Discover the Montana Consumer Data Protection Act (MCDPA), a state law safeguarding consumer privacy. Learn about its requirements, exemptions, personal data definition, sensitive data protection, controller and processor duties, data processing agreements, privacy notice compliance, consent requirements, opt-out mechanisms, data protection assessments, consumer rights, enforcement, and fines.
Montana is among the first US states to pass a consumer privacy law, which shares many similarities with other laws in the US.
The Montana Consumer Data Protection Act (MCDPA) is Montana’s state law that protects consumer privacy by requiring businesses to meet specific privacy requirements and granting consumers a number of rights to hold businesses accountable. It will come into effect on October 1, 2024.
The MCDPA applies to businesses that operate from Montana or target Montana consumers and meet at least one of the following requirements:
The Montana privacy law sets a lower threshold compared to other US states, which is reasonable for a state with a population of just over 1 million people.
Similar to other state privacy laws, the MCDPA exempts certain organizations and information from its scope. The exempt organizations include:
The following data is also exempt:
Under the MCDPA, personal data is any data that could identify a person. That includes obvious identifiers such as personal names, email addresses, and Social Security Numbers, but also data that could reasonably be linked to an identifiable person, such as browsing behavior, IP addresses, purchase history, etc. Deidentified data and publicly available personal information are exempt from the scope of the law.
The processing of sensitive data brings more risks to consumers; therefore, it is more strictly protected by the MCDPA. The expanded protection applies to the following sensitive data:
Controllers are the companies that decide everything about the processing activities, including what data to collect, for what purposes, where to store it, how long to retain it, etc. Processors are the service providers that carry out processing on behalf of the controllers.
For example, if you run an ecommerce store, you decide why to process data, what data you need to process, what tools to use, etc., which means that you are the data controller. The third-party tools you employ to manage personal information (from email communication and displaying personalized ads on social networks to monitoring site usage) function as your data processors.
If you run a Software-as-a-Service (SaaS) business, you decide on processing purposes, what data to process, and so on, which makes you a data controller. You act as a data controller when you use data for your own enterprise, but when you process data as a service to your customers, you serve as a data processor for the businesses using your SaaS.
The duties of the controllers include:
Processors’ duties include:
The Data Processing Agreement is the contract between the controller and the processor that governs the data processing. It is required for every controller-processor relationship.
The Montana privacy law requires that the contract contains at least the following:
To comply with the MCDPA, it's important to inform your users about what you do with their personal information. This should be in your privacy policy. The MCDPA specifies that your privacy policy should include:
That’s the bare minimum you need, but you can always add more for increased transparency.
Although the Montana consumer data protection law relies on the opt-out principle, which gives you the freedom to process data without consent, there are a few cases where you must obtain explicit consumer consent:
Consent means “a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer.”
The MCDPA further clarifies how not to ask for consent:
When it comes to a child’s data, you can obtain parental consent according to the COPPA mechanisms.
Yes, you must honor opt-out signals sent by consumers through universal opt-out mechanisms, such as the Global Privacy Control (GPC). However, there is one caveat: the consumer must take affirmative action to set up the universal opt-out mechanism.
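As an added example (not code from the original page or from any vendor), the following server-side check shows one way to honor a Global Privacy Control signal when deciding whether opt-out-regulated processing may run for a given request. It assumes the signal arrives as the `Sec-GPC: 1` request header (the header defined by the GPC specification), that the opt-out-regulated activities are targeted advertising, sale of personal data, and profiling, and that explicit consumer choices are kept in a simple preference record; the preference object and header map below are constructed for illustration.

```javascript
// Added example: honoring a Global Privacy Control (GPC) opt-out signal.
// Assumptions (not from the page): the signal is the "Sec-GPC: 1" request
// header; opt-out-regulated activities are the three listed below; explicit
// consumer choices live in a preference record keyed by activity name.

const OPT_OUT_ACTIVITIES = new Set(['targeted_advertising', 'sale', 'profiling']);

// Returns true when the request carries an active GPC signal.
// Header names are matched case-insensitively; only the exact value "1"
// counts, so "0", "true" or a missing header do not opt the consumer out.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Decides whether an activity may run for this request.
// Order of precedence: an explicit opt-out recorded for the consumer wins,
// then a GPC signal on the request, otherwise processing is allowed under
// the opt-out model. Activities outside the opt-out set are rejected here so
// a typo in an activity name cannot silently bypass the check.
function isProcessingAllowed(activity, headers, preferences = {}) {
  if (!OPT_OUT_ACTIVITIES.has(activity)) {
    throw new Error(`unknown opt-out activity: ${activity}`);
  }
  if (preferences[activity] === 'opted_out') {
    return { allowed: false, reason: 'explicit-opt-out' };
  }
  if (hasGpcSignal(headers)) {
    return { allowed: false, reason: 'gpc-signal' };
  }
  return { allowed: true, reason: 'no-opt-out' };
}

// Produces an audit record for all opt-out activities at once, so the
// decision taken for a request can be logged and later shown to a regulator.
function auditDecisions(headers, preferences = {}) {
  const record = { gpc: hasGpcSignal(headers), decisions: {} };
  for (const activity of OPT_OUT_ACTIVITIES) {
    record.decisions[activity] = isProcessingAllowed(activity, headers, preferences);
  }
  return record;
}

// Constructed sample input: a browser with GPC enabled, and a consumer who
// had earlier opted out of targeted advertising through the privacy policy.
const sampleHeaders = { 'Sec-GPC': '1', 'User-Agent': 'ExampleBrowser/1.0' };
const samplePreferences = { targeted_advertising: 'opted_out' };

console.log(JSON.stringify(auditDecisions(sampleHeaders, samplePreferences), null, 2));
```

In the sample run, targeted advertising is blocked because of the stored opt-out and sale and profiling are blocked because of the GPC signal; with neither present, all three are allowed. Keeping the reason in the decision record is what makes the 45-day response and any Attorney General inquiry easy to answer from logs.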
A data protection assessment is a process that results in a document in which you assess the risk that a specific processing activity poses to your consumers' personal data. The MCDPA explicitly prescribes that activities with heightened risk include:
You need a separate data protection assessment for each activity that poses a heightened risk. The Attorney General can require you to present any data protection assessment to evaluate your compliance with the law.
Montana consumers will have the following rights at their disposal:
Consumers can submit requests to exercise their rights using any of the methods established in your privacy policy. You must respond within 45 days. This deadline can be extended by an additional 45 days for more complex requests.
The Montana Attorney General will enforce the MCDPA. If their investigation finds that you are in violation, you’ll get a 60-day cure period to remedy the violations. If you fail to do so, you’ll be fined. The civil penalties can go up to $7,500 per violation.