What is MCDPA?

The Montana Consumer Data Privacy Act (MCDPA) is a state-level data privacy law designed to give Montana residents greater control over their personal data. The law provides consumers with rights such as accessing, correcting, and deleting their personal information, as well as opting out of data sales and targeted advertising. It applies to businesses meeting specific revenue or data processing thresholds. The MCDPA was enacted on May 19, 2023, and is part of a growing trend of state-level privacy legislation in the United States.

Where does the MCDPA apply?

The Montana Consumer Data Privacy Act (MCDPA) applies to businesses that conduct business in Montana or target products or services to Montana residents.

It specifically covers entities that meet at least one of the following thresholds:
- Control or process the personal data of at least 50,000 Montana residents annually.
- Derive over 25% of their gross revenue from the sale of personal data while controlling or processing the personal data of at least 25,000 residents.

What are the possible reasons for a penalty?

Common reasons include:
- Failure to respond to consumer requests: not addressing consumer rights requests to access, correct, delete, or opt out of the processing of their personal data within the required timeframe.
- Non-compliance with data processing obligations: processing personal data without a valid legal basis, such as consumer consent, or failing to provide transparency about data collection and use.
- Improper handling of sensitive data: collecting or processing sensitive personal information (e.g., health data or geolocation) without obtaining explicit consent or following required safeguards.
- Lack of adequate security measures.

Who is liable for a penalty under MCDPA?

Under the Montana Consumer Data Privacy Act (MCDPA), data controllers and data processors (businesses that collect, use, or manage the personal data of Montana residents) are liable for penalties if they fail to comply with the law's requirements.

What are the penalties for non-compliance?

- Monetary Fines: Businesses found in violation of the MCDPA may face civil penalties of up to $7,500 per violation, with each affected consumer potentially constituting a separate violation.
- Injunctions: The Attorney General may seek court orders to stop unlawful practices and compel businesses to comply with the law.
- Cure Period: Businesses are typically granted a 60-day cure period to address and resolve alleged violations. If the issues are not remedied within this timeframe, enforcement actions and fines can proceed.
- Legal Costs.

Frequently Asked Questions

How do I obtain consent from individuals under the MCDPA?

Businesses must use clear and transparent methods that allow individuals to make an informed and affirmative choice. Consent must be obtained before processing sensitive personal data, such as health information, biometric data, or geolocation. Businesses should present information about data collection and processing in plain, understandable language, avoiding jargon. Consent must be an active action by the individual, such as checking a box or clicking a confirmation button; pre-checked boxes or implied consent are not compliant. For individuals under the age of 13, verifiable parental consent is required. Businesses must also provide a simple way for individuals to withdraw consent at any time.

How is the MCDPA enforced?

The Montana Consumer Data Privacy Act (MCDPA) is enforced by the Montana Attorney General, who has the authority to investigate violations, issue penalties, and ensure compliance with the law. Businesses that violate the MCDPA are typically given a 60-day cure period to address and remedy the non-compliance after being notified. If the issues are not resolved within this timeframe, the Attorney General can impose penalties, including fines of up to $7,500 per violation.

How do I make my business compliant with the MCDPA?

Start by assessing whether your business meets the law’s applicability criteria, such as processing the personal data of at least 50,000 Montana residents annually or earning a significant portion of revenue from data sales. Develop a clear and accessible privacy policy that outlines how you collect, use, and share personal data, and include details about consumer rights under the MCDPA. Implement systems to handle consumer rights requests, such as accessing, correcting, deleting, or opting out of data processing.

Shopify merchants can use tools like Consentmo to simplify compliance, as it provides automated solutions for cookie consent management, privacy notices, and handling data subject requests.
