Does the Law Apply to You?
Does your business:
(1) conduct business or target consumers in Montana, and
(2) process or control:
a. personal data about at least 50,000 Montana consumers (excluding data used solely for purposes of completing a payment transaction) OR
b. personal data about at least 25,000 Montana consumers and derive more than 25% of gross revenue from the sale of personal data; and
(3) not fall under the umbrella of governmental agencies, non-profits, institutions of higher education, or entities covered by HIPAA or the Gramm-Leach-Bliley Act?
If you answered YES to all three questions, the MCDPA applies to your business.
When Does the MCDPA NOT Apply?
MCDPA does not apply to governmental agencies, non-profits, institutions of higher education, and others, including entities covered by the Gramm-Leach-Bliley Act or HIPAA.
MCDPA does not apply to individuals acting in a commercial or employment context.
Data covered by HIPAA, the Common Rule, the Driver’s Privacy Protection Act, FERPA, the Fair Credit Reporting Act, the Farm Credit Act, and certain other laws is exempt from the MCDPA.
Key Components of the MCDPA
In general, the MCDPA most closely aligns with Connecticut’s CTDPA and Virginia’s VCDPA. Like many recently enacted state privacy laws, including those of Virginia, Colorado, and Connecticut, the MCDPA requires opt-in consent for any use of sensitive data.
What Constitutes Sensitive Data Under the MCDPA?
Like many of the recently enacted state privacy laws, Montana’s definition of sensitive data goes beyond the usual elements. It includes:
- racial or ethnic origin
- religious beliefs
- information about a person’s sex life or orientation
- genetic and biometric data
- mental or physical health diagnosis
- citizenship and immigration status
- precise geolocation data
- personal data collected from a known child
What Constitutes Sale of Personal Data Under the MCDPA?
Montana follows the lead of California, Colorado, and Connecticut in defining ‘sale’ to include exchange for money or other valuable consideration. Notably, this definition includes most targeted advertising activities! If your company sells personal data, you will need to provide consumers with a right to opt out of that sale, just as you do for California, Virginia, Colorado, and Connecticut, and likewise a right to opt out of targeted advertising and profiling.
Individual Consumer Rights Under the MCDPA
The individual rights created under MCDPA align well with those provided under other state laws. If MCDPA applies to your business, you must allow consumers to:
- Confirm whether your business is processing any data and, if so, access it
- Correct data about them
- Delete personal data about them
- Obtain a copy of personal data they provided (data portability)
- Opt-out of targeted advertising, the sale of personal data, and profiling
Unless a business cannot authenticate a request, it must respond within 45 days of receipt of the request, with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge at least once per year. If the business declines to take a requested action, it must provide the consumer with written notification and instructions for appeal.
The appeal process must be conspicuously available to the consumer and similar to the process for submitting requests. Businesses must respond to appeals within 60 days of receipt and, if denying an appeal, must allow consumers to submit a complaint via an online mechanism (if available) or another method for contacting the Montana State Attorney General.
Pseudonymous Data and Individual Rights
As under Virginia’s privacy law and those of some other states, a business does not need to include pseudonymous data in its response to Individual Rights Requests under the MCDPA.
The MCDPA defines “pseudonymous data” as “personal data that cannot be attributed to a specific individual without the use of additional information, provided the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.”
Pseudonymous data is often used in clinical trials, where each trial participant is assigned a unique random ID. Only the physician and other medical staff know the identity of the participants; other entities participating in the research (including the sponsor/manufacturing company, labs, and other supporting entities) have only the participant ID connected to the study data.
Can Pseudonymous Data Help My Company?
Other types of organizations may want to consider whether they can store customer data in a pseudonymized way, especially those that already assign identifiers through, for example, loyalty or participation rewards programs such as frequent flier/renter/buyer/guest numbers, membership IDs (like insurance companies, libraries, and fitness centers), or a player ID (for online and mobile games).
By separating identifying data (like contact information and payment details) from other information (company-specific identifiers, transactional history, profile information, etc.), a company may be able to decrease its burden in responding to Individual Rights Requests by limiting the data and databases to which the requests must be applied.
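An added illustration of the separation just described, in Python (not code from the post or from Red Clover Advisors): identifying data lives in a vault keyed by a random pseudonym, transactional data is stored under the pseudonym only, and a consumer request is resolved against the vault side, so the identifying link can be removed without touching the pseudonymous store. The store names, the email index, and the sample records are assumptions for this example.

```python
import secrets

# Constructed in-memory stores standing in for two separately held databases.
identity_vault: dict[str, dict] = {}        # pseudonym -> identifying data (the "additional information")
email_index: dict[str, str] = {}            # email -> pseudonym; kept with the vault, not with the records
pseudonymous_records: dict[str, list] = {}  # pseudonym -> transaction history only

DIRECT_IDENTIFIERS = {"name", "email", "phone", "address"}


def enroll(name: str, email: str) -> str:
    """Issue a random pseudonym (not derived from the identity) and split the data."""
    if email in email_index:
        return email_index[email]
    pseudonym = secrets.token_hex(16)
    identity_vault[pseudonym] = {"name": name, "email": email}
    email_index[email] = pseudonym
    pseudonymous_records[pseudonym] = []
    return pseudonym


def record_transaction(pseudonym: str, item: str, amount_cents: int) -> None:
    """Transactional data is written under the pseudonym only, never with identifiers."""
    pseudonymous_records[pseudonym].append({"item": item, "amount_cents": amount_cents})


def store_has_direct_identifiers() -> bool:
    """Control check: the pseudonymous store must never carry a direct identifier field."""
    return any(DIRECT_IDENTIFIERS.intersection(r)
               for records in pseudonymous_records.values() for r in records)


def resolve(email: str):
    """A consumer request is matched via the vault-side index, not by scanning records."""
    return email_index.get(email)


def sever_identity_link(email: str) -> bool:
    """Remove the identifying data and index entry; the remaining records are no longer
    attributable to the individual without that separately held information."""
    pseudonym = email_index.pop(email, None)
    if pseudonym is None:
        return False
    identity_vault.pop(pseudonym, None)
    return True


def can_attribute(pseudonym: str) -> bool:
    return pseudonym in identity_vault


def record_count(pseudonym: str) -> int:
    return len(pseudonymous_records.get(pseudonym, []))
```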
Data Protection Assessments (aka Privacy Impact Assessments)
Like many other state privacy laws, the MCDPA includes a requirement to conduct Privacy Impact Assessments. The circumstances under which they must be completed align with the VCDPA and CTDPA. Similarly, the MCDPA allows Assessments conducted for compliance with other laws to satisfy the MCDPA requirements if “reasonably similar in scope and effect.”
The MCDPA requires companies to conduct assessments on activities carried out after January 1, 2025, that present a heightened risk of harm, including:
- Processing for targeted advertising
- Selling personal data (remember: this includes exchange for non-monetary value and will likely require an Assessment of behavioral advertising activities)
- Processing for the purposes of profiling, if it presents a “reasonably foreseeable risk” of:
  - Unfair or deceptive treatment or unlawful disparate impact on consumers
  - Financial, physical, or reputational injury to consumers
  - Physical or other intrusion on the solitude or seclusion, or private affairs or concerns, which would be offensive to a reasonable person
  - Other substantial injury
- Processing sensitive data
If your entity uses AI, consider reviewing how you use it and the effects it creates to determine whether or not an assessment is required.
The MCDPA requires that a contract be in place that dictates what vendors must do concerning processing personal data. Contracts must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.”
Additionally, the contract must require that the processor:
- Ensure it binds each person that processes personal data to a duty of confidentiality
- Delete or return all personal data when it has completed the services, unless retention of the personal data is required by law
- Make available all information necessary to demonstrate the processor's compliance with its obligations
- Pass along the same obligations to any subcontractor in a written contract
- Cooperate with assessments by the controller or an independent assessor to assess the processor's policies and technical and organizational measures. If using an independent assessor, provide an assessment report to the controller.
Like the most recent state laws, including Colorado and Connecticut, the MCDPA specifies that it should not be construed to restrict a business’s collection, use, or retention of personal data for:
- Conducting internal research for development, improvement, and repair of products, services, and technology (R&D)
- Product recalls
- Identifying and repairing technical errors that impair existing or intended functionality
- Performing internal operations
How Will the MCDPA be Enforced?
Like almost all state data privacy laws, including those of Virginia, Colorado, Connecticut, and Utah, the Attorney General will have the sole enforcement authority, and violations will be treated as an unfair trade practice under the Montana Consumer Protection Act.
- Enforcement actions may be brought after 60 days’ notice and a cure period; the cure period will expire on April 1, 2026.
- In any enforcement action, the Attorney General can seek an injunction or restraining order (orders that require the entity to stop engaging in certain activities immediately), as well as civil fines of not more than $10,000 for each violation.
- If an individual has engaged in fraudulent activity, that person may be fined not more than $5,000, imprisoned for not more than one year, or both, at the discretion of the court.
- The Consumer Protection Act provides for an additional civil penalty not to exceed $10,000 for each violation if the offending conduct is perpetrated against a person over age 60 or against a developmentally disabled person.
Prepare Your Business For MCDPA Compliance Today
Data privacy programs are good business. Don’t wait for the “right” time to start. Start today to protect your customers and your business.
At Red Clover Advisors, we believe a good data privacy program is a powerful tool for your business.
Based on an in-depth understanding of data regulations and corporate backgrounds, our team of experts guides clients through the intersection of data privacy, digital marketing, and business strategy. We are dedicated to helping you protect your business, build better relationships with your customers, and set yourself apart from your competitors.