2026. Licensees shall have until January 1, 2027, to implement section 375.1405 and until January 1, 2028, to implement subsection 6 of section 375.1405." *Mo. Rev. Stat. § 375.1427.* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1427>
+[^fed-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>
+[^fed-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract; (C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410; (D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,with%20respect%20to%20such%20information>
+[^stat-1405-diligence]: **Mo. Rev. Stat. § 375.1405** — "A licensee shall exercise due diligence in selecting its third-party service provider." *Mo. Rev. Stat. § 375.1405.6(1).* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1405>
+[^q4-breach-trigger]: **Mo. Rev. Stat. § 407.1500** — "Any person that owns or licenses personal information of residents of Missouri or any person that conducts business in Missouri that owns or licenses personal information in any form of a resident of Missouri shall provide notice to the affected consumer that there has been a breach of security following discovery or notification of the breach." *Mo. Rev. Stat. § 407.1500.2(1).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>
+[^q4-breach-timing]: **Mo. Rev. Stat. § 407.1500** — "The disclosure notification shall be: (a) Made without unreasonable delay; (b) Consistent with the legitimate needs of law enforcement, as provided in this section; and (c) Consistent with any measures necessary to determine sufficient contact information and to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system." *Mo. Rev. Stat. § 407.1500.2(1).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>
+[^q4-breach-ag-cra]: **Mo. Rev. Stat. § 407.1500** — "In the event a person provides notice to more than one thousand consumers at one time pursuant to this section, the person shall notify, without unreasonable delay, the attorney general's office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. Section 1681a(p), of the timing, distribution, and content of the notice." *Mo. Rev. Stat. § 407.1500.2(8).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>
+[^q4-personal-information]: **Mo. Rev. Stat. § 407.1500** — "(9) ‘Personal information’, an individual's first name or first initial and last name in combination with any one or more of the following data elements that relate to the individual if any of the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable or unusable: (a) Social Security number; (b) Driver's license number or other unique identification number created or collected by a government body; (c) Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account; (d) Unique electronic identifier or routing code, in combination with any required security code, access code, or password that would permit access to an individual's financial account; (e) Medical information; or (f) Health insurance information." *Mo. Rev. Stat. § 407.1500.1(9).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>
+[^q4-breach-definition]: **Mo. Rev. Stat. § 407.1500** — "unauthorized access to and unauthorized acquisition of personal information maintained in computerized form by a person that compromises the security, confidentiality, or integrity of the personal information." *Mo. Rev. Stat. § 407.1500.1(1).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>
+[^q4-breach-contents]: **Mo. Rev. Stat. § 407.1500** — "The notice shall at minimum include a description of the following: (a) The incident in general terms; (b) The type of personal information that was obtained as a result of the breach of security; (c) A telephone number that the affected consumer may call for further information and assistance, if one exists; (d) Contact information for consumer reporting agencies; (e) Advice that directs the affected consumer to remain vigilant by reviewing account statements and monitoring free credit reports." *Mo. Rev. Stat. § 407.1500.2(4).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>
+[^q4-breach-methods]: **Mo. Rev. Stat. § 407.1500** — "For purposes of this section, notice to affected consumers shall be provided by one of the following methods: (a) Written notice; (b) Electronic notice for those consumers for whom the person has a valid email address and who have agreed to receive communications electronically, if the notice provided is consistent with the provisions of 15 U.S.C. Section 7001 regarding electronic records and signatures for notices legally required to be in writing; (c) Telephonic notice, if such contact is made directly with the affected consumers; or (d) Substitute notice" *Mo. Rev. Stat. § 407.1500.2(6)-(7).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>
+[^q4-breach-harm-exception]: **Mo. Rev. Stat. § 407.1500** — "Notwithstanding subdivisions (1) and (2) of this subsection, notification is not required if, after an appropriate investigation by the person or after consultation with the relevant federal, state, or local agencies responsible for law enforcement, the person determines that a risk of identity theft or other fraud to any consumer is not reasonably likely to occur as a result of the breach. Such a determination shall be documented in writing and the documentation shall be maintained for five years." *Mo. Rev. Stat. § 407.1500.2(5).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>
+[^q4-breach-penalty]: **Mo. Rev. Stat. § 407.1500** — "The attorney general shall have exclusive authority to bring an action to obtain actual damages for a willful and knowing violation of this section and may seek a civil penalty not to exceed one hundred fifty thousand dollars per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation." *Mo. Rev. Stat. § 407.1500.4.* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>
+[^q5-idsa-effective]: **Mo. Rev. Stat. § 375.1400 (enactment history)** — "(L. 2025 H.B. 974, et al.) Effective 1-01-26; see § 375.1427" *Mo. Rev. Stat. § 375.1400 (history note; eff. Jan. 1, 2026).* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1400>
+[^q5-idsa-4day]: **Mo. Rev. Stat. § 375.1410** — "Each licensee shall notify the director as promptly as practicable, but in no event later than four business days, from a determination that a cybersecurity event involving nonpublic information that is in the possession of a licensee has occurred when either of the following criteria has been met:" *Mo. Rev. Stat. § 375.1410.1.* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1410>
+[^q5-idsa-phase-in]: **Mo. Rev. Stat. § 375.1427** — "Sections 375.1400 to 375.1427 shall take effect on January 1, 2026. Licensees shall have until January 1, 2027, to implement section 375.1405 and until January 1, 2028, to implement subsection 6 of section 375.1405." *Mo. Rev. Stat. § 375.1427.* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1427>
+[^q5-glba-ftc-30day]: **GLBA Safeguards Rule (FTC breach notice)** — "Upon discovery of a notification event as described in paragraph (j)(2) of this section, if the notification event involves the information of at least 500 consumers, you must notify the Federal Trade Commission as soon as possible, and no later than 30 days after discovery of the event." *16 C.F.R. § 314.4(j)(1).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Upon%20discovery%20of%20a%20notification,after%20discovery%20of%20the%20event.>
+[^q5-breach-timing]: **Mo. Rev. Stat. § 407.1500** — "The disclosure notification shall be: (a) Made without unreasonable delay;" *Mo. Rev. Stat. § 407.1500.2(1).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>
+[^q5-idsa-criteria]: **Mo. Rev. Stat. § 375.1410** — "(1) This state is the licensee's state of domicile, in the case of an insurer, or this state is the licensee's home state, in the case of a producer, as those terms are defined in section 375.012, and the cybersecurity event has a reasonable likelihood of materially harming a consumer residing in this state or a reasonable likelihood of materially harming any material part of the normal operations of the licensee; or (2) The licensee reasonably believes that the nonpublic information involved is of two hundred fifty or more consumers residing in this state and is either of the following: (a) A cybersecurity event impacting the licensee of which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body under any state or federal law; or (b) A cybersecurity event that has a reasonable likelihood of materially harming: a. Any consumer residing in this state; or b. Any material part of the normal operations of the licensee." *Mo. Rev. Stat. § 375.1410.1(1)-(2).* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1410>
+[^q5-idsa-vendor-clock]: **Mo. Rev. Stat. § 375.1410** — "The computation of a licensee's deadlines shall begin on the day after the third-party service provider notifies the licensee of the cybersecurity event or the licensee otherwise has actual knowledge of the cybersecurity event, whichever is sooner." *Mo. Rev. Stat. § 375.1410.4(2).* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1410>
+[^q5-idsa-consumer-notice]: **Mo. Rev. Stat. § 375.1410** — "The licensee shall comply with section 407.1500, as applicable, and provide a copy of the notice sent to consumers under that section to the director when a licensee is required to notify the director under subsection 1 of section 375.1410." *Mo. Rev. Stat. § 375.1410.3.* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1410>
+[^q5-idsa-irp]: **Mo. Rev. Stat. § 375.1405** — "As part of its information security program, each licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event that compromises the confidentiality, integrity, or availability of nonpublic information in its possession, the licensee's information systems, or the continuing functionality of any aspect of the licensee's business or operations." *Mo. Rev. Stat. § 375.1405.8.* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1405>
+[^q5-idsa-cert]: **Mo. Rev. Stat. § 375.1405** — "Annually by April fifteenth, each insurer domiciled in this state shall submit to the director a written statement certifying that the insurer is in compliance with the requirements set forth in this section." *Mo. Rev. Stat. § 375.1405.9.* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1405>
+[^q5-idsa-penalty]: **Mo. Rev. Stat. § 375.1420** — "In the case of a violation of sections 375.1400 to 375.1427, a licensee may be subject to penalties as provided by law, including sections 374.046, 374.048, and 374.049." *Mo. Rev. Stat. § 375.1420.* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1420>
+[^q6-breach-ag-exclusive]: **Mo. Rev. Stat. § 407.1500** — "The attorney general shall have exclusive authority to bring an action to obtain actual damages for a willful and knowing violation of this section and may seek a civil penalty not to exceed one hundred fifty thousand dollars per breach of the security of the system or series of breaches of a similar nature that are discovered in a single investigation." *Mo. Rev. Stat. § 407.1500.4.* <https://revisor.mo.gov/main/OneSection.aspx?section=407.1500>
+[^q6-idsa-no-pra]: **Mo. Rev. Stat. § 375.1400** — "Sections 375.1400 to 375.1427 shall not be construed to create or imply a private cause of action for violation of their provisions, nor shall such sections be construed to curtail a private cause of action that would otherwise exist in the absence of sections 375.1400 to 375.1427." *Mo. Rev. Stat. § 375.1400.3.* <https://revisor.mo.gov/main/OneSection.aspx?section=375.1400>
+[^q6-mmpa-pra]: **Mo. Rev. Stat. § 407.025** — "Any person who purchases or leases merchandise primarily for personal, family or household purposes and thereby suffers an ascertainable loss of money or property, real or personal, as a result of the use or employment by another person of a method, act or practice declared unlawful by section 407.020, may bring a private civil action in either the circuit court of the county in which the seller or lessor resides or in which the transaction complained of took place, to recover actual damages." *Mo. Rev. Stat. § 407.025.1(1).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.025>
+[^q6-mmpa-remedies]: **Mo. Rev. Stat. § 407.025** — "The court may, in its discretion: (1) Award punitive damages; (2) Award to the prevailing party attorney's fees, based on the amount of time reasonably expended; and (3) Provide such equitable relief as it deems necessary or proper to protect the prevailing party from the methods, acts, or practices declared unlawful by section 407.020." *Mo. Rev. Stat. § 407.025.2.* <https://revisor.mo.gov/main/OneSection.aspx?section=407.025>
+[^q6-mmpa-elements]: **Mo. Rev. Stat. § 407.025** — "A person seeking to recover damages shall establish: (a) That the person acted as a reasonable consumer would in light of all circumstances; (b) That the method, act, or practice declared unlawful by section 407.020 would cause a reasonable person to enter into the transaction that resulted in damages; and (c) Individual damages with sufficiently definitive and objective evidence to allow the loss to be calculated with a reasonable degree of certainty." *Mo. Rev. Stat. § 407.025.1(2).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.025>
+[^q6-mmpa-sb591-date]: **Mo. Rev. Stat. § 407.025 (revisor's applicability note)** — "Applicability of statute changes for cases filed after August 28, 2020, 510.262" *Mo. Rev. Stat. § 407.025 (revisor's note; A.L. 2020 S.B. 591).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.025>
+[^q6-mmpa-class]: **Mo. Rev. Stat. § 407.025** — "Persons entitled to bring an action pursuant to subsection 1 of this section may, if the unlawful method, act or practice has caused similar injury to numerous other persons, institute an action as representative or representatives of a class against one or more defendants as representatives of a class, and the petition shall allege such facts as will show that these persons or the named defendants specifically named and served with process have been fairly chosen and adequately and fairly represent the whole class, to recover damages as provided for in subsection 1 of this section." *Mo. Rev. Stat. § 407.025.5.* <https://revisor.mo.gov/main/OneSection.aspx?section=407.025>
+[^q6-mmpa-exemption]: **Mo. Rev. Stat. § 407.020** — "Any institution, company, or entity that is subject to chartering, licensing, or regulation by the director of the department of commerce and insurance under chapter 354 or chapters 374 to 385, the director of the division of credit unions under chapter 370, or director of the division of finance under chapters 361 to 369, or chapter 371, unless such directors specifically authorize the attorney general to implement the powers of this chapter or such powers are provided to either the attorney general or a private citizen by statute" *Mo. Rev. Stat. § 407.020.2(2).* <https://revisor.mo.gov/main/OneSection.aspx?section=407.020>

package/skills/legal-explainers/data-privacy-law-explainer/content/montana.md ADDED Viewed

@@ -0,0 +1,105 @@
+---
+jurisdiction: "Montana"
+slug: montana
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-05"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/montana
+license: CC BY 4.0
+stale: false
+---
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/montana · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+# Montana Consumer Privacy Law (MCDPA)[^about]
+The Montana Consumer Data Privacy Act gives Montana consumers rights over their personal data and imposes notice, contracting, and consent duties on controllers above notably low thresholds — it requires opt-in consent for sensitive data, recognition of a universal opt-out preference signal, and is enforced exclusively by the Attorney General with no private right of action and, after a 2025 amendment, no general cure period.
+## At a glance
+| Question | Montana |
+| --- | --- |
+| **Law coverage** | Comprehensive law |
+| **Summary** | If you meet the 25,000-consumer (or 15,000 plus over-25%-data-sale) threshold in Montana, the MCDPA requires a privacy notice, opt-in consent to process sensitive data, recognition of a universal opt-out preference signal, and processor contracts — enforced by the Attorney General, with no consumer lawsuits and, since the 2025 amendments, no general right to cure before penalties of up to $7,500 per violation. |
+| **Main law** | Mont. Code Ann. §§ 30-14-2801 et seq. (codified short title Consumer Data Privacy Act; commonly the Montana Consumer Data Privacy Act, or MCDPA) |
+| **Privacy policy required?** | Yes — a reasonably accessible, clear, and meaningful notice with statutorily fixed contents |
+| **Who does it cover?** | Persons doing business in Montana (or targeting residents) that control or process the data of 25,000+ consumers, or 15,000+ while deriving over 25% of gross revenue from selling data — no revenue floor; state agencies, higher-education institutions, GLBA banks, HIPAA covered entities, and insurers are exempt |
+| **Can consumers sue?** | No |
+| **Privacy policy rule** | Policy contents fixed by law |
+| **Consent for sensitive data?** | Consent required first |
+| **Browser opt-out signals?** | Must be honored |
+| **Lawsuit detail** | No — enforcement is exclusively the Attorney General's |
+| **Who enforces it?** | Montana Attorney General (exclusive) |
+## Does the MCDPA apply to your business? {#does-mcdpa-apply}
+**Short answer.** It turns on consumer volume, not revenue, and the thresholds are low. The MCDPA applies to persons that do business in Montana or target its residents and that control or process the personal data of at least 25,000 consumers, or at least 15,000 consumers while deriving more than 25% of gross revenue from the sale of personal data [^stat-2803-apply].
+The law is widely called the Montana Consumer Data Privacy Act, or MCDPA, but its codified short title is simply the Consumer Data Privacy Act [^stat-2801-shorttitle]. These thresholds are lower than most state privacy laws and reach mid-market businesses with only a moderate Montana footprint. There is no dollar revenue floor. A consumer is a Montana resident, and the definition excludes individuals acting in a commercial or employment context, so workforce and ordinary business-contact data fall outside the consumer-rights framework [^stat-2802-consumer]. The statute also exempts state and local government bodies, institutions of higher education, GLBA-regulated banks and credit unions, HIPAA covered entities and business associates, and insurers, along with data already regulated under laws such as GLBA, HIPAA, the FCRA, and FERPA [^stat-2804-exempt].
+## What must your Montana privacy policy contain? {#privacy-policy-contents}
+**Short answer.** A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purpose for processing, the categories of personal data sold to or shared with third parties, the categories of those third parties, a contact mechanism, an explanation of consumer rights and how to exercise and appeal them, and the date the notice was last updated [^stat-2812-notice].
+Section 30-14-2812(5) is the content checklist for a Montana privacy notice. The notice must be posted online through a conspicuous hyperlink on the controller's website homepage or on a mobile device's application store page or download page, and a controller does not need a separate Montana-specific notice if its general notice already contains everything the section requires [^stat-2812-posting]. The MCDPA also requires data minimization — collection limited to what is adequate, relevant, and reasonably necessary to the disclosed purposes — and, where a controller sells personal data or processes it for targeted advertising, a clear and conspicuous opt-out method presented outside the notice itself [^stat-2812-minimize].
+## What must your contracts with vendors and processors include? {#vendor-processor-contracts}
+**Short answer.** A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — so a written data processing agreement is a statutory requirement, not a best practice [^stat-2813-contract].
+Section 30-14-2813(2) then specifies the required terms. The contract must be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data, the duration of processing, and the rights and obligations of both parties [^stat-2813-setforth]. It must also require the processor to maintain a duty of confidentiality, delete or return data at the controller's direction, make available the information needed to demonstrate compliance, engage any subcontractor under a written contract binding it to the same obligations, and allow and cooperate with reasonable assessments [^stat-2813-terms]. A compliant template processor agreement should track each of these.
+## Do you need consent for sensitive data, and must you honor an opt-out signal? {#sensitive-data-and-opt-out}
+**Short answer.** Yes on both counts. A controller may not process a consumer's sensitive data without first obtaining consent, and for a known child it must instead follow the federal Children's Online Privacy Protection Act [^stat-2812-sensitive]. Separately, a controller must let consumers opt out of targeted advertising and the sale of personal data through a universal opt-out preference signal [^stat-2809-signal].
+Sensitive data includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person's sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child; and precise geolocation data [^stat-2802-sensitive]. The opt-out preference signal must require an affirmative consumer choice rather than a default setting, must be consumer-friendly, and must not unfairly disadvantage another controller; the underlying opt-out rights themselves — including the right to opt out of targeted advertising, sale, and certain profiling — sit in section 30-14-2808 [^stat-2808-optout].
+## Who enforces the MCDPA, and can consumers sue? {#enforcement-and-lawsuits}
+**Short answer.** The Attorney General has exclusive authority to enforce the MCDPA, so there is no private right of action for consumers [^stat-2817-enforce]. An uncured violation exposes a business to a civil penalty of up to $7,500 for each violation [^stat-2820-penalty].
+The statute is explicit that nothing in it provides a basis for a private right of action [^stat-2817-nopra]. The 2025 amendments also reshaped the enforcement posture: the original act's right to cure was scheduled to sunset on April 1, 2026, but the amendments removed the general cure provision early, so the current enforcement section no longer contains one. The penalty section still references a 30-day period described in section 30-14-2817(3), while that subsection now describes the Attorney General's civil-investigative-demand authority rather than a cure process — an unresolved cross-reference that should be treated as a live statutory ambiguity. The practical posture is to build the notice, consent, and contracting controls up front rather than relying on a chance to fix problems after a complaint.
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-05. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Montana. This article synthesizes Montana primary law and is not legal advice from a Montana-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+[^stat-2803-apply]: **Mont. Code Ann. § 30-14-2803** — "(a) control or process the personal data of not less than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or" *Mont. Code Ann. § 30-14-2803(1)(a).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0030/0300-0140-0280-0030.html>
+[^stat-2801-shorttitle]: **Mont. Code Ann. § 30-14-2801** — "30-14-2801. Short title. This part may be cited as the ‘Consumer Data Privacy Act’." *Mont. Code Ann. § 30-14-2801.* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0010/0300-0140-0280-0010.html>
+[^stat-2802-consumer]: **Mont. Code Ann. § 30-14-2802** — "(b) The term does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit, or government agency." *Mont. Code Ann. § 30-14-2802(7).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0020/0300-0140-0280-0020.html>
+[^stat-2804-exempt]: **Mont. Code Ann. § 30-14-2804** — "(e) state or federally chartered bank or credit union or an affiliate or subsidiary that is principally engaged in financial activities as described in 12 U.S.C. 1843(k);" *Mont. Code Ann. § 30-14-2804(1)(e).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0040/0300-0140-0280-0040.html>
+[^stat-2812-notice]: **Mont. Code Ann. § 30-14-2812** — "A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (a) the categories of personal data processed by the controller; (b) the purpose for processing personal data; (c) the categories of personal data that the controller sells to or shares with third parties, if any; (d) the categories of third parties, if any, with which the controller sells or shares personal data; and (e) an active e-mail address or other mechanism that the consumer may use to contact the controller; (f) an explanation of the rights provided by 30-14-2808(1) and how consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision regarding the consumer's request; and (g) the date the privacy notice was last updated." *Mont. Code Ann. § 30-14-2812(5).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0120/0300-0140-0280-0120.html>
+[^stat-2812-posting]: **Mont. Code Ann. § 30-14-2812** — "on the controller's website homepage or on a mobile device's application store page or download page." *Mont. Code Ann. § 30-14-2812(10).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0120/0300-0140-0280-0120.html>
+[^stat-2812-minimize]: **Mont. Code Ann. § 30-14-2812** — "limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed to the consumer;" *Mont. Code Ann. § 30-14-2812(1)(a).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0120/0300-0140-0280-0120.html>
+[^stat-2813-contract]: **Mont. Code Ann. § 30-14-2813** — "A contract between a controller and a processor must govern the processor's data processing procedures with respect to processing performed on behalf of the controller." *Mont. Code Ann. § 30-14-2813(2).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0130/0300-0140-0280-0130.html>
+[^stat-2813-setforth]: **Mont. Code Ann. § 30-14-2813** — "The contract must be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties." *Mont. Code Ann. § 30-14-2813(2).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0130/0300-0140-0280-0130.html>
+[^stat-2813-terms]: **Mont. Code Ann. § 30-14-2813** — "(a) ensure that each person processing personal data is subject to a duty of confidentiality with respect to the personal data; (b) at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; (c) on the reasonable request of the controller, make available to the controller all information in the processor's possession necessary to demonstrate the processor's compliance with the obligations in this part; (d) engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and (e) allow and cooperate with reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to assess the processor's policies and technical and organizational measures in support of the obligations under this part using an appropriate and accepted control standard or framework and assessment procedure for the assessments." *Mont. Code Ann. § 30-14-2813(2)(a)-(e).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0130/0300-0140-0280-0130.html>
+[^stat-2812-sensitive]: **Mont. Code Ann. § 30-14-2812** — "process sensitive data concerning a consumer without obtaining the consumer's consent or, in the case of the processing of sensitive data concerning a known child, without processing the sensitive data in accordance with the Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501, et seq.;" *Mont. Code Ann. § 30-14-2812(2)(b).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0120/0300-0140-0280-0120.html>
+[^stat-2809-signal]: **Mont. Code Ann. § 30-14-2809** — "(ii) may not make use of a default setting, but require the consumer to make an affirmative, freely given and unambiguous choice to opt out of any processing of a customer's personal data pursuant to this part;" *Mont. Code Ann. § 30-14-2809(3)(b)(ii).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0090/0300-0140-0280-0090.html>
+[^stat-2802-sensitive]: **Mont. Code Ann. § 30-14-2802** — "(a) data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person's sex life, sexual orientation, or citizenship or immigration status;" *Mont. Code Ann. § 30-14-2802(28)(a).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0020/0300-0140-0280-0020.html>
+[^stat-2808-optout]: **Mont. Code Ann. § 30-14-2808** — "(e) opt out of the processing of the consumer's personal data for the purposes of:" *Mont. Code Ann. § 30-14-2808(1)(e).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0080/0300-0140-0280-0080.html>
+[^stat-2817-enforce]: **Mont. Code Ann. § 30-14-2817** — "The attorney general has exclusive authority and may use the duties and powers provided by Title 30, chapter 14, parts 1 and 2, to enforce violations pursuant to this part." *Mont. Code Ann. § 30-14-2817(1).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0170/0300-0140-0280-0170.html>
+[^stat-2820-penalty]: **Mont. Code Ann. § 30-14-2820** — "A person who violates the provisions of this part following the 30-day period described in 30-14-2817(3) is liable for a civil penalty in an amount not to exceed $7,500 for each violation." *Mont. Code Ann. § 30-14-2820(2).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0200/0300-0140-0280-0200.html>
+[^stat-2817-nopra]: **Mont. Code Ann. § 30-14-2817** — "Nothing in this part may be construed as providing the basis for or be subject to a private right of action for violations of this part or any other law." *Mont. Code Ann. § 30-14-2817(5).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0170/0300-0140-0280-0170.html>

package/skills/legal-explainers/data-privacy-law-explainer/content/nebraska.md ADDED Viewed

@@ -0,0 +1,83 @@
+---
+jurisdiction: "Nebraska"
+slug: nebraska
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-06"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/nebraska
+license: CC BY 4.0
+stale: false
+---
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/nebraska · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+# Nebraska Consumer Privacy Law (Data Privacy Act)[^about]
+The Nebraska Data Privacy Act gives Nebraska consumers rights over their personal data and imposes notice, contracting, and consent duties on most for-profit businesses — unusually, it uses no consumer-volume or revenue threshold and instead exempts only federal small businesses, and it is enforced exclusively by the Attorney General with a 30-day cure period and no private right of action.
+## At a glance
+| Question | Nebraska |
+| --- | --- |
+| **Law coverage** | Comprehensive law |
+| **Summary** | If you do business in Nebraska (or serve its residents), process or sell personal data, and are not a federal small business, the Data Privacy Act requires a privacy notice, opt-in consent to process sensitive data, and processor contracts — enforced by the Attorney General with a 30-day cure period and no consumer lawsuits. |
+| **Main law** | Neb. Rev. Stat. §§ 87-1101 et seq. (Nebraska Data Privacy Act, effective Jan. 1, 2025) |
+| **Privacy policy required?** | Yes — a reasonably accessible and clear privacy notice with statutorily fixed contents |
+| **Who does it cover?** | Persons that conduct business in Nebraska or produce a product or service consumed by Nebraska residents, that process or sell personal data, and that are not a small business under the federal Small Business Act — no consumer-count or revenue threshold; state agencies, GLBA, HIPAA, nonprofits, and higher-education institutions exempt |
+| **Can consumers sue?** | No |
+| **Privacy policy rule** | Policy contents fixed by law |
+| **Consent for sensitive data?** | Consent required first |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | No — the Act cannot be construed as a basis for a private right of action |
+| **Who enforces it?** | Nebraska Attorney General (exclusive) |
+## Does the Nebraska Data Privacy Act apply to your business? {#does-ndpa-apply}
+**Short answer.** It turns on whether you are a small business, not on how many consumers you reach. The Act applies to a person that conducts business in Nebraska or produces a product or service consumed by Nebraska residents, that processes or sells personal data, and that is not a small business as determined under the federal Small Business Act [^stat-1103-apply].
+This is Nebraska's most distinctive feature. Most state privacy laws turn coverage on numbers — Virginia, for example, only reaches businesses handling 100,000-plus consumers a year. Nebraska sets no consumer-count and no revenue threshold at all. Instead it covers essentially every for-profit business that touches Nebraskans' data and then carves out anyone that qualifies as a small business under the federal Small Business Act as it existed on January 1, 2024. The Act also exempts state agencies and political subdivisions, GLBA-regulated financial institutions, HIPAA covered entities and business associates, nonprofit organizations, and institutions of higher education, along with several data-level carve-outs such as employment and HIPAA, FCRA, DPPA, and FERPA data. A consumer is a Nebraska resident acting only in an individual or household context, not an employee or business contact. One catch even small businesses should note: a small business still may not sell sensitive data without the consumer's prior consent.
+## What must your Nebraska privacy policy contain? {#privacy-policy-contents}
+**Short answer.** A controller must give each consumer a reasonably accessible and clear privacy notice that lists the categories of personal data processed, the purpose for processing, how a consumer exercises their rights, any categories of personal data shared with third parties, any categories of those third parties, and a description of each method for submitting a rights request [^stat-1113-notice].
+For a template privacy policy, section 87-1113 is the content checklist. Nebraska also layers on an extra disclosure: if a controller sells personal data to a third party or processes it for targeted advertising, it must clearly and conspicuously disclose that activity and how the consumer can opt out. A Nebraska-facing policy should therefore do more than recite a generic rights paragraph — it should state plainly whether the business sells data or runs targeted advertising and, if so, exactly how to opt out. The notice the policy presents should match the data practices the controller actually carries out.
+## What must your contracts with processors say? {#vendor-contracts}
+**Short answer.** A contract between a controller and a processor must govern the processor's data processing procedures for work done on the controller's behalf — so a data processing agreement is a statutory requirement, not just a best practice [^stat-1115-contract].
+Section 87-1115 then specifies the required terms: clear instructions for processing, the nature and purpose of processing, the type of data and duration, the rights and obligations of both parties, a duty of confidentiality, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, cooperation with reasonable assessments, and a requirement to bind subcontractors by written contract to the same obligations [^stat-1115-contract]. A compliant template DPA tracks each of these.
+## Do you need consent to process sensitive data? {#sensitive-data}
+**Short answer.** Yes. A controller may not process a consumer's sensitive data without obtaining the consumer's consent, and for a known child it must instead handle that data in accordance with the federal Children's Online Privacy Protection Act [^stat-1112-consent]. Sensitive data includes personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child; and precise geolocation data.
+This is the opt-in model shared by Virginia, Colorado, Connecticut, and Texas — the opposite of Utah's notice-and-opt-out approach. Nebraska defines consent as a clear and affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement, and it excludes acceptance of broad terms of use, passive actions like hovering or muting, and anything obtained through a dark pattern. Even a small business that is otherwise outside the Act cannot sell sensitive data without the consumer's prior consent.
+## Can a consumer sue your business under the Data Privacy Act? {#consumer-lawsuit}
+**Short answer.** No. The Act expressly cannot be construed as a basis for a private right of action, so consumers cannot sue under it — enforcement runs through the Attorney General [^stat-1125-noprivate]. Before bringing an action, the Attorney General must give written notice at least 30 days in advance identifying the specific provisions allegedly violated, and may not sue if the business cures within that window [^stat-1122-cure].
+A controller that cures within the 30-day window and provides the required written statements — confirming the cure and promising no repeat violation — avoids the action. An uncured violation after the cure period exposes the business to a civil penalty of up to $7,500 for each violation, plus injunctive relief and the Attorney General's reasonable fees. The practical posture is to build the notice, consent, and contracting controls up front, but a covered business that receives a notice has a genuine window to fix the issue.
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-06. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Nebraska. This article synthesizes Nebraska primary law and is not legal advice from a Nebraska-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+[^stat-1103-apply]: **Neb. Rev. Stat. § 87-1103** — "The Data Privacy Act applies only to a person that: (a) Conducts business in this state or produces a product or service consumed by residents of this state; (b) Processes or engages in the sale of personal data; and (c) Is not a small business as determined under the federal Small Business Act, as such act existed on January 1, 2024, except to the extent that section 87-1118 applies to a person described by this subdivision." *Neb. Rev. Stat. § 87-1103(1).* <https://nebraskalegislature.gov/laws/statutes.php?statute=87-1103>
+[^stat-1113-notice]: **Neb. Rev. Stat. § 87-1113** — "A controller shall provide each consumer with a reasonably accessible and clear privacy notice that includes: (1) The categories of personal data processed by the controller, including, if applicable, any sensitive data processed by the controller; (2) The purpose for processing personal data; (3) How a consumer may exercise a consumer right under sections 87-1107 to 87-1111, including the process by which a consumer may appeal a controller's decision with regard to the consumer's request; (4) If applicable, any category of personal data that the controller shares with any third party; (5) If applicable, any category of third party with whom the controller shares personal data; and (6) A description of each method required under section 87-1111 through which a consumer may submit a request to exercise a consumer right under the Data Privacy Act." *Neb. Rev. Stat. § 87-1113.* <https://nebraskalegislature.gov/laws/statutes.php?statute=87-1113>
+[^stat-1115-contract]: **Neb. Rev. Stat. § 87-1115** — "A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract shall include: (a) Clear instructions for processing data; (b) The nature and purpose of processing; (c) The type of data subject to processing; (d) The duration of processing; (e) The rights and obligations of both parties; and (f) A requirement that the processor shall: (i) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; (ii) At the controller's direction, delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention of the personal data is required by law; (iii) Make available to the controller, on reasonable request, all information in the processor's possession necessary to demonstrate the processor's compliance with the requirements of the Data Privacy Act; (iv) Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor; and (v) Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data." *Neb. Rev. Stat. § 87-1115(2).* <https://nebraskalegislature.gov/laws/statutes.php?statute=87-1115>
+[^stat-1112-consent]: **Neb. Rev. Stat. § 87-1112** — "Process the sensitive data of a consumer without obtaining the consumer's consent, or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the federal Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501 et seq., as such act existed on January 1, 2024." *Neb. Rev. Stat. § 87-1112(2)(d).* <https://nebraskalegislature.gov/laws/statutes.php?statute=87-1112>
+[^stat-1125-noprivate]: **Neb. Rev. Stat. § 87-1125** — "The Data Privacy Act shall not be construed as providing a basis for, or being subject to, a private right of action for a violation of the Data Privacy Act or any other law." *Neb. Rev. Stat. § 87-1125.* <https://nebraskalegislature.gov/laws/statutes.php?statute=87-1125>
+[^stat-1122-cure]: **Neb. Rev. Stat. § 87-1122** — "Before bringing an action under section 87-1124, the Attorney General shall notify a controller or processor in writing, not later than the thirtieth day before bringing the action, identifying the specific provisions of the Data Privacy Act the Attorney General alleges have been or are being violated." *Neb. Rev. Stat. § 87-1122.* <https://nebraskalegislature.gov/laws/statutes.php?statute=87-1122>