ManyPets’ data privacy promise

June 2024

Privacy Policy and Statement 

Your privacy is important to us. At ManyPets, Inc. (hereinafter referred to as “ManyPets”), we are committed to protecting your non-public personal information as required by law. This notice is to advise you of how we will handle this information.  

What is Personal Data? 

In this privacy policy, references to “personal information” or “personal data” are references to information that relates to an identified or identifiable individual.  Some examples of personal data are your name, company, e-mail address, address, and telephone number but it may also include information such as your IP address and location, in certain jurisdictions. 

Types of Information We Collect on this Website  

You can visit the website of ManyPets without revealing who you are or providing any personal information about yourself.  

There will be times, such as when you request information or a publication, when we will need to obtain personally identifiable information from you or about you. However, this information will not be collected without your knowledge.  

The information we receive about you or from you may be used by us to process your inquiry or request, to comply with any law, regulation, or court order, and to help improve our website or the products or services we offer.   

When you visit this website, we may collect usage information (including, but not limited to, IP addresses, browser and platform types, domain names, access times, and referral data) to help us understand how our website is navigated and used. This data does not include any personal information about you and is used only to measure and improve the effectiveness of our website.  

How We Use Your Information/Use of Collected Personal Information  

ManyPets only processes personal information for the purposes described in this Privacy Policy and/or privacy notice for specific services. Such services may include:  

• Providing our insurance services to users;   

• Auditing, research, and analysis in order to maintain, protect, and improve our services;  

 • Ensuring the technical functioning of our network; and 

• Developing new services. 

Promotional Messaging or Advertising: 

Any Promotional Messaging or Advertising material is for general informational purposes only and does not constitute an offer to sell or a solicitation of an offer to buy any product or service.  

Ability to Opt-in/Out  

If we propose to use your personal information for any purposes other than those described in this Policy and/or in the specific service notices, you may "opt-out"—or say no to—having your information shared by contacting us through our contact page. We will not collect or use sensitive information for purposes other than those described in this Policy and/or in the specific service notices unless we have obtained your prior consent.  

If you do choose to decline to submit personal information to any of our services, there may be some instances in which we may not be able to provide those services to you.  

Information Provided by You 

When you engage us to provide insurance services, we may ask you for personal information (such as your name, address, social security number, date of birth, phone numbers, credit card information, and email address) which we maintain in encrypted form on secure servers. We may combine the information submitted under various forms and services in order to provide customers with a better experience and to improve the quality of our services.   

We may need to use your personal data in order to carry out the following activities: 

  • To set you up as a new client (including carrying out ‘know your customer’ checks); 

  • To provide you with an insurance quote; 

  • To provide our products and services to you; 

  • To respond to your inquiries; 

  • To accept payments from you; 

  • To communicate with you about your policy; 

  • To renew your policy; 

  • To obtain reinsurance for your policy; 

  • To process insurance and reinsurance claims; 

  • For general insurance administration purposes; 

  • To comply with our legal and regulatory obligations; 

  • To model our risks; 

  • To defend or prosecute legal matters; 

  • When you sign up for an online account; 

  • To make our products and services better and to develop new products and services; and 

  • To send you notices and information regarding our products or services, including notifying you about special promotions or offers, where we are legally permitted to do so. 

Information Collected from Other Sources  

From time to time, we may receive personal information about you from third party sources but only where we have checked that these third parties either have your consent or are otherwise legally permitted or required to disclose your personal information to us. This Privacy Policy applies to how we handle your information. We do not exercise control over the websites that are displayed in other browser windows opened by links from within our various services. These other sites may place their own cookies or other files on your computer, collect data, or solicit personal information from you.  

Disclosure of Personal Information to Third Parties, Vendors, Service Providers, or for Company Communications  

We may disclose personal information that we collect, or you provide, as described in this privacy policy under the following circumstances:  

  • To transfer data to our affiliates from time to time for our legitimate business purposes. Affiliates are defined as group companies, subsidiaries, parent companies, joint ventures, and other corporate entities under common ManyPets ownership; 

  • To contractors, service providers, and other third parties we use to support our business that are bound by an obligation to keep personal information confidential and use it only for the purposes for which we disclose it to them; 

  • To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of the Company's assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by the Company about our Website users is among the assets transferred; and 

  • To fulfil the purpose for which you provide it.   

 

Choices about the Collection and Use of Your Information  

  • This website may use "cookies" to enhance your viewing experience. A cookie is a tiny element of data that is sent to your browser to be stored on your hard drive so that we can recognize you when you return. You may set your browser to notify you when you receive a cookie or refuse cookies from all websites.  Please note, if you reject cookies, it is possible that some web pages may not load properly, your access to certain information might be denied, or you might be required to enter information more than once.  

  • Promotional Offers from the Company: If you do not wish to have your e-mail address/contact information used by the Company to promote our own or third parties' products or services, you can opt-out by using one of the methods described above in 'How We Use Your Information'.   

  • Targeted Advertising: If you do not want us to use information that we collect or that you provide to us to deliver advertisements according to our advertisers' target-audience preferences, you can opt-out by using one of the methods described above in 'How We Use Your Information'.   

Access to and Correction of Personal Information   

If you believe that any personal information we have collected about you is inaccurate, you may send a written request via our contact page to correct or delete any personal information that you have provided to us. We will investigate your request and make appropriate changes if warranted.   

We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.   

Collection of Information from Children  

We do not knowingly collect personal information from anyone under the age of 13.  If you believe that we are processing personal information pertaining to a child inappropriately, we ask you to contact us using the information provided under the “Contact Us” section. 

For more information about protecting your child's privacy online, visit the Federal Trade Commission website at https://www.ftc.gov. 

Other Considerations   

When you use some ManyPets products, services, or applications or post on a ManyPets forum, chat room, or social networking service such as Facebook, Twitter, or other such social media sites, the personal information and content you share is visible to other users and can be read, collected, or used by them.   

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) 

ManyPets is required by law to take reasonable steps to ensure the privacy of your personally identifiable health information, and to inform you about:  

  • The Company's uses and disclosures of Protected Health Information ("PHI"); 

  • Your privacy rights with respect to your PHI;  

  • The Company's duties with respect to your PHI;  

  • Your right to file a complaint with the Company and to the Secretary of the U.S. Department of Health and Human Services ("HHS"); and  

  • The person or office to contact for further information regarding the Company's privacy practices.  

PHI includes all individually identifiable health information transmitted or maintained by ManyPets, regardless of form (e.g. oral, written, electronic). A federal law, the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), regulates PHI use and disclosure by ManyPets. You may find these rules at 45 Code of Federal Regulations Parts 160 and 164.  

State Specific Privacy Laws 

Many states and territories have their own privacy regulations which apply to individuals and corporations that live or do business in, frequent, or offer goods and services to their residents. The individual laws of these states vary and as such you should familiarize yourself with your individual state laws.

Addendum 1, which can be found at the end of this notice, summarizes each current state privacy regulation.

Confidentiality and Security  

We will not add your name to mailing lists unless you specifically request that we do so. We do not share, sell, lease, or rent our mailing or customer lists to third parties. We may use third parties to help us administer e-mail alerts. If personally identifiable information (i.e. name, address, e-mail address, telephone number) is provided to any of these third parties, we will require that they maintain such information in strictest confidence in compliance with this policy. We also assess new technology for protecting customer information on an ongoing basis.  

We take the security of your personal information seriously and implement appropriate technical and organizational measures against unauthorized or unlawful processing of personal data, and against accidental loss, destruction of, or damage to, personal data. Please contact us immediately if you believe your Personal Information has been exposed.

Although we take appropriate measures to protect the security of the information communicated through the website, no Internet connected computer system can be made absolutely secure from intrusion. We, therefore, cannot and do not guarantee that information communicated by you to us will be received or that it will not be altered before or after its transmission to us. If you elect to use the website to communicate with us, you do so at your own risk.  

Questions and Concerns  

If you have any questions or comments with regard to this privacy statement, or if you have any concerns as to the validity of information made available within these pages, we recommend you seek verification by contacting us via our ‘Contact Us’ page.

Please note that we may update and modify this Privacy Statement. It remains your responsibility to access and check these terms and conditions whenever you access the Website as the latest version of these terms and conditions will govern. We do not accept any liability for any errors or omissions. 

Addendum 1 

California Privacy Rights  

California Civil Code Section 1798.83 and the California Consumer Privacy Act (CCPA) permit users of our Website that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. The CCPA also provides California residents the right ‘To Be Forgotten’ by a company.

A California resident has the right to know what Personal Information is collected, used, disclosed, or sold, to delete any Personal Information collected, to opt-out of the sale of Personal Information, and to not be discriminated against for exercising such rights. 

Right to Know 

A California resident has the right to request that we disclose what Personal Information we collect, use, disclose or sell. You may request that we disclose the following information upon receipt of a verifiable consumer request: 

  • The categories of Personal Information collected and categories of sources from which the Personal Information is collected; 

  • The business or commercial purpose for collecting or selling Personal Information; 

  • The categories of third parties with whom we share Personal Information; and 

  • The specific pieces of Personal Information we have collected about you. 

Right to Delete 

As a California resident, you have the right to request that we delete any Personal Information about you which we have previously collected. If it is necessary for us to maintain the Personal Information for certain purposes, we are not required to comply with your deletion request. If we determine that we will not delete your Personal Information when you request us to do so, we will inform you and tell you why we are not deleting it. 

Right to Opt-Out of Sale of Personal Information 

We do not sell Personal Information, including the Personal Information of minors under the age of 16. However, pursuant to applicable law, a California resident may request that their information not be sold in the future.  To do so please send a request via our ‘Contact Us’ page. 

No Discrimination 

You have the right not to be discriminated against because you exercised any of your rights under the CCPA.  

If you would like to exercise any such rights, please send a request via our ‘Contact Us’ page. 

Virginia Consumer Data Protection Act  

The Virginia Consumer Data Protection Act (VCDPA) provides consumers with certain rights related to their personal data. Under the Act, these rights include: 

  • The right to know, access, and confirm personal data; 

  • The right to delete personal data; 

  • The right to correct inaccuracies in personal data; 

  • The right to data portability (i.e., easy, portable access to all pieces of personal data held by a company); 

  • The right to opt-out of the processing of personal data for targeted advertising purposes; 

  • The right to opt-out of the sale of personal data; 

  • The right to opt-out of profiling based upon personal data; and 

  • The right to not be discriminated against for exercising any of the foregoing rights. 

If you are a Virginia resident and would like to exercise any such rights, please send a request via our ‘Contact Us’ page. 

Colorado Privacy Act 

The Colorado Privacy Act (CPA) provides consumers with certain rights related to their personal data.  

The CPA provides five main rights for the consumer. 

Right of Access 

You have the right to confirm whether a controller is processing your personal data and to have the sole right to access your personal data. 

Right to Correction 

You have the right to correct inaccuracies in any personal data, taking into account the nature of the personal data and the purposes of the processing of your personal data. 

Right to Delete 

You have the right to delete personal data concerning the consumer. 

Right to Data Portability 

You have the right to obtain your personal data in a portable and, to the extent technically feasible, readily usable format that allows you, the consumer, to transmit the data to another entity without hindrance.

Right to Opt-Out 

You have the right to opt out of the processing of your personal data for purposes of:

  • targeted advertising; 

  • the sale of personal data; or 

  • profiling in furtherance of decisions that produce legal or similarly significant effects on you as the consumer. 

Right to appeal 

The CPA also provides you the right to appeal a business’ denial to take action within a reasonable time period. A business must respond to a request within 45 days of receipt and may subsequently extend that deadline by an additional 45 days when reasonably necessary. When a business elects to extend that deadline, it must notify you within the initial 45-day response period. 

If you are a Colorado resident and would like to exercise any such rights, please send a request via our ‘Contact Us’ page. 

Massachusetts Information Privacy Act 

MGL c.214, § 1B Right of Privacy of the Massachusetts Information Privacy Act (MIPA) provides that any Massachusetts resident (resident) shall have a right against unreasonable, substantial, or serious interference with his privacy. Information may only be collected with the resident’s express permission and any company that holds such information must immediately delete it upon a request to do so from the impacted resident.  

To make any such request as a resident of the Commonwealth of Massachusetts, please send a request via our ‘Contact Us’ page. 

Connecticut Data Privacy Act 

The Connecticut Data Privacy Act (CTDPA) gives Connecticut residents certain rights over their personal data and establishes responsibilities and privacy protection standards for data controllers that process personal data. It protects a Connecticut resident acting in an individual or household context, such as browsing the Internet or making a purchase at a store.  

What is considered personal data? 

Personal data is any information that can be linked to an identifiable individual, excluding publicly available information. Examples of personal data include: a home address, a driver’s license or state identification number, passport information, a financial account number, login credentials, and payment card information. 

Access 

Consumers have the right to confirm whether a controller is processing their personal data and access such personal data, unless such actions would reveal a trade secret. 

Correction 

Consumers have the right to correct inaccuracies in their personal data (with some limitation). 

Deletion 

Consumers have the right to delete personal data provided by or about the consumer. 

Data Portability 

Consumers have the right to obtain a portable copy of their personal data to the extent technically feasible and provided the controller will not be required to reveal any trade secret.

Opt-Out of Certain Data Processing 

Consumers have the right to opt out of the processing of personal data for purposes of:  

  • targeted advertising; 

  • the sale of personal data; or  

  • profiling in connection with automated decisions that produce legal or similarly significant effects concerning the consumer.  

Designation Rights 

Consumers have the sole right to designate another person as an authorized agent to exercise the right to opt out on their behalf. 

To make any such request as a resident of the State of Connecticut, please send a request via our ‘Contact Us’ page. 

The Utah Consumer Privacy Act  

The Utah Consumer Privacy Act (UCPA) is applicable to the following: 

  • Any controller or processor who:

      • Conducts business in the state of Utah; or

      • Produces a product or service that is targeted to consumers who are residents of the state of Utah.

  • Any owner of the information (Consumer) who:

      • Is a resident of the state of Utah; or

      • Is provided a good or a service from a business that conducts its business in the state of Utah.

The UCPA provides consumers the right to:   

  • Confirm whether a controller is processing the consumer's personal data. 

  • Access the consumer's personal data. 

  • Delete the consumer's personal data that the consumer has provided to the controller. 

  • Obtain a copy of the consumer's personal data, that the consumer previously provided to the controller, in a format that:

      • is portable;

      • is readily usable; and

      • allows the consumer to transmit the data to another controller without impediment.

  • Opt-out of the processing of the consumer's personal data for purposes of:

      • targeted advertising; and/or

      • the sale of personal data.

Texas Data Privacy and Security Act 

The Texas Data Privacy and Security Act (TDPSA) regulates the collection, use, processing, and treatment of consumers’ personal data and provides residents the following rights:    

  • Confirm whether a controller is processing personal data and be provided the ability to access the personal data. 

  • Correct inaccuracies in their personal data. 

  • Delete personal data provided by or obtained about the consumer. 

  • Obtain a copy of their personal data, if available, in a portable and readily usable format.  

  • Opt-out of processing personal data for targeted advertising, the sale of personal data, or its use for profiling.   

All data subject or opt-out requests must be addressed “without undue delay,” but no later than 45 days after the receipt of the request. Furthermore, a data subject or opt-out request must be provided free of charge at least twice annually per consumer.  

Scope: Who Must Comply With the TDPSA?  

The law applies to those who conduct business in the state of Texas or produce a product or service consumed by residents of the state of Texas; process or engage in the sale of personal data; and are not a small business, as defined by the U.S. Small Business Administration.

Texas Data Privacy Law Requirements  

The TDPSA outlines duties for controllers related to collecting personal data, including limiting collection to what is adequate, relevant, and reasonably necessary, and requiring them to establish data security practices.   

Controllers cannot:   

  • Collect personal data for reasons not disclosed to the consumer without consent.  

  • Process data in violation of state and federal laws that prohibit unlawful discrimination or discriminate against a consumer for exercising their rights.  

  • Process sensitive data without consent or process sensitive data of a child unless it's in accordance with the Children’s Online Privacy Protection Act of 1998 (COPPA).  

Florida Data Privacy Law  

The Florida Digital Bill of Rights applies to any person that: 

  • Conducts business in Florida or produces products or services "used" by Florida residents, and  

  • Processes or engages in the "sale" of personal data.  

Definition of a Controller  

A "controller" is an entity that: 

  • Is organized or operated for the profit or financial benefit of its shareholders or owners. 

  • Conducts business in the state of Florida. 

  • Collects personal data about consumers or is the entity on behalf of which such information is collected. 

  • Determines the purposes and means of processing personal data about consumers alone or jointly with others. 

  • Makes in excess of $1 billion in global gross annual revenues. 

Definition of a Processor 

A "Processor" is defined as a person, entity or otherwise who processes personal data on behalf of a controller.  

Duties of a Controller 

Controllers are required to provide consumers with a reasonably accessible and clear privacy notice, which, among other things, discloses: 

  • The categories of personal data processed by the controller. 

  • The purpose of such processing. 

  • How consumers may exercise their privacy rights.

  • How controller processes personal data to the extent such processing is "reasonably necessary and proportionate" and "adequate, relevant, and limited to what is necessary" for the certain specified purposes.  

  • How controller has implemented reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and reduce reasonably foreseeable risks of harm to consumers. 

  • How controller has conducted and documented data protection assessments in connection with certain processing activities, such as processing personal data for targeted advertising or certain profiling purposes, selling personal data, processing sensitive data, or any other processing activity that presents a heightened risk of harm to consumers.  

  • That controller will review and update the privacy notice at least annually. 

Consumer Rights and Requests 

  • The right to access and obtain a copy of any data that the controller may hold.  

  • The right to delete or correct inaccuracies in their personal data.  

  • The right to opt-out of the selling and/or sharing of personal data for targeted advertising, including removal of personal data from voice or facial recognition technologies. 

  • Permits parents and guardians to exercise rights on behalf of their children.  

A controller must respond to a consumer's request to exercise their right within forty-five (45) days of receipt of such request. If the controller denies the consumer's request, the controller must offer a right of appeal that is conspicuously available and similar to the process for submitting a consumer request.

Selling Personal Data 

The Florida Digital Bill of Rights defines the "sale of personal data" as "the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by a controller to a third party".

The transfer of personal data is not considered a sale of personal data under the following circumstances: 

  • To a processor that processes personal data on behalf of the controller. 

  • To a third party for purposes of providing a product or service requested by the consumer. 

  • That the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience. 

  • To a third party as an asset that is part of a merger or an acquisition under the condition of a non-disclosure agreement. 

Targeted Advertising 

Targeted advertising is defined as displaying to a consumer an advertisement selected based on personal data obtained from that consumer's activities over time across affiliated or unaffiliated websites and online applications used to predict the consumer's preferences or interests. 

A consumer may opt-out of any and all targeted advertising as described previously.  

Consumers' Right of Action

If a consumer is not satisfied by any response or action by a data controller or processor, the consumer may file a formal complaint with the Florida Department of Legal Affairs. The Florida Department of Legal Affairs can bring action against violators for an unfair or deceptive act or practice.

Oregon Consumer Privacy Act  

To whom does the Oregon Consumer Privacy Act (OCPA) apply? 

The OCPA imposes transparency and disclosure obligations on a "controller" (an individual or legal entity who, "alone or jointly with another person, determines the purposes and means for processing personal data") who either: 

  • Conducts business in Oregon; or 

  • Produces products or services that are targeted to the residents of Oregon; 

and a for-profit or non-profit entity that during a calendar year:

  • Controls or processes personal data of not less than 100,000 Oregon residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or 

  • Controls or processes personal data of not less than 25,000 Oregon residents and derives more than 25 percent of its gross revenue from the sale of personal data. 

What rights does the OCPA grant to consumers? 

The Oregon Consumer Privacy Act grants residents acting in an individual context ("consumers") certain access and control rights concerning their personal data. Consumers do not include those in a commercial or employment context.

A consumer may submit authenticated requests to a controller to: 

  • Confirm whether the controller is processing the consumer's personal data; 

  • Obtain a copy of the consumer's personal data (i.e., data portability); 

  • Correct inaccurate personal data of the consumer; 

  • Delete personal data about the consumer; 

  • Disclose, at the controller's discretion, the list of third parties to whom the controller has disclosed the consumer's, or any consumer's, personal data;

  • Opt-out of the processing of the consumer's personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer (profiling); and  

  • Revoke previously given consent to process the consumer's personal data, which must be honored within 15 days of receiving the request. 

A controller must respond to consumer requests to exercise their rights granted by the statute within 45 days. The OCPA also grants consumers the right to appeal the controller's refusal to take action on requests to exercise their rights. A controller must respond to an appeal in writing within 45 days and, if the appeal is denied, the controller must provide the consumer with a method for contacting the Oregon Attorney General. 

What obligations does the OCPA impose on controllers and processors? 

The OCPA applies to "personal data." Personal data is defined as any information that is linked or reasonably linkable to a consumer or to a device that is reasonably linkable to a consumer. The definition of personal data notably excludes de-identified data or publicly available information. 

Controllers will limit the collection of personal data to what is adequate, relevant, reasonably necessary, and proportionate in relation to the purposes for which the personal data is processed and establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and security of consumers' personal data; and disclose if the controller sells consumers' personal data to third parties or engages in targeted advertising, and provide consumers an opportunity to opt out. 

What obligations does the OCPA impose on Processors?

A processor must assist the controller in meeting its obligations under the act, including its obligations regarding consumer rights requests and security of data processing.

Disputes Concerning Consumer Data Privacy 

If the consumer is not satisfied with a response or action of a controller, a formal complaint may be filed with the Oregon office of the Attorney General (AG).

Montana Consumer Data Privacy Act  

Who does the Montana Consumer Data Privacy Act (MCDPA) apply to? 

The MCDPA imposes transparency and disclosure obligations on a "controller" (an individual who or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data) who either: 

  • Conducts business in Montana; or 

  • Produces products or services that are targeted to the residents of Montana; 

and that: 

  • Controls or processes personal data of not less than 50,000 Montana residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or 

  • Controls or processes personal data of not less than 25,000 Montana residents and derives more than 25% of its gross revenue from the sale of personal data. 

What rights does the MCDPA grant consumers? 

The MCDPA grants Montana residents acting in an individual context, ("consumers"), certain access and control rights concerning their personal data. Consumers do not include those in a commercial or employment context. 

A consumer may submit authenticated requests to a controller to: 

  • Confirm whether the controller is processing the consumer's data.  

  • Provide access to the consumer's data. 

  • Correct inaccurate personal data of the consumer. 

  • Delete personal data about the consumer. 

  • Obtain a copy of the consumer's personal data (i.e., data portability).  

  • Opt-out of the processing of the consumer's personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. 

A controller must respond to consumer requests to exercise their rights within 45 days. Furthermore, a consumer is granted the right to appeal a controller's refusal to take action on requests to exercise their rights. A controller must respond to an appeal in writing within 60 days and, if the appeal is denied, the controller must provide the consumer with a method for contacting the Montana Attorney General. 

What obligations does the MCDPA impose on controllers? 

Controllers will limit the collection of personal data to what is adequate, relevant, reasonably necessary, and proportionate in relation to the purposes for which the personal data is processed and establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and security of consumers' personal data; and disclose if the controller sells consumers' personal data to third parties or engages in targeted advertising, and provide consumers an opportunity to opt out. 

What obligations does the MCDPA impose on Processors?

A processor must assist the controller in meeting its obligations under the act, including its obligations regarding consumer rights requests and security of data processing.

Disputes Concerning Consumer Data Privacy 

If the consumer is not satisfied with a response or action of a controller, a formal complaint may be filed with the Montana Attorney General Investigations and Enforcement unit.