Montana became the ninth state to pass a comprehensive data privacy law. Senate Bill 384, or the Montana Consumer Data Privacy Act (MCDPA) was signed into law on May 19, 2023, and became effective on October 1, 2024.
Read this guide to learn what you need to know about the MCDPA, including businesses' obligations and consumer rights under the MCDPA, who it applies to, and the law's key definitions.
What Is the Montana Consumer Data Privacy Act (MCDPA)?
The Montana Consumer Data Privacy Act protects the privacy rights of residents of Montana and establishes data privacy responsibilities for companies operating in the state or offering goods or services to Montana residents.
MCDPA guarantees digital privacy to individuals. Under the MCDPA, businesses are required to inform consumers about the collection and processing of their data, while consumers have the right to opt out of data collection and processing. Businesses also need to inform consumers if they share their data with third parties.
The MCDPA also requires businesses to implement reasonable protective measures to ensure consumer data security. The MCDPA aims to protect transparency and accountability in data handling practices.
MCDPA effective date: October 1, 2024.
Certain provisions like the recognition of the Global Privacy Controls signal via consumer browsers will enter into force on January 1, 2024.
The MCDPA provides a grace period for entities that violate it until April 1, 2026.
The law requires businesses to obtain consent from parents or legal guardians before processing the personal data of a known child between 13 to 16 years of age for sale, profiling, and targeted advertising.
The MCDPA designates the Attorney General as its enforcement agency. However, the law does not mention the amount of penalty in the case of violations of the law.
Who does the MCDPA Apply to?
The Montana Consumer Data Privacy Act is a strict data privacy law with a lower applicability threshold than other states.
MCDPA applies to for-profit businesses that are based in Montana or produce products or services that target Montana residents, and:
- Control or process the personal data of at least 50,000 Montana residents (excluding payment transaction data); or
- Control or process the personal data of at least 25,000 Montana residents and derive over 25% of gross revenue from the sale of personal data.
Note that, unlike the CCPA, the MCDPA has no revenue threshold for applicability.
Exemptions to MCDPA
The MCDPA has these exemptions:
- Entities regulated by the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act (HIPAA)
- Government agencies
- Higher education institutions
- National securities associations registered under 15 U.S.C. 78o-3 of the federal Securities Exchange Act of 1934.
- Non-profit entities.
In addition to these entities, certain types of information are also excluded from the law. This includes the information covered under HIPAA, Health Care Quality Improvement Act, Driver’s Privacy Protection Act, Farm Credit Act, Fair Credit Reporting Act, Family Educational Rights and Privacy Act, COPPA, Airline Deregulation Act, and some other information.
The law also excludes the health-related information covered by other laws like patient-identifying information, information related to human subject research, or data maintained for emergency purposes.
Use CookieScript CMP to create a Cookie Banner, collect user consent, and comply with the MCDPA.
MCDPA Key Terms and Definitions
Below are the essential definitions as they appear in the MCDPA. They are similar to the terms defined by other US privacy laws.
A consumer is a resident of Montana who does not act in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of their role.
A data controller is an individual or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.
A data processor is an individual or legal entity that processes personal data on behalf of a controller.
Personal data is any information that is linked or reasonably linkable to an identified or identifiable individual. The term does not include de-identified data, or publicly available information.
De-identified data is data that cannot reasonably be linked to an identified or identifiable individual, provided that the controller takes reasonable measures to ensure it cannot be associated with an individual, publicly commits not to attempt to re-identify it, and contractually obligates any recipient of the data to meet the same requirements.
Publicly available information is information lawfully made available through government records or widely distributed media, or information the consumer has made available to the general public.
Sensitive personal data must be processed with even more special care. Sensitive data under MCDPA includes any of the following personal data about a person:
- racial/ethnic origin
- religious beliefs
- mental/physical health conditions or diagnosis
- sexual life
- sexual orientation
- citizenship/immigration status
- biometric/genetic data
- personal data of a known child below 13 years of age
- Precise geolocation data.
Consent is defined as a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the collection and processing of a consumer’s personal data. The statement could be written, made by electronic means, or any other unambiguous affirmative action. The term does not include acceptance of a general or broad term of use or similar document that contains descriptions of personal data processing along with other unrelated information.
Under the MCDPA, consent is not valid if it was obtained by a consumer hovering over, muting, pausing, or closing a given piece of content, or by using dark patterns.
A dark pattern is a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, so that users take actions they did not intend.
Third-party means an individual or legal entity, such as a public authority, agency, or body, other than the consumer, controller, or processor or an affiliate of the controller or processor.
Consumer Rights Under the MCDPA
Residents of Montana have the following rights regarding their personal data:
- Right to confirm and access: Montana consumers can ask businesses if they’re processing their data, what data they process, and have the right to access it.
- Right to data portability: Montana consumers have the right to obtain a copy of their data in a format that’s easy to transfer to another service.
- Right to correction: Montana consumers have the right to request updates or corrections to inaccurate personal data.
- Right to deletion: Montana consumers have the right to ask businesses to delete their data.
- Right to opt-out: Montana consumers have the right to opt out of targeted advertising, the sale of their data, and certain profiling activities.
- Right to non-discrimination: Businesses can’t discriminate against consumers for exercising their privacy rights.
Obligations for Organizations Under the Montana Consumer Data Privacy Act
Organizations have the following obligations/limitations under the MCDPA:
Purpose limitation: Under the MCDPA, a controller must limit the collection of all personal data to what is adequate, relevant, and reasonably necessary for the purposes for which the data is being collected.
Data minimization: Under the MCDPA, a controller must not collect more personal data than what is reasonable or adequate for the purpose for which it was obtained from consumers.
Consent requirements: Under the MCDPA, a controller must provide an effective mechanism for consumers to revoke their consent for processing of personal data at any time. In such a case, the controller must cease to process the personal data as soon as practically possible, but not later than 45 days after the receipt of the request to revoke consent.
If the controller wants to use the consumer’s personal data for a purpose that is not reasonably necessary or compatible with the purposes for which the data was originally collected, they must get the consumer’s explicit consent for those new purposes.
The requirements for a valid consent under the MCDPA:
- Consumers should be informed of what they are consenting to.
- Consent should be an affirmative action that reflects the consumer's active intention.
- Consent should be given freely, without any manipulations like dark patterns.
- Consent should be specifically given to certain types of data, not a broad one.
- Consent should be unambiguous, clearly stating that consumers agree to the processing.
The MCDPA specifically emphasizes that consent obtained through the following means is not valid consent:
- Acceptance of general terms of use that bundle descriptions of personal data processing with unrelated information, instead of consent to the specific purpose.
- Hovering over, muting, pausing, or closing a web page.
- The agreement was obtained using dark patterns.
Opt-out mechanisms and Global Privacy Controls: Businesses must inform consumers if they sell personal data or use it for targeted advertising, and provide methods to opt out of sales, targeted advertising, and profiling.
They must recognize and respect consumer browser extensions or global device settings, usually called Global Privacy Controls (GPC), indicating users’ desire to restrict certain types of data processing like targeted advertising or the sale of their data.
January 1, 2025, is the deadline for organizations to be ready to honor GPC signals and similar technologies that allow consumers to opt out of targeted advertising and the sale of their personal data by sending an opt-out signal.
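To make the GPC requirement concrete, here is an added example of how a website can honor the signal server-side. This code is written for this guide and is not code from the original page or from CookieScript. The `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property are defined by the Global Privacy Control specification; the shape of the request and consent objects, the purpose names, and the function names are assumptions made for the example. The design point it illustrates is that a GPC signal overrides previously stored consent for the purposes the signal covers (sale and targeted advertising), while profiling continues to follow the consumer's banner choice.

```javascript
// Added example: honoring a Global Privacy Control (GPC) opt-out signal.
// Illustrative code for this guide, not from the original page or CookieScript.
// The Sec-GPC header and navigator.globalPrivacyControl come from the GPC
// specification; request/consent object shapes and function names are assumptions.

// Purposes a Montana consumer may opt out of. A GPC signal is treated as an
// opt-out only for the two purposes it covers under the MCDPA; profiling keeps
// whatever the consumer chose in the consent banner.
const GPC_COVERED = ['sale', 'targeted_advertising'];
const ALL_PURPOSES = ['sale', 'targeted_advertising', 'profiling'];

// True when either the request header or the browser property asserts GPC.
// Header names are matched case-insensitively; only the value "1" counts.
function gpcAsserted({ headers = {}, navigatorLike = null } = {}) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === 'sec-gpc');
  if (key !== undefined && String(headers[key]).trim() === '1') return true;
  return Boolean(navigatorLike && navigatorLike.globalPrivacyControl === true);
}

// Returns the processing decision for one request: which purposes may run and
// why, so the outcome can be written to an audit log alongside the consent record.
function decideProcessing(request, consent) {
  const signal = gpcAsserted(request);
  const allowed = {};
  for (const purpose of ALL_PURPOSES) {
    const consented = consent[purpose] === true;
    const overridden = signal && GPC_COVERED.includes(purpose);
    allowed[purpose] = consented && !overridden;
  }
  return {
    gpc: signal,
    allowed,
    reason: signal
      ? 'GPC opt-out overrides stored consent for sale and targeted advertising'
      : 'stored consent applied',
  };
}

// Constructed sample input: a consent record captured by a banner, followed by
// a request from a browser that sends Sec-GPC: 1.
const sampleConsent = { sale: true, targeted_advertising: true, profiling: true };
const sampleRequest = { headers: { 'Sec-GPC': '1', 'User-Agent': 'constructed-sample' } };
const decision = decideProcessing(sampleRequest, sampleConsent);
console.log(JSON.stringify(decision, null, 2));
```

In a real deployment the decision object would be persisted with the consent record so that an opt-out honored because of a GPC signal can be demonstrated later; the banner itself should also read `navigator.globalPrivacyControl` on the client and pre-select the opt-out state rather than asking the consumer to opt out again.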
Non-discrimination: A controller is not allowed to discriminate against consumers for exercising their rights under the provisions of MCDPA.
However, the law allows the controllers to offer different prices, rates, levels, quality, or selection of goods or services to a consumer if they have exercised their right to opt out of the sale of personal data, or in cases of consumer voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card programs.
Privacy notice requirements: Under the MCDPA, a controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
- the categories of personal data collected and processed by the controller;
- the purpose for processing personal data;
- the categories of personal data that the controller shares with third parties, if any;
- the categories of third parties, if any, with which the controller shares personal data; and
- the mechanisms that the consumer could use to contact the controller regarding their privacy rights;
- methods for consumers to exercise their consumer rights, including how a consumer may appeal a controller's decision regarding the consumer's request.
A privacy notice by CookieScript for informing consumers about their rights and getting their consent to use the collected data.
Security requirements: Under the MCDPA, a controller must establish, implement, and maintain reasonable administrative, technical, and physical data security safeguards to protect the confidentiality, integrity, and accessibility of personal data.
Data protection assessment (DPA): Under the MCDPA, a controller must conduct and document a data protection assessment for each processing activity that carries a heightened risk of harm to a consumer. Such activities include:
- the processing of personal data for the purposes of targeted advertising;
- the sale of personal data;
- the processing of personal data for the purposes of profiling in which the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of or unlawful disparate impact on consumers; financial, physical, or reputational injury to consumers; a physical or other forms of intrusion on the solitude or seclusion or the private affairs or concerns of consumers in which the intrusion would be offensive to a reasonable person; or other substantial injuries to consumers; and
- the processing of sensitive data.
A DPA must identify and balance potential benefits to the controller, the consumer, other stakeholders, and the public from the processing against any potential risks to the consumer's rights. The controller must use safeguards to lessen risks detected through the DPA.
De-identified data requirements: Under the MCDPA, a controller that holds de-identified data must take reasonable measures to ensure that the data cannot be associated with an individual, must publicly commit not to attempt to re-identify it, and must contractually obligate any third parties or processors that receive the data to comply with the same requirements.
A controller must also take the appropriate actions if any of these obligations are violated.
Obligations for Data Processors Under the MCDPA
Data processors also have obligations under the Montana Consumer Data Privacy Act.
Assistance to the controller: Data processors must assist the controllers by adopting appropriate technical and organizational measures to fulfill the controllers’ obligations under the MCDPA, implement security safeguards, and have in place breach notification obligations with respect to the personal data processed.
The processors must also provide controllers with all the necessary information to conduct DPAs.
Processing under contract: The processor must process personal data on behalf of the controller in accordance with the terms of a contract between the two. The contract must set out the instructions for data processing, the purposes of the processing, the type of data processed, the duration of the processing, and the rights and duties of both parties. The contract must also require the processor to:
- ensure the confidentiality of the personal data;
- delete or return the personal data to the controller when it is no longer needed for data processing unless retention of personal data is required by the law;
- upon reasonable request from the controller, provide all the user personal information necessary for compliance with the laws;
- directly or by an independent assessor, allow the controller to conduct a data protection assessment of the processor's policies and technical and organizational safeguards; and
- in the case of having subcontractors, enter into a contract with them to protect the personal data and comply with the privacy laws.
Penalties for Violating MCDPA
The Montana privacy law differs from other privacy laws of this kind in that the act itself does not specify penalty amounts.
The MCDPA designates the Attorney General as its enforcement agency.
There is no private right of action under MCDPA. The Attorney General has the exclusive enforcement power.
The Attorney General must give a business in violation a 60-day notice and an opportunity to cure the violation. However, this cure period is only available until April 1, 2026. After April 1, 2026, the Attorney General can initiate an action without providing a cure period.
How to Comply with the MCDPA?
To comply with the Montana Consumer Data Privacy Act, follow these guidelines:
- Provide an unambiguous, accessible, clear, and specific privacy notice.
- Get consent to collect personal data, especially sensitive personal data.
- Get consent for the sale and targeted advertising of the personal data of a known child between 13 to 16 years of age.
- Provide a convenient consent withdrawal mechanism.
- Limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes.
- Limit the processing of personal data to what is needed to fulfill the specific purpose.
- De-identify data to ensure that the de-identified data cannot be associated with an individual.
- Implement adequate security safeguards.
- Provide opt-out mechanisms for the sale, targeted advertising, and profiling of personal data.
- Recognize global opt-out signals like Global Privacy Controls signal.
- Conduct regular data protection assessments.
- Do not use dark patterns to obtain consent from consumers.
- Do not discriminate against consumers for exercising their rights.
- Enter into contracts with processors.
- Create and implement a response plan for consumer requests.
How Can CookieScript Help?
CookieScript Consent Management Platform (CMP) comes with a Cookie Banner, Cookie Scanner, Privacy Policy Generator, script manager, and user consent manager. It recognizes a Global Privacy Controls signal, detects and categorizes cookies, local storage, session storage, and other trackers, and automatically blocks Third-Party Cookies, so you can be sure your website is compliant with the MCDPA and other privacy regulations 100%!
In 2024, CookieScript CMP was ranked by users as the best CMP on a peer-review site G2.
It also received a GOLD Tier in the New Google Tiering System.
Moreover, it offers affordable pricing.
If you are looking for a solution to comply with the MCDPA or other data privacy laws, try a free 14-day trial of CookieScript CMP.
Frequently Asked Questions
Does Montana have a privacy law?
Yes, Montana has the Montana Consumer Data Privacy Act (MCDPA, or Senate Bill 384), which became effective on October 1, 2024. The law protects the digital privacy of Montana residents and sets obligations for businesses. Use CookieScript CMP to comply with the MCDPA.
What is the Montana Consumer Data Privacy Act?
The Montana Consumer Data Privacy Act protects the privacy rights of residents of Montana and establishes data privacy responsibilities for companies operating in the state or offering goods or services for Montana residents. The MCDPA became effective on October 1, 2024. CookieScript CMP can help you to comply with the MCDPA.
Who is a consumer under Montana privacy law?
Under the MCDPA, a consumer is a resident of Montana who does not act in a commercial or employment context, or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of their role. CookieScript CMP can help you to comply with the MCDPA.
Who does the Montana Consumer Data Privacy Act apply to?
The MCDPA applies to for-profit businesses that are based in Montana or produce products or services that target Montana residents, and control or process the personal data of at least 50,000 Montana residents or control or process the personal data of at least 25,000 Montana residents and derive over 25% of gross revenue from the sale of personal data. Use CookieScript CMP to create a Cookie Banner, get user consent, and comply with the MCDPA.
What are the exemptions for Montana privacy law?
The MCDPA provides exemptions similar to those enumerated under other US privacy laws. The exemptions include: entities regulated by the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act (HIPAA), government agencies, higher education institutions, national securities associations, and non-profit entities. CookieScript CMP can help you to comply with the MCDPA and other privacy laws.
What are the penalties for the violations of the Montana Consumer Data Privacy Act?
The Montana privacy law differs from other privacy laws of this kind in that the act itself does not specify penalty amounts. The Attorney General is the enforcement agency of the law and can initiate an action against a business. Use CookieScript CMP to create a Cookie Banner, get user consent, and comply with the MCDPA.
How to comply with the Montana privacy law?
To comply with the MCDPA, follow these guidelines: provide a privacy notice, get consent, provide a consent withdrawal mechanism, limit the collection and processing of personal data, implement adequate security safeguards, provide and recognize opt-out mechanisms for the sale, targeted advertising, and profiling of personal data, conduct regular data protection assessments, do not discriminate against consumers for exercising their rights, and enter into contracts with processors. CookieScript CMP can help you to comply with the MCDPA.