Montana Consumer Data Privacy Act: First Look & Summary

Montana has entered the ring as another U.S. state to pass a data privacy law.

Signed by the governor on May 18, the Montana Consumer Data Privacy Act (MCDPA) comes into force on Oct. 1, 2024.

In this guide, you’ll find all you need to know about the MCDPA, including who it applies to and who it affects, the new consumer rights it creates, and the penalties for violating its provisions.

What Is the Montana Consumer Data Privacy Act (MCDPA)?

The Montana Consumer Data Privacy Act, or MCDPA, is one of a growing number of new data privacy laws passed in the US.

It aims to establish consumer rights regarding how personal information gets used by entities and describes requirements, guidelines, and obligations for businesses that want to collect and process that data.

It also explains the penalties and enforcement measures for violating any portion of the law.

MCDPA Effective Date

Montana’s data privacy law enters into force on October 1, 2024.

However, you have until January 1, 2025, to comply with certain provisions surrounding the recognition of global privacy controls via consumer browsers, which will be explained in more detail later in this guide.

The law also provides an initial cure period for entities that violate it, but this grace period ends on April 1, 2026.

MCDPA Key Terms and Definitions

You must understand the legal definitions of some key terms to meet the requirements outlined by the Montana Consumer Data Privacy Act.

Below are the essential phrases and definitions as they appear in the MCDPA.

• Consent: A clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer. The term may include a written statement, a statement by electronic means, or any other unambiguous affirmative action.
  • The term does not include acceptance of a general or broad term of use or similar document that contains descriptions of personal data processing along with other unrelated information; hovering over, muting, pausing, or closing a given piece of content; or an agreement obtained using dark patterns.
• Consumer: An individual who is a resident of this state.
  • The term does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.
• Controller: An individual or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.
• Personal data: Any information that is linked or reasonably linkable to an identified or identifiable individual.
  • The term does not include de-identified data or publicly available information.
• Processing: Any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
• Processor: An individual or legal entity that processes personal data on behalf of a controller.
• Sensitive data: Personal data that includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person’s sex life, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.

Whenever these phrases appear throughout this guide, they’re used with these precise meanings in mind.

What Does the Montana Consumer Data Privacy Act Cover?

The MCDPA covers the personal information of consumers who are residents of the state of Montana. It does not protect individuals acting in a commercial or employment context.

But the following individuals acting on behalf of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications with the controller occur solely within the context of their role aren’t covered:

• Employees
• Owners
• Directors
• Officers
• Contractors

Requirements of the Montana Consumer Data Privacy Act

To help you prepare for this law, below are the different business requirements the Montana Consumer Data Privacy Act outlines.

Controller Guidelines for Processing Data

The MCDPA text describes the controller guidelines for processing personal data in Section 7.

You can process personal information so long as you:

• Limit data collection to what is adequate, relevant, and reasonably necessary concerning the purposes for processing the information as disclosed to the consumer.
• Establish, implement, and maintain reasonable security practices to protect the confidentiality and integrity of the personal data appropriate to the volume and nature of the information.

While the reasons for processing data are broad under the MCDPA, it does require you to obtain consent if you want to collect sensitive personal data, data from known children, or if you want to collect additional information from your users beyond what may be considered reasonably necessary.

In the next section, you’ll learn more about consent under the MCDPA.

Consent

Under the MCDPA, controllers can’t process personal data for reasons that aren’t reasonably necessary or compatible with the disclosed purposes unless they obtain consent from the consumer, as explained in Section 7 Part (2)(a).

Montana’s data privacy law lays out a precise definition of what consent is and what it isn’t.

You must meet several conditions for consent to be compliant, including the following:

• Consent must be a clear, affirmative action and not implied
• Consumers must freely give it, aka., no coercion or force
• It may consist of a written statement, electronic means, or other unambiguous affirmative action

As for what doesn’t qualify as consent under the MCDPA, the text of the law clearly states that none of the following actions count as proficient:

• Accepting a terms of use or other similar document that contains descriptions of personal data along with further unrelated details
• Hovering over, muting, pausing, or closing a piece of content
• Obtaining agreements through the use of dark patterns

Data Protection Assessments

The MCDPA requires controllers to conduct and document data protection assessments for any activity that may present a heightened risk of harm to the consumer.

Specifically, Section 9 part (1) of the law states that the following activities present such a heightened risk:

• Processing personal data for targeted advertising
• Selling personal data
• Processing personal data for profiling which (1) presents a reasonably foreseeable risk of unfair or deceptive treatment of an unlawful disparate impact on consumers, (2) financial, physical, or reputational injury to consumers, (3) a physical or other form of intrusion on the seclusion, solitude, private affairs, or concerns of consumers in which such intrusion would be offensive to a reasonable person
• Other substantial injuries to consumers
• The processing of sensitive data

Part (2) goes on to describe what your data protection assessment must entail, including:

• Identifying and weighing the benefits that may result from processing the data, both directly and indirectly, compared to the potential risks to the consumer’s rights, as mitigated by any safeguards the controller employs.
• Factoring in the use of deidentified data and the reasonable expectations of consumers, including the context of the processing and the relationship between the controller and consumer.

The MCDPA allows you to use a single data protection assessment to address a comparable set of processing activities so long as they are similar in scope.

The law also allows similar assessments required to comply with other applicable laws or regulations to potentially count toward the MCDPA.

Contractual Obligations With Third-Party Processors

Any data controllers that rely on a third-party processor must use a contract that complies with certain facets of the MCDPA, as outlined in Section 8 Part (2).

The controller must require that data processors do the following if they process personal data on the controller’s behalf:

• Ensure each person processing the data is subject to a duty of confidentiality.
• Delete or return all personal data to the controller as requested at the end of the provision of services, at the controller’s direction, unless retention is required by law.
• Make all information available to the controller at their reasonable request to demonstrate the processor’s compliance with the MCDPA.
• Ensure any subcontractors the processor engages with are subject to a written contract meeting these same obligations regarding the personal data.
• Allow and cooperate with reasonable data protection assessments by the controller or the controller’s designated assignee.
• Alternatively, the processor may arrange for a qualified independent assessor to assess their policies and technical and organizational measures and provide a report of the assessment to the controller upon request.

Both the data controller and processor must sign the written contract. Section 8 Part (3) emphasizes that nothing in this section relieves a controller or processor from the liabilities imposed on either party by virtue of their roles in the processing relationship.

According to Section 8 Part (4), determining if an entity is a controller or processor is fact-based and depends on these contexts:

• If a person is not limited in processing personal data according to a controller’s instructions or fails to adhere to a controller’s instructions, they’re considered a controller and not a processor.
• A processor that continues to adhere to a controller’s instructions concerning processing personal data remains a processor.
• If a processor begins, either alone or with others, to determine the purpose and means of processing the personal data, the processor is considered a controller with respect to processing and may be subject to enforcement action.

De-Identified and Pseudonymous Data Obligations

Under the MCDPA, controllers in possession of deidentified data have several responsibilities. Section 10 states that you must:

• Take reasonable measures to ensure the data is deidentified and cannot be associated with an individual.
• Publicly commit to maintaining and using deidentified data without attempting to re-identify it.
• Contractually obligate all recipients of the deidentified data to comply with all provisions of the MCDPA.

But the law clarifies that none of this should be used to require a controller or processor to:

• Re-identify deidentified or pseudonymous data.
• Maintain data in an identifiable form.
• Be capable of associating an authenticated consumer request with personal data.

Global Privacy Controls

Under Montana’s new data privacy law, your business must recognize and respect consumer browser extensions or global device settings, typically called Global Privacy Controls (GPC), indicating their desire to opt out of certain types of data processing.

According to Section 6 of the law, a consumer may legally use a GPC to denote that they want to opt out of having their data used for targeted advertising or the sale of their data.

Entities have until January 1, 2025, to prepare for these GPC and similar platform technology or mechanism requirements.

Montana’s Data Privacy Law vs. Other States: Similarities and Differences

By now, several U.S. states have passed data privacy laws.

While they all share some similarities, they also present a few notable differences that businesses must understand to comply with these pieces of legislation.

Currently, the other U.S. state data privacy laws include:

• California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA) — currently in force
• Colorado Privacy Act (CPA) — currently in force
• Connecticut Data Privacy Act (CTDPA) — currently in force
• Delaware Personal Data Privacy Act (DPDPA) — effective January 1, 2025
• Florida Digital Bill of Rights (FDBR) — effective July 1, 2024
• Indiana Consumer Data Protection Act (Indiana CDPA) — effective January 1, 2026
• Iowa Consumer Data Protection Act (Iowa CDPA) — effective January 1, 2025
• Oregon Consumer Privacy Act (OCPA) — effective July 1, 2024
• Tennessee Information Protection Act (TIPA) — effective July 1, 2025
• Texas Data Privacy and Security Act (TDPSA) — effective July 1, 2024
• Utah Consumer Privacy Act (UCPA) — currently in force
• Virginia Consumer Data Protection Act (VCDPA) — currently in force

Here’s a table that compares all of these laws to the MCDPA:

How Will Consumers Be Impacted by the MCDPA?

The MCDPA impacts consumers by granting them more rights and control over how external entities process and use their personal data.

Specifically, Section 5 of the law states that Montana residents can

• Confirm if a controller is processing their personal data and provide access to that data unless confirmation or access would require the controller to reveal a trade secret.
• Correct inaccuracies in the consumer’s personal data
• Delete personal data about themselves.
• Obtain a copy of their personal data previously provided by the individual in a portable and usable format.
• Opt-out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or significant effects concerning the consumers.

Consumers may also appeal any decisions data controllers make regarding their verifiable consumer requests.

Who Does the MCDPA Apply To?

According to the definition of ‘consumer’ described in Section 2, the MCDPA applies only to the personal data of Montana residents.

Anyone who is not a resident of Montana is not protected by this law.

Notably, this means these individuals are covered by the MCDPA even if they leave the state and use the internet in other parts of the world.

How Will Businesses Be Impacted by the MCDPA?

The Montana Consumer Data Privacy Act impacts businesses in several ways beyond the data protection assessments, contractual obligations, and legal bases for processing data previously mentioned in this article.

It also may affect portions of your privacy and cookie policies. The following sections cover precisely what the MCDPA requires of businesses for both policies.

How Will the MCDPA Affect My Privacy Policy?

According to Section 7 Part (5) of the law, controllers must present consumers with a “reasonably accessible, clear, and meaningful” privacy notice.

Your notice must include all of the following details:

• The categories of personal data the controller processes
• The purpose of processing the data
• The categories of personal data the controller shared with third parties, if any
• The categories of the third parties the controller shared data with, if any
• An active email address or other mechanism consumers can use to contact the controller
• A description of how consumers may exercise their rights granted by the MCDPA, including how they can appeal a controller’s decisions regarding their requests

Your privacy policy must establish and describe two or more “secure and reliable” ways consumers can submit requests to act on their data privacy rights, which must consider:

• The normal ways users interact with you
• The secure and reliable communication measures in place regarding the request
• Your ability to verify the identity of the consumers submitting the request

You cannot require anyone to make a new account to follow through on their rights. However, you can ask a consumer to use an existing account.

How Will the MCDPA Affect My Cookie Policy?

Montana’s new data privacy law may affect your cookie policy, specifically if you use information collected from internet cookies to assist with targeted advertising or sell any of that data.

Under Section 5 of the law, consumers have the right to opt out of having their data processed in either of those ways.

You must update your cookie policy and explain to consumers if you are using targeted or advertising cookies and provide them with a reasonable means for denying or opting out of the use of those or other similar internet trackers.

Who Must Comply With Montana’s New Data Privacy Law?

According to Section 3, you must comply with the MCDPA if you conduct business in Montana or produce products or services targeted to residents of the state and meet either of the following thresholds:

• Controls or processes the personal data of not less than 50,000 consumers, excluding personal data controlled or processed solely to complete a payment transaction
• Controls or processes the personal data of no less than 25,000 consumers and derives more than 25% of their gross annual revenue from the sale of personal data

The fact that data collected from payment transactions is exempt from the legal threshold sets the MCDPA apart from most other current U.S. data privacy laws, as they don’t typically make this qualification.

Who Is Exempt From the MCDPA?

All of the following entities are exempt from the MCDPA requirements:

• Political bodies, authorities, boards, bureaus, commissions, districts, or agencies of the state or any political subdivisions
• Nonprofit organizations
• Institutions of higher education
• National Securities Association registered under 15 U.S.C. 78o-3 of the federal Securities Exchange Act of 1934, as amended.
• Financial institutions or affiliates of financial institutions governed by, or personal data collected, processed, sold, or disclosed under Title V of the Gramm Leach Bliley Act (GBLA)
• Covered entities or businesses as defined in the privacy regulation of the federal Health Insurance Portability and Accountability Act (HIPAA)

How Can Businesses Prepare for the MCDPA?

Businesses should plan to update their privacy policy and include at least two or more ways for consumers to act on their data privacy rights, including opting out of targeted advertising and the sale of their information.

Now is also the time to prepare your website to honor GPCs from your users’ browsers.

Additionally, businesses should consider using a Consent Management Platform (CMP) that provides users with a consent banner that complies with the opt-out requirements outlined by this law.

You should also plan to perform adequate data protection assessments for certain types of data processing per Section 9 of the law.

If you rely on any third parties to process personal information about your consumers, prepare to use compliant data processing agreements that meet the obligations described in Section 8 PArt (2) of the act.

How Will the MCDPA Be Enforced?

The Montana Attorney General has the exclusive right to enforce the MCDPA, as Section 12 of the law explains.

If a controller violates the law, the Attorney General will notify them with a 60-day cure period.

The controller must correct the noticed violations, provide a written statement to the attorney general explaining the corrections, and say that no further violations will occur.

The AG will initiate no further negative actions against controllers who adequately follow through. However, this grace period ends as of April 1, 2026, after which no 60-day cure period shall exist.

Fines and Penalties Under the Montana Consumer Data Privacy Act

The MCDPA does not provide a specific dollar amount or limit regarding penalties. Instead, it simply states that the attorney general is responsible for enforcing the law.

However, the law clarifies that consumers have no private right of action.

How Will Termly Help With MCDPA Compliance?

As your business prepares for the Montana Consumer Data Privacy Act, Termly can provide you with resources and tools to help simplify your compliance journey.

Our legal team and data privacy experts already back our policy generators, plus we update our tools regularly to keep them current with new and changing laws.

Termly’s Privacy Policy Generator, for example, asks you simple questions about your business and its data processing activities. It then creates a compliant policy based on your answers, which you can easily embed directly on your website or mobile app.

Take a peak at what it looks like below.

We also offer a Consent Management Platform (CMP) that you can configure to meet the opt-out requirements concerning consumer rights as outlined by laws like the MCDPA.

See a sample of it below.

Start Managing Consent

Enter Your Website URL

In order to help you create a cookie policy that is compliant with worldwide legislation, we must first scan your website for cookies.

Start Website Scan

Are There Other Privacy Related Laws in Montana?

While the MCDPA is Montana’s first law protecting consumers’ personal data and outlining obligations for processors, it’s not the only state law that impacts privacy rights for residents.

The Montana Pupil Online Personal Information Protection Act prevents entities from knowingly engaging in targeted advertising to K-12 online applications.

The governor also signed Senate Bill 419 in April of 2023, banning the use of the popular social media app TikTok in the state.

Once it goes into effect on January 1, 2024, app stores cannot offer it to residents within state boundaries. It cites TikTok’s gathering of significant information from users and accessing their data against their will as two reasons for the ban.

Anyone violating the prohibition could receive a fine of up to $10,000, plus an additional $10,000 per day after that, so long as the violation continues.

Summary

Now that you’ve reached the end of our Montana Consumer Data Privacy Act guide, you’re equipped with the details you need to start preparing your business for compliance.

Remember, before October 1, 2024, you’ll need to take all of the following steps to meet the high standards of the MCDPA:

• Update your privacy policy to meet all obligations described by the MCDPA.
• Provide two or more methods for consumers to act on their data privacy rights, like a consent banner with access to a consent preference center and linking a Data Subject Access Request (DSAR) form to your site or app.
• Use compliant contracts with any third-party data processors.
• Perform data protection assessments as needed for specific types of data processing.
• Have a working email address or another point of contact for consumers to reach out to you regarding their privacy rights and concerns.

Fortunately, for some businesses, meeting all legal requirements may be easier if you’re already subject to laws like the CCPA or the VCDPA because Montana’s new data privacy law is similar in scope and scale.

But no matter what, Termly’s tools can help make the entire process easier on you so you can focus on what matters most — your business.

More about the author

Written by Stefani Schmidt, M.S., CIPM, CIPP-US

Stefani is a data privacy, risk, compliance, and program management professional with experience in the communications, financial, and adtech industries. Stefani’s previous experience includes working closely with stakeholders from different departments to push forward privacy initiatives across corporations, including working on privacy and security reviews of new business initiatives and vendors. Stefani has an M.S. in Security Technologies from the University of Minnesota – Twin Cities and a B.A. in Journalism and Political Science. More about the author