Legal writer at TermsFeed.
Widener University School of Law graduate, Managing Legal Editor at TermsFeed.
On this page
- 1. What is the Montana Consumer Data Privacy Act (MCDPA)?
- 2. Who Does the Montana Consumer Data Privacy Act (MCDPA) Apply to?
- 2.1. Who Doesn't the MCDPA Apply to
- 3. How to Comply With the Montana Consumer Data Privacy Act (MCDPA)
- 3.1. Respond to Consumer Requests in a Timely Manner
- 3.2.1. The Kinds of Personal Data You Collect and Use
- 3.2.2. The Reasons Why You Process Personal Data
- 3.2.3. The Categories of Personal Data You Share With Third Parties
- 3.2.4. The Types of Third Parties You Share Personal Data With
- 3.2.5. Your Contact Information
- 3.2.6. How Consumers Can Exercise Their Rights
- 3.3. Give Consumers a Way to Opt Out
- 3.4. Get Consent
- 3.5. Conduct Data Protection Assessments
- 4. Penalties for Violating the Montana Consumer Data Privacy Act (MCDPA)
- 5. Summary
The Montana Consumer Data Privacy Act (MCDPA) is Montana's comprehensive data protection law. The MCDPA was passed on April 21st, 2023, and joins several other state privacy laws that help to protect consumers' personal data and provide organizations with a framework for how to handle the data they collect and process.
This article will take you through what the MCDPA is, who it applies to, the steps you need to take in order to comply with the MCDPA, and what happens if you violate the law.
What is the Montana Consumer Data Privacy Act (MCDPA)?
The Montana Consumer Data Privacy Act (MCDPA) is a privacy law that grants Montana consumers rights concerning their personal data and gives organizations guidelines on how to treat the personal data they collect and process. The MCDPA is set to go into effect on October 1st, 2024.
Who Does the Montana Consumer Data Privacy Act (MCDPA) Apply to?
Any company that does business in the state of Montana or provides goods or services to Montana consumers and meets the following requirements must comply with the MCDPA:
- Controls or processes personal data (except for personal data used solely for completing payments) belonging to 50,000 or more Montana consumers, or
- Controls or processes personal data belonging to 25,000 or more Montana consumers and gets more than 25% of its gross revenue from selling that data
Consumers are defined by the MCDPA as residents of Montana. Employees or individuals operating in a commercial context, such as employers, owners, and contractors, do not count as consumers under the MCDPA.
Section 2 of the MCDPA details who is considered a consumer under the law:
Who Doesn't the MCDPA Apply to
There are several entities and types of personal data that the MCDPA does not apply to, including:
- State agencies
- Nonprofit organizations
- Higher education institutions
- Certain national securities associations
- Financial organizations governed by the Gramm-Leach-Bliley Act, and personal data in compliance with it
- Entities covered by and data protected by the Health Insurance Portability and Accountability Act (HIPAA)
- Information that is subject to several other laws, including the Fair Credit Reporting Act, the Children's Online Privacy Protection Act (COPPA), and the Family Educational Rights and Privacy Act
Section 4 of the MCDPA describes exemptions to the law, including state agencies, nonprofit organizations, and higher education institutions:
Personal data is any information that can be used on its own or combined with other pieces of information to identify an individual. Personal data does not include publicly available information or de-identified data, which is information that has been processed in such a way that it cannot be used to distinguish an individual.
Data processing is when data is collected, stored, used, disclosed, or otherwise handled, either manually or automatically. Data controllers are individuals or legal entities that decide why and how to process personal data.
Data processors must assist data controllers in keeping the data they process secure, and must provide data controllers with the information they need in order to conduct data protection assessments.
Data processors and data controllers must have a binding contract between them that explains the details of the data processing procedure and ensures that the information being processed is kept safe.
How to Comply With the Montana Consumer Data Privacy Act (MCDPA)
To comply with the Montana Consumer Data Privacy Act (MCDPA), you will need to understand what rights the law grants consumers and the steps you should take in order to ensure that those rights are protected.
The MCDPA gives consumers the following rights:
- The right to know when their data is being processed (unless the knowledge would require the data controller to divulge a trade secret)
- The right to access a copy of their personal data
- The right to edit their personal data
- The right to delete their personal data
- The right to opt out of the processing of their personal data for targeted advertising
- The right to opt out of the sale of their personal data
- The right to be free from discrimination for exercising these rights
Respond to Consumer Requests in a Timely Manner
You will need to respond to consumer requests to exercise their rights as soon as possible, and no later than 45 days from the date of the request. If it will take you longer than 45 days to respond to a consumer's request, then you will need to inform the consumer about the reasons for the extension.
You can decline to act on a consumer's request, but you must let the consumer know within 45 days of the request why you are declining their request and what steps they can take to appeal the decision. You should provide steps for the appeal decision in a conspicuous location and let the consumer know within 60 days what the appeal decision is. If you deny the appeal, you must give consumers a method for filing a complaint with the attorney general.
Your responses to consumer requests must be provided free of charge, unless you can prove that a consumer is making "unfounded, excessive, technically infeasible, or repetitive" requests. In those cases, you are allowed to charge a fee.
If you receive consumers' personal data from a third party, then you must keep a record of any deletion requests or opt the consumer out of having their data processed.
The Kinds of Personal Data You Collect and Use
This clause should inform consumers about the types of personal data you collect or use.
The Reasons Why You Process Personal Data
It's important to explain your reasons for processing personal data. This clause helps to assure consumers that you only process personal data that is relevant and necessary to the functioning of your organization.
The Categories of Personal Data You Share With Third Parties
This clause explains what kinds of personal data you share with third parties.
D.A. Davidson Companies includes a Sharing Personal Information clause in its Privacy Notice for California Residents that informs consumers of the types of personal information it has shared over the previous twelve months:
Note that a chart format isn't required for this, but it helps get the information across in a clear, easy-to-read way and helps organize the information better.
The Types of Third Parties You Share Personal Data With
It's important that you only process data that is essential to the functioning of your organization. You can use this clause to explain how you keep the data you collect secure and who you share consumers' personal data with.
Your Contact Information
St. Peter's Health provides consumers with an email address, phone number, and mailing address at the end of its Privacy Notice:
How Consumers Can Exercise Their Rights
You should use this clause to describe the methods consumers can use to exercise their rights. The MCDPA requires these methods to be "secure and reliable."
Give Consumers a Way to Opt Out
Amazon's Privacy Notice explains how consumers can manage how their personal data is used, and includes several links that consumers can follow to learn more information or take specific actions concerning their data.
Starting January 1st, 2025, you will be required to provide a method for consumers to choose to have an opt-out preference signal (also known as a Global Privacy Control, or GPC, signal) sent to you. This method needs to be easy to use, require active consent from consumers, and verify that the consumer is a resident of Montana.
You should always honor opt-out requests, even if they conflict with your privacy settings or with consumers' participation in certain programs.
Section 6, Part 4 of the MCDPA describes this process:
You will need to notify consumers of any conflict and give them the option to choose to use your privacy settings or participate in specific programs.
You should get consent before selling consumers' personal data, processing sensitive data, or processing personal data for targeted advertising purposes.
Sensitive data is a category of personal data that includes the following:
- Race and ethnicity
- Religious beliefs
- Health information
- Sexual orientation
- Citizenship or immigration status
- Genetic and biometric data
- Precise geolocation data
- Personal data belonging to children
You must obtain consent from consumers before processing their sensitive data, and you must comply with COPPA when processing sensitive data belonging to children.
You will need to get consent anytime you plan to sell consumers' personal data or use their personal data for targeted advertising.
Here's an example from Hungry Howie's where users are asked to give consent before submitting orders:
Conduct Data Protection Assessments
Data protection assessments are audits of your data processing practices. The MCDPA requires data controllers to conduct data protection assessments for any data processing activities that could potentially cause harm to a consumer.
The types of activities that require data protection assessments include:
- Processing personal data for targeted advertising purposes
- Selling personal data
- Processing personal data for profiling that could cause unfair treatment of, invasion of the privacy of, or injury to consumers
- Processing sensitive personal data
A data protection assessment weighs the risks and benefits of the data processing activities listed above. Data protection assessments are required for data processing activities that take place after January 1st, 2025.
For guidance on what this may look like, check out our article: GDPR Data Protection Impact Assessment
Penalties for Violating the Montana Consumer Data Privacy Act (MCDPA)
The Montana attorney general is the enforcing body for the MCDPA. Any entities found to be in violation of the MCDPA will receive a notification of the violation from the attorney general, and will have 60 days from the receipt of the notification to correct the violation. If the entity does not correct the violation within the 60-day timeframe, the attorney general can then take action against the entity.
The Montana Consumer Data Privacy Act (MCDPA) is Montana's primary consumer privacy and data protection law.
It gives consumers several rights concerning their personal data, including the right to know that their data is being processed, the rights to access, edit, and delete their information, the right to opt out of the sale of their personal data to third parties or the use of their personal data for targeted advertising, and the right to exercise these rights free from discrimination.
The MCDPA applies to any entities that do business in the state of Montana or offer goods or services to Montana consumers, and that:
- Control or process personal data belonging to 50,000 or more Montana consumers, or
- Control or process personal data belonging to 25,000 or more Montana consumers and receive more than 25% of their gross revenue from selling personal data
There are a few steps you should take in order to help you comply with the MCDPA, including:
- Provide consumers with a way to opt out of having their personal data processed
- Limit the use of the personal data that you collect to that which is strictly necessary
- Keep the personal data you collect secure
- Get consent from consumers before selling their personal data, using their personal data for targeted advertising, or processing their sensitive data
- Conduct data protection assessments if you sell consumers' personal data or process personal data for targeted advertising purposes, personal data for profiling that could result in harm to the consumer, or sensitive data
- Give consumers methods for opting out of the processing and/or sale of their personal data
- The categories of personal data you process
- The kinds of personal data you share
- Your reasons for processing personal data
- The types of third parties you share personal data with
- Your contact information
- How consumers can exercise their rights concerning their personal data
If you are found to be in violation of the MCDPA, the Montana attorney general will notify you and give you 60 days to correct the violation. If after 60 days the violation is not corrected, the attorney general may take action against you.