Montana Consumer Data Privacy Act (MCDPA)

Overview

The Montana Consumer Data Privacy Act (MCDPA), signed into law in 2023, establishes comprehensive privacy rights for Montana residents and sets clear obligations for businesses handling personal data. The law focuses on enhancing transparency and protecting consumer data in an evolving digital environment.

Regulation Summary

Timeline
  • April 28, 2023: MCDPA signed into law by Governor Greg Gianforte.
  • October 1, 2024: MCDPA becomes effective.
  • January 1, 2025: Requirements for honoring universal opt-out mechanism (UOOM) preference signals take effect.
  • April 1, 2026: The cure period for addressing violations sunsets.

What Businesses Are Affected
  • Businesses conducting operations in Montana or targeting Montana residents, meeting one or more of the following thresholds:
    • Control or process personal data of 50,000 or more consumers annually.
    • Control or process personal data of 25,000 or more consumers and derive more than 25% of gross revenue from selling personal data.

Exemptions
  • Government entities, nonprofit organizations, and institutions of higher education.
  • Entities governed by HIPAA, GLBA, FERPA, or other federal regulations.
  • Personal data processed in an employment context, and publicly available information.

Responsibilities for Businesses
  • Transparency: Provide clear privacy notices detailing data collection, use, and sharing practices.
  • Consumer Rights: Allow consumers to:
    • Access and delete their personal data.
    • Correct inaccuracies in personal data.
    • Opt out of targeted advertising, data sales, and profiling.
  • Data Security: Implement safeguards to protect personal data appropriate to its sensitivity and volume.

Specific Responsibilities for Website Owners
  • Display privacy notices and explicit opt-out mechanisms.
  • Respond to verified consumer requests within 45 days, extendable by another 45 days if necessary.
  • Honor opt-out preference signals starting January 1, 2025.

Additional Requirements
  • Data Protection Assessments: Conduct assessments for high-risk activities, such as:
    • Targeted advertising.
    • Sale of personal data.
    • Profiling with significant consumer impact.
  • Sensitive Data: Obtain explicit consent before processing sensitive personal data.

Data Subject Rights
  • Access: Request confirmation of data processing and obtain copies of personal data.
  • Correction: Fix inaccuracies in personal data.
  • Deletion: Request deletion of personal data.
  • Portability: Receive data in a portable format.
  • Opt-Out: Refuse targeted advertising, profiling, and data sales.

Enforcement
  • Enforced by the Montana Attorney General.
  • Cure Period: 60 days to address violations.
  • Penalties: Civil penalties of up to $7,500 per violation.
  • No private right of action.