6-Step MCDPA Compliance Requirements Checklist

Josh Langeland, CIPM

by Josh Langeland, CIPM

September 4, 2024

Generate a Free MCDPA Privacy Policy
6-Step-MCDPA-Requirements-Checklist-01

Businesses that fall under the legal threshold of the Montana Consumer Data Privacy Act (MCDPA) have until October 1, 2024, to prepare for compliance.

So, I made this simple six-step checklist to help businesses meet the requirements outlined by the MCDPA.

Ready to follow along?

Table of Contents
  1. MCDPA Compliance Checklist: Step-by-Step
  2. MCDPA Requirements FAQ
  3. Summary

MCDPA Compliance Checklist: Step-by-Step

To help simplify the requirements of the MCDPA, I made this easy six-step checklist.


Part 1: Perform a Privacy Audit

To comply with the MCDPA, your business should first perform a privacy audit to identify all personal data it collects from consumers, why, and how it’s used.

Also called a data inventory, consider one of the following methods to complete this process:

Part 2: Privacy Notification Requirements

The MCDPA requires businesses to present Montana consumers with a reasonably accessible, clear, and meaningful privacy policy that explains the following information:

  • What categories of personal data you collect.
  • Your purpose for processing the data.
  • How consumers can exercise their rights and appeal decisions based on requests.
  • What categories of data you share with third parties, if any.
  • What categories of third parties you share data with, if any.
  • An active email address or other mechanism consumers can use to contact you.

Part 3: Consent Management for Specific Data Processing

Businesses subject to following the MCDPA must manage user consent to allow them to opt out of different types of data processing, including:

  • The sale of personal data
  • Processing their data for targeted advertising
  • Processing their data for the purposes of profiling

You can meet this guideline by using a consent management platform (CMP) and presenting your website visitors with a compliant consent banner.

Part 4: Contractual Obligations for Sharing or Selling Personal Data

Under the MCDPA, businesses that act as data controllers working with third-party data processors must use a binding contract outlining the following requirements:

  • Include the instructions for the data processing, its nature, its duration, and its purpose.
  • Require a duty of confidentiality concerning the data.
  • Require the processor to demonstrate compliance with the MCDPA.
  • Require the processor to delete or return all personal data to the controller at the controller’s discretion.
  • Require the processor to delete or return all data at the end of the contract.
  • Require the processor to cooperate with reasonable assessments by the controller.
  • Require any subcontractors to sign a contract outlining the same obligations.

Part 5: Consumer Rights and Verifiable Consumer Requests

If your business is subject to the MCDPA, you must present Montana consumers with two or more ways to submit verifiable consumer requests to follow through on their rights to:

  • Confirm if you’re processing their data.
  • Request access to their data
  • Correct inaccuracies in their data.
  • Obtain a portable copy when possible.
  • Request to delete their personal data.
  • Opt out of having their data sold.
  • Opt out of having their data processed for targeted advertising.
  • Opt out of profiling.

To meet this legal requirement, you might implement the following solutions on your website:

  • Use a Data Subject Access Request (DSAR) form.
  • Provide an email address where users can submit requests.
  • Publish a cookie policy if your site uses cookies that collect sensitive data, data you sell, or data used for targeted advertising.
  • Use a consent banner so consumers can follow through on opt-out rights.

Under the MCDPA, websites must honor universal opt-out mechanisms (UOOMs) as a verified request from consumers to follow through on their opt-out rights by January 1, 2025.

Part 6: Security Procedures and Practices

The MCDPA requires businesses to implement adequate administrative, technical, and physical security measures to protect the confidentiality and accessibility of collected personal information.

Some common data security measures you might consider include:

  • Anonymizing and de-identifying the data
  • Encrypting the information
  • Access controls
  • Creating a data backup or recovery plan

MCDPA Requirements FAQ

Still have questions about the MCDPA? Below, I answer some frequently asked questions about the upcoming law.

Does the MCDPA apply to my business?

The MCDPA applies to your business if you’re located in Montana or target goods and services at residents of the state and meet one of the following thresholds:

  • Controls or processes the personal data of no less than 50,000 consumers, excluding data processes solely to complete payment transactions.
  • Controls or processes the personal data of no less than 25,000 consumers and derives more than 25% of gross annual revenue from the sale of data.

When does the MCDPA take effect?

The MCDPA takes effect on October 1, 2024.

Who enforces the MCDPA?

The Montana Attorney General retains the authority to enforce all aspects of the MCDPA.

What are the penalties for violating the MCDPA?

There is no stated dollar amount for fines for violating the MCDPA.

However, other U.S. state-level laws incur penalties of up to $7,500 per violation, and the possible fines for the MCDPA might be similar.

Can Termly help with MCDPA compliance?

Termly offers a Privacy Policy Generator that can help simplify businesses’ compliance with laws like the MCDPA.

It asks simple questions about your business and makes a unique, comprehensive policy based on your answers. The generator will include all necessary clauses as the MCDPA requires before the law takes effect.

We also provide a Consent Management Platform (CMP) configurable to help websites meet the opt-out requirements outlined by Montana’s consumer privacy law.

It comes with a free DSAR form, so you can provide a reliable method for users to submit requests to follow through on their rights.

Summary

Businesses that need to comply with the MCDPA before it enters effect on October 1, 2024, can use my easy-to-follow six-step checklist for help meeting the legal requirements:

  • Perform a privacy audit to determine all personal data your business collects, why it collects it, and how it is used.
  • Make a privacy policy that meets all notification requirements outlined by the law.
  • Manage user consent and present them with a method to follow through on their opt-out rights.
  • When working with third-party data processors, ensure you make and both sign contracts meeting the guidelines described in the MCDPA.
  • Present users with two or more ways to submit verifiable consumer requests to follow through on their new privacy rights.
  • Implement proper security measures to protect the integrity of all personal data in your possession.

You can use solutions like Termly’s Privacy Policy Generator and CMP to simplify compliance with laws like the MCDPA even further.

Josh Langeland, CIPM
More about the author

Written by Josh Langeland, CIPM

Hi, I’m Josh! I am a Privacy Engineer passionate about using technology to respect user privacy. I thrive at the intersection of complex technology and ever-changing privacy law. If I’m not drafting a design review or re-architecting a system, you might find me reading a biography or hiking at the closest national park. More about the author

Related Articles

Explore more resources