Businesses must use clear and transparent methods that allow individuals to make an informed and affirmative choice. Consent must be obtained before processing sensitive personal data, such as health information, biometric data, or geolocation. Businesses should present information about data collection and processing in plain, understandable language, avoiding jargon. Consent must be an active action by the individual, such as checking a box or clicking a confirmation button; pre-checked boxes or implied consent are not compliant. For individuals under the age of 13, verifiable parental consent is required. Businesses must also provide a simple way for individuals to withdraw consent at any time.

The Montana Consumer Data Privacy Act (MCDPA) is enforced by the Montana Attorney General, who has the authority to investigate violations, issue penalties, and ensure compliance with the law. Businesses that violate the MCDPA are typically given a 60-day cure period to address and remedy the non-compliance after being notified. If the issues are not resolved within this timeframe, the Attorney General can impose penalties, including fines of up to $7,500 per violation.

Start by assessing whether your business meets the law’s applicability criteria, such as processing the personal data of at least 50,000 Montana residents annually or earning a significant portion of revenue from data sales. Develop a clear and accessible privacy policy that outlines how you collect, use, and share personal data, and include details about consumer rights under the MCDPA. Implement systems to handle consumer rights requests, such as accessing, correcting, deleting, or opting out of data processing.

Shopify merchants can use tools like Consentmo to simplify compliance, as it provides automated solutions for cookie consent management, privacy notices, and handling data subject requests.