Montana Consumer Data Privacy Act (MCDPA): What Website Owners Need to Know

Does your business comply with the Montana Consumer Data Privacy Act (MTCDPA)? 

Montana formally became the ninth state in the country to enact a state-level consumer data privacy law- MTCDPA. The law has adopted the trend of creating its own rules and taking matters into its own hands, rather than relying on a federal privacy law, to protect the data of its residents.

This legislation outlines the consumer rights when it comes to how their information is used by companies. The law also establishes the needs, regulations, and expectations of companies that wish to gather and process this information.

The MTCDPA not only gives detailed guidelines about its enforcement in an event of a data breach but also mentions the penalties and fines.

In this article, we will examine the key aspects of the Montana data privacy law and its impact on companies and businesses.

What is the Montana Consumer Data Privacy Act (MTCDPA)

The Montana Consumer Data Privacy Act (MTCDPA) is a privacy law that gives Montana consumers rights over their personal information. It also gives organizations direction on how to treat the personal information they process and collect.

Montana’s data privacy law took effect on October 1, 2024. The law protects consumers and businesses operating in the state that involve the processing of personal information.

As with most other state data privacy legislation, the MTCDPA uses the term “controllers” to refer to those entities that control the purpose and means of gathering or processing personal data. “Processors” are any entity processing data on behalf of a controller.

Unlike the CCPA, the Montana Privacy Act does not rely on an exclusive revenue cap.

MTCDPA is similar to laws in states like Indiana. It says that even if a business doesn’t make a lot of money, it still has to follow the rules, as long as it handles the personal data of a certain number of people.

Many other data privacy laws protect companies that handle the personal data of 100,000 or more residents; Montana’s statute reduces the threshold to 50,000, mainly because Montana has a relatively small population.

Who Must Comply With the Montana Consumer Data Privacy Act? 

As provided under Section 3, businesses are required to comply with the MTCDPA if they are located in Montana or offer services or products to residents of Montana and meet either of the following requirements:

• Controls or processes the personal data of at least 50,000 consumers, other than personal data controlled or processed solely to finalize a payment transaction
• Processes or controls the personal data of at least 25,000 consumers and derives over 25% of its gross annual turnover from selling personal data.

According to Section 2 of the MTCDPA, consumers are considered residents of Montana. Employees or persons acting in a commercial capacity, including employers, owners, and contractors, are not considered consumers under the MTCDPA.

MTCDPA Consumer Rights: What Protections Does the MTCDPA Law Provide?

The Montana Consumer Data Privacy Act grants consumers several key rights regarding their personal data. These rights have been established as the standard in data privacy laws enacted in other states or worldwide.

Companies are required to provide consumers with an opportunity to opt out of data processing and collection. Controllers and processors are also required to apply reasonable security and safeguards to protect the collected data.

• Right to Opt Out: Customers can opt out of selling their personal data, receiving targeted ads, or having their profile used for advertising purposes.
• Right to Access: Customers are entitled to determine whether a controller is handling their personal information and obtain access to such information, except in specific cases.
• Right to Correction: Consumers are entitled to request corrections to any outdated or inaccurate information a controller maintains about them, particularly if the consumer provided it.
• Right to Delete: Consumers are entitled to request a controller to delete any personal data the controller possesses about them.
• Right to Portability: Consumers have the right to receive a copy of their personal data that they have already submitted to the controller in a readily readable format.
• Right to Not Be Discriminated Against: Controllers cannot discriminate against consumers who exercise their rights. Discrimination encompasses any unjust treatment in connection with these rights.

There are some things businesses can do to make sure that they are abiding by these rights.

Businesses can answer consumer requests to exercise their rights promptly, add a privacy policy on website, provide consumers with opt-out choices, obtain consent before selling or processing specific types of personal data, and perform data protection audits where necessary.

How Organizations Can Comply With Montana Regulations Using WPLP Compliance Platform 

Companies should prepare to revise their privacy policies and include at least two or more ways that consumers can exercise their data privacy rights, including opting out of marketing and the sale of their data.

It’s also the right time to ensure your site complies with global privacy control signals sent by users’ browsers.

Additionally, companies should consider using a consent management platform (CMP) that displays a cookie consent banner compliant with the opt-out requirements defined by Montana data privacy law.

You also need to prepare to conduct proper data protection analyses for specific categories of data processing, as outlined in Section 9 of the law.

If you are dependent on any third parties to process personal data of your customers, be ready to employ compliant data processing agreements (DPA). DPA should be in line with the requirements outlined in Section 8 Part (2) of the act.

As your business prepares for the MCDPA, the WPLP Compliance Platform can offer you plugins to ease your compliance process. Plugins like WP Legal Pages and WP Cookie Consent can help you comply with the law.

WP Legal Pages is a privacy policy generator that presents easy-to-answer questions regarding your business and data processing operations. Then, it generates a compliant policy based on your responses, which can be uploaded to your website in just seconds.

See what it looks like below.

WP Cookie Consent also meets opt-out requirements concerning consumer rights as outlined by laws such as the MTCDPA.

See a sample of it below.

Montana Act Penalties and Fines for Non-Compliance 

The attorney general of Montana is the enforcement agency for the MTCDPA. 

Any party that is in violation of the MTCDPA will be given notice of the violation by the attorney general and will have 60 days from the date of receipt of the notice to correct the violation. 

If the party fails to correct the violation within the 60-day period, the attorney general may then take action against the party.

FAQ

Conclusion

Businesses subject to the MTCDPA must take specific actions to ensure compliance with the Montana Consumer Data Privacy Act’s stringent requirements.

You must update your privacy policy to comply with all applicable legal requirements.

Additionally, you can provide consumers with multiple options to exercise their data privacy rights, including a consent banner with access to a consent preference center and a Data Subject Access Request (DSAR) which is easily accessible on your website. 

We suggest using the WP Legal Pages Compliance Platform to make it easier to comply with other US privacy laws. 

If you like this article, you might also like:

• Pennsylvania Consumer Data Privacy Act (PCDPA)
• An Overview of Iowa Consumer Data Protection Act (ICDPA)
• Texas Data Privacy and Security Act (TDPSA): A Quick Summary

Need help complying with the MTCDPA? Simplify the process with the WP Legal Pages Compliance Platform — your easy solution for meeting Montana’s new data privacy requirements.