Montana Consumer Data Privacy Act (MCDPA)

The Montana Consumer Data Privacy Act (MCDPA) is Montana's comprehensive data protection law. The MCDPA was passed on April 21st, 2023, and joins several other state privacy laws that help to protect consumers' personal data and provide organizations with a framework for how to handle the data they collect and process.

This article will take you through what the MCDPA is, who it applies to, the steps you need to take in order to comply with the MCDPA, and what happens if you violate the law.

What is the Montana Consumer Data Privacy Act (MCDPA)?

The Montana Consumer Data Privacy Act (MCDPA) is a privacy law that grants Montana consumers rights concerning their personal data and gives organizations guidelines on how to treat the personal data they collect and process. The MCDPA is set to go into effect on October 1st, 2024.

Who Does the Montana Consumer Data Privacy Act (MCDPA) Apply to?

Any company that does business in the state of Montana or provides goods or services to Montana consumers and meets the following requirements must comply with the MCDPA:

• Controls or processes personal data (except for personal data used solely for completing payments) belonging to 50,000 or more Montana consumers, or
• Controls or processes personal data belonging to 25,000 or more Montana consumers and gets more than 25% of its gross revenue from selling that data

Consumers are defined by the MCDPA as residents of Montana. Employees or individuals operating in a commercial context, such as employers, owners, and contractors do not count as consumers under the MCDPA.

Section 2 of the MCDPA details who is considered a consumer under the law:

Who Doesn't the MCDPA Apply to

There are several entities and types of personal data that the MCDPA does not apply to, including:

• State agencies
• Nonprofit organizations
• Higher education institutions
• Certain national securities associations
• Financial organizations governed by or personal data in compliance with the Gramm-Leach-Bliley Act
• Entities covered by and data protected by the Health Insurance Portability and Accountability Act (HIPAA)
• Information that is subject to several other laws, including the Fair Credit Reporting Act, the Childrens' Online Privacy Protection Act (COPPA), and the Family Educational Rights and Privacy Act

Section 4 of the MCDPA describes exemptions to the law, including state agencies, nonprofit organizations, and higher education institutions:

Personal data is any information that can be used on its own or combined with other pieces of information to identify an individual. Personal data does not include publicly available information, or de-identified data, which is information that has been processed in a way that it cannot be used to distinguish an individual.

Data processing is when data is collected, stored, used, disclosed, or otherwise handled, either manually or automatically. Data controllers are individuals or legal entities that decide why and how to process personal data.

Data processors must assist data controllers in keeping the data they process secure, and must provide data controllers with the information they need in order to conduct data protection assessments.

Data processors and data controllers must have a binding contract between them that explains the details of the data processing procedure and ensures that the information being processed is kept safe.

How to Comply With the Montana Consumer Data Privacy Act (MCDPA)

To comply with the Montana Consumer Data Privacy Act (MCDPA), you will need to understand what rights the law grants consumers and the steps you should take in order to ensure that those rights are protected.

The MCDPA gives consumers the following rights:

• The right to know when their data is being processed (unless the knowledge would require the data controller to divulge a trade secret)
• The right to access a copy of their personal data
• The right to edit their personal data
• The right to delete their personal data
• The right to opt out of the processing of their personal data for targeted advertising
• The right to opt out of the sale of their personal data
• The right to be free from discrimination for exercising these rights

There are a few steps you can take to ensure that you are honoring these rights, including responding to consumer requests to exercise their rights in a timely manner, maintaining a Privacy Policy on your website or app, giving consumers opt-out options, getting consent before selling or processing certain types of personal data, and conducting data protection assessments when required.

Respond to Consumer Requests in a Timely Manner

You will need to respond to consumer requests to exercise their rights as soon as possible, and no later than 45 days from the date of the request. If it will take you longer than 45 days to respond to a consumer's request then you will need to inform the consumer about the reasons for the extension.

You can decline to act on a consumer's request, but you must let the consumer know within 45 days of the request why you are declining their request and what steps they can take to appeal the decision. You should provide steps for the appeal decision in a conspicuous location and let the consumer know within 60 days what the appeal decision is. If you deny the appeal, you must give consumers a method for filing a complaint with the attorney general.

It's a good idea to put the steps for exercising consumer rights in the same location as the steps for appealing a consumer request decision, as Reebok does in the Access, Correction, and Deletion clause in its Privacy Policy:

Your responses to consumer requests must be provided free of charge, unless you can prove that a consumer is making "unfounded, excessive, technically infeasible, or repetitive" requests. In those cases, you are allowed to charge a fee.

If you receive consumers' personal data from a third party, then you must keep a record of any deletion requests or opt the consumer out of having their data processed.

Have a Privacy Policy

The Montana Consumer Data Privacy Act requires data controllers to provide users with a Privacy Policy that is clearly written, easily accessible, and contains meaningful information.

To comply with the MCDPA, your Privacy Policy should contain clauses about the types of data you process and for what purposes, what personal data you share with third parties and with whom you share it, and how consumers can contact you and exercise their rights.

The Kinds of Personal Data You Collect and Use

This clause should inform consumers about the types of personal data you collect or use.

Meyers Chocolates uses a Collection of Personal Information clause in its Privacy Policy to let consumers know that the types of personal data it collects include names, addresses, phone numbers, credit card information, and email addresses:

The Reasons Why You Process Personal Data

It's important to explain your reasons for processing personal data. This clause helps to assure consumers that you only process personal data that is relevant and necessary to the functioning of your organization.

Schneider includes a How we use your information clause in its Privacy Policy that explains that it uses the personal information it collects to provide delivery services and process payments, and for advertising, security, and communication purposes:

The Categories of Personal Data You Share With Third Parties

This clause explains what kinds of personal data you share with third parties.

D.A. Davidson Companies includes a Sharing Personal Information clause in its Privacy Notice for California Residents that informs consumers of the types of personal information it has shared over the previous twelve months:

Note that a chart format isn't required for this, but it helps get the information across in a clear, easy-to-read way and helps organize the information better.

The Types of Third Parties You Share Personal Data With

It's important that you only process data that is essential to the functioning of your organization. You can use this clause to explain how you keep the data you collect secure and who you share consumers' personal data with.

Vital Farms' Privacy Policy contains a Sharing or Disclosing Your Data clause that explains that it keeps consumers' personal data secure and confidential, and that it only shares personal data with third parties if it has notified consumers or if consumers have given their express consent, or if the data has been deidentified:

Billings Clinic uses an Information Collection and Use clause in its Privacy Policy to let consumers know that it may share the personal data it collects with vendors and agents in order to support its activities. It also informs consumers that it may share the personal data it collects in order to comply with the law, defend its rights or property, or protect the safety of its users or the public:

Your Contact Information

You will need to make sure that your Privacy Policy includes an accessible way for consumers to contact you.

St. Peter's Health provides consumers with an email address, phone number, and mailing address at the end of its Privacy Notice:

How Consumers Can Exercise Their Rights

You should use this clause to describe the methods consumers can use to exercise their rights. The MCDPA requires these methods to be "secure and reliable."

The How You Can Access and Update Information clause in POM Wonderful's Privacy Policy explains that consumers can contact the company via its email, fax number, or mailing address with requests to access or edit their personal information:

Check out our free Privacy Policy Template to help you get started with creating your own today.

Give Consumers a Way to Opt Out

To comply with the MCDPA, you will need to include a link on your website that takes consumers to a page that allows them to opt-out of targeted advertising and/or the sale of their personal data. This can be your Privacy Policy, as long as you include such information within the policy.

Amazon's Privacy Notice explains how consumers can manage how their personal data is used, and includes several links that consumers can follow to learn more information or take specific actions concerning their data.

Starting January 1st, 2025, you will be required to provide a method for consumers to choose to have an opt-out preference signal (also known as a GPC) sent to you. This method needs to be easy to use, require active consent from consumers, and verify that the consumer is a resident of Montana.

You should always honor opt-out requests, even if they conflict with your privacy settings or with consumers' participation in certain programs.

Section 6, Part 4 of the MCDPA describes this process:

You will need to notify consumers of any conflict and give them the option to choose to use your privacy settings or participate in specific programs.

Get Consent

You should get consent before selling consumers' personal data, processing sensitive data, or processing personal data for targeted advertising purposes.

Sensitive data is a category of personal data that includes the following:

• Race and ethnicity
• Religious beliefs
• Health information
• Sexual orientation
• Citizenship or immigration status
• Genetic and biometric data
• Precise geolocation data
• Personal data belonging to children

You must obtain consent from consumers before processing their sensitive data, and you must comply with the COPPA when processing sensitive data belonging to children.

You will need to get consent anytime you plan to sell consumers' personal data or use their personal data for targeted advertising.

The best practice way to get consent is to use an "I Agree" checkbox that users must click before they're able to share personal information with you. For example, when users sign up for an account with you, they can agree to your Privacy Policy terms at the time they submit the protected personal data needed to create the account, such as an email address.

Here's an example from Hungry Howie's where users are asked to give consent before submitting orders:

Check out our "I Agree" checkbox generator to stay compliant while enhancing your website.

Conduct Data Protection Assessments

Data protection assessments are audits of your data processing practices. The MCDPA requires data controllers to conduct data protection assessments for any data processing activities that could potentially cause harm to a consumer.

The types of activities that require data protection assessments include:

• Processing personal data for targeted advertising purposes
• Selling personal data
• Processing personal data for profiling that could cause unfair treatment, invasion of privacy of, or injury to consumers
• Processing sensitive personal data

A data protection assessment weighs the risks and benefits of the data processing activities listed above. Data protection assessments are required for data processing activities that take place after January 1st, 2025.

For guidance on what this may look like, check out our article: GDPR Data Protection Impact Assessment

Penalties for Violating the Montana Consumer Data Privacy Act (MCDPA)

The Montana attorney general is the enforcing body for the MCDPA. Any entities found to be in violation of the MCDPA will receive a notification of the violation from the attorney general, and will have 60 days from the receipt of the notification to correct the violation. If the entity does not correct the violation within the 60 day timeframe, the attorney general can then take action against the entity.

Summary

The Montana Consumer Data Privacy Act (MCDPA) is Montana's primary consumer privacy and data protection law.

It gives consumers several rights concerning their personal data, including the right to know that their data is being processed, the rights to access, edit, and delete their information, the right to opt-out of the sale of their personal data to third parties or the use of their personal data for targeted advertising, and the right to exercise these rights free from discrimination.

The MCDPA applies to any entities that do business in the state of Montana or offer goods or services to Montana consumers, and that:

• Control or process personal data belonging to 50,000 or more Montana consumers, or
• Control or process personal data belonging to 25,000 or more Montana consumers and receive more than 25% of their gross revenue from selling personal data

There are a few steps you should take in order to help you comply with the MCDPA, including:

• Maintain a Privacy Policy
• Provide consumers with a way to opt out of having their personal data processed
• Limit the use of the personal data that you collect to that which is strictly necessary
• Keep the personal data you collect secure
• Get consent from consumers before selling their personal data, using their personal data for targeted advertising, or processing their sensitive data
• Conduct data protection assessments if you sell consumers' personal data or process personal data for targeted advertising purposes, personal data for profiling that could result in harm to the consumer, or sensitive data
• Give consumers methods for opting-out of the processing and/or sale of their personal data

Your Privacy Policy should be clearly written and easily accessible, and should contain the following clauses:

• The categories of personal data you process
• The kinds of personal data you share
• Your reasons for processing personal data
• The types of third parties you share personal data with
• Your contact information
• How consumers can exercise their rights concerning their personal data

If you are found to be in violation of the MCDPA, the Montana attorney general will notify you and give you 60 days to correct the violation. If after 60 days the violation is not corrected, the attorney general may take action against you.