The Montana Consumer Data Privacy Act (MCDPA) is a comprehensive privacy law designed to protect the personal information of Montana residents. Enacted as Senate Bill 384 and signed into law by Governor Greg Gianforte on May 19, 2023, the MCDPA establishes clear guidelines for businesses handling consumer data. The MCDPA took effect on October 1, 2024, positioning Montana among the states with robust data privacy protections.
What is the Montana Consumer Data Privacy Act (MCDPA)?
The Montana Consumer Data Privacy Act (MCDPA) is a US state law protecting the personal data of Montana residents. Signed on May 19, 2023, by Governor Greg Gianforte, it grants rights to access, correct, delete, and opt out of data sales and targeted ads. Businesses must ensure transparency, data security, and obtain consent for sensitive data. It takes effect October 1, 2024.
Why was MCDPA passed?
The Montana Consumer Data Privacy Act (MCDPA) was passed to enhance consumer privacy rights and regulate how businesses handle personal data. It aims to give Montana residents greater control over their information, ensure transparency in data practices, and require businesses to adopt security measures and responsible data processing.
What makes MCDPA unique?
The Montana Consumer Data Privacy Act (MCDPA) stands out by requiring recognizable opt-out mechanisms for data sales and targeted ads, enforcing data protection assessments for high-risk processing, and mandating opt-in consent for sensitive data. It closely aligns with Virginia’s law but includes stricter enforcement measures and broader consumer rights.
Consumer: A resident of Montana acting in an individual or household context, excluding those acting in commercial or employment contexts.
Personal data: Information linked or reasonably linkable to an identified or identifiable individual, excluding de-identified data or publicly available information.
Sensitive data: A subset of personal data including information on racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship or immigration status, genetic or biometric data for unique identification, and data collected from children under 13 years of age.
Controller: An individual or entity that determines the purpose and means of processing personal data.
Processor: An individual or entity that processes personal data on behalf of a controller.
Sale of personal data: The exchange of personal data for monetary or other valuable consideration to a third party, with specific exceptions such as disclosures to processors or affiliates.
Consent: A clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to process their personal data, excluding acceptance obtained through general terms or dark patterns.
Who must comply with MCDPA?
The Montana Consumer Data Privacy Act (MCDPA) applies to businesses that:
Conduct business in Montana or target Montana residents, and
Control or process personal data of at least 50,000 consumers annually, or
Control or process personal data of at least 25,000 consumers and derive over 25% of gross revenue from data sales.
MCDPA exemptions
​The Montana data privacy law includes specific exemptions:​
Entities: Exemptions apply to state agencies, nonprofits, higher education institutions, and financial institutions subject to the Gramm-Leach-Bliley Act (GLBA).
Companies have a 60-day cure period to address violations before enforcement actions begin.
No private right of action (i.e., consumers cannot sue businesses directly).
Is MCDPA opt-in or opt-out?
The Montana Consumer Data Privacy Act (MCDPA) primarily follows an opt-out model for most data processing activities but requires opt-in consent for sensitive data.
Opt-Out Provisions
Consumers must take action to opt out of:
Targeted advertising
Sale of personal data
Certain types of profiling
Businesses must implement a universal opt-out mechanism by January 1, 2025, allowing consumers to opt out through browser settings or other automated means.
Opt-In Requirement for Sensitive Data:
Businesses must obtain explicit opt-in consent before processing:
Racial or ethnic origin
Religious beliefs
Health data
Sexual orientation
Precise geolocation data
Biometric or genetic data
The price of non-compliance
Failure to comply with the MCDPA can result in legal and financial consequences, including enforcement actions by the Attorney General and potential civil penalties.
MCDPA Fines & Penalties
The Montana Consumer Data Privacy Act (MCDPA) is enforced exclusively by the Montana Attorney General, with the following fines and penalties:
Cure period
Businesses found violating the law must be given a 60-day cure period to address non-compliance before enforcement actions begin. The cure provision will terminate on April 1, 2026 (eighteen months after the law goes into effect).
MCDPA penalties
Businesses that fail to comply after the 60-day cure period may face:
Fines of up to $7,500 per violation (each affected consumer could count as a separate violation).
Additional penalties for ongoing or repeated violations.
Legal and reputational risks
Investigations and legal actions by the Attorney General could lead to costly litigation.
Damage to brand reputation if consumers lose trust in the company’s data practices.
Loss of business partnerships, as many companies prefer to work with privacy-compliant vendors.
No private right of action
Unlike California’s CCPA, Montana’s law does not allow consumers to sue businesses directly.
Only the Attorney General can take enforcement action.
The impact of MCDPA on businesses
Businesses subject to the Montana Consumer Data Privacy Act (MCDPA) must follow a range of compliance requirements to protect consumer data and uphold privacy rights. These obligations include transparency in data practices, honoring consumer rights, implementing security measures, and ensuring responsible data processing.
What are the MCDPA requirements for businesses?
To comply with MCDPA, businesses must ensure the following:
Privacy notices: Businesses must provide clear and transparent privacy policies explaining data collection, usage, and consumer rights.
Universal opt-out: Businesses must implement a universal opt-out mechanism, allowing consumers to opt out via browser settings or other automated tools.
Data minimization: Businesses can only collect personal data necessary for disclosed purposes.
Security measures: Companies must take reasonable steps to protect consumer data.
Sensitive data restrictions: Businesses must obtain explicit opt-in consent before processing sensitive data (e.g., health, biometric, geolocation).
Data protection assessments: Required for high-risk processing activities, including targeted advertising and profiling.
The impact of MCDPA on consumers
Understanding Montana consumer rights
The MCDPA strengthens consumer privacy rights, giving individuals greater control over their personal data. Residents can access, correct, delete, and obtain a copy of their personal data, ensuring transparency in how businesses handle their information.
Additionally, they have the right to opt out of targeted advertising, data sales, and certain types of profiling, reducing unwanted tracking and personalized marketing. The law also mandates a universal opt-out mechanism, making it easier for consumers to enforce their choices without manually opting out from each business.
MCDPA also enhances protections for sensitive data, requiring businesses to obtain explicit opt-in consent before processing information related to health, biometric data, precise location, and other highly personal categories.
These safeguards help prevent unauthorized use of private information and minimize the risk of data exploitation. With stronger security requirements and accountability measures in place, consumers can expect greater transparency, improved privacy protections, and more control over their online footprint as businesses work to comply with the new regulations.
How MCDPA compares to other U.S. data privacy laws
The MCDPA aligns closely with other state-level privacy laws, particularly those in Connecticut, Virginia, and Colorado, while differing from more stringent regulations like California’s CCPA/CPRA.
Like many other state laws, MCDPA follows a rights-based model, granting consumers the ability to access, correct, delete, and opt out of data sales and targeted advertising. It also requires businesses to implement a universal opt-out mechanism similar to Colorado and Connecticut.
MCDPA vs other state privacy laws

| State | Scope | Effective Date | Key Features | Penalties for Non-Compliance |
| --- | --- | --- | --- | --- |
| Montana (MCDPA) | Montana residents | October 1, 2024 | Consumer rights, opt-out of targeted advertising, consent for sensitive data | Up to $7,500 per violation |
| Rhode Island (RIDTPPA) | Rhode Island residents | January 1, 2026 | Consumer rights to access, delete, and opt out of targeted advertising and data sales | Up to $10,000 per violation |
| Kentucky (KCDPA) | Kentucky residents | January 1, 2026 | Consumer rights, opt-out of targeted advertising and data sales, data protection assessments | Up to $7,500 per violation |
| Indiana (ICDPA) | Indiana residents | January 1, 2026 | Consumer rights, opt-out of targeted advertising, consent for sensitive data | Up to $7,500 per violation |
| Connecticut (CTDPA) | Connecticut residents | July 1, 2023 | Opt-out for targeted ads and data sales; requires data protection assessments; expanded consumer rights | Up to $5,000 per violation |
| Colorado (CPA) | Colorado residents | July 1, 2023 | Opt-out for targeted advertising; sensitive data consent; data protection assessments | Up to $20,000 per violation |
| California (CCPA/CPRA) | California residents | January 1, 2023 | Right to access, delete, opt-out; data protection assessments; enforcement includes private right of action | Up to $7,500 per violation |
| Virginia (VCDPA) | Virginia residents | January 1, 2023 | Opt-out rights, data protection assessments, strong consumer rights | Up to $7,500 per violation |
| Texas (TDPSA) | Texas residents | July 1, 2024 | Consumer rights, data protection, opt-out of data sales | Up to $7,500 per violation |
| Oregon (OCPA) | Oregon residents | July 1, 2024 | Strong consumer rights, opt-out options, data minimization | Up to $7,500 per violation |
| Iowa (ICDPA) | Iowa residents | January 1, 2025 | Data protection, opt-out of data sharing | Up to $7,500 per violation |
| Montana (MCDPA) | Montana residents | October 1, 2024 | Consumer rights, opt-out options, sensitive data consent | Up to $7,500 per violation |
| New Jersey (NJDPA) | New Jersey residents | January 15, 2025 | Right to access, correct, delete data; opt-out of targeted advertising | Up to $10,000 per violation |
What makes MCDPA stand out?
While MCDPA introduces strong consumer protections, it generally strikes a business-friendly balance compared to California’s more aggressive enforcement approach, making it more similar to Colorado, Virginia, and Connecticut’s privacy laws than to CCPA/CPRA.
What are the differences between MCDPA and CCPA?
Unlike California’s opt-out for sensitive data, MCDPA requires opt-in consent for processing biometric, health, and other sensitive data, putting it in line with Virginia’s model.
One key difference between MCDPA and CCPA/CPRA is enforcement—Montana does not allow a private right of action, meaning consumers cannot sue businesses directly, whereas California permits legal action for certain data breaches.
MCDPA also grants expanded consumer rights, including access, correction, deletion, and data portability, which are standard in most state-level privacy laws. However, unlike California’s CCPA/CPRA, MCDPA does not include a broad right to opt out of all data sharing—it specifically focuses on data sales, targeted ads, and profiling.
What are the differences between MCDPA and GDPR?
MCDPA and GDPR both grant consumer rights like access, correction, deletion, and data portability, but GDPR applies globally to any business processing EU data, while MCDPA applies only to qualifying businesses in Montana.
GDPR requires opt-in consent for most data processing, whereas MCDPA is primarily opt-out, except for sensitive data. GDPR has stricter fines and no cure period, unlike MCDPA’s 60-day cure period (which expires on April 1, 2026).
How to ensure MCDPA compliance
If you’ve read this far, you know that building a privacy-compliant business is important, but also far from easy. Here are eight key steps every business should take to ensure they don’t fall foul of regulators:
What is MCDPA compliance
MCDPA compliance means businesses follow the Montana Consumer Data Privacy Act by respecting consumer rights (access, correction, deletion, portability), enabling opt-outs for data sales, targeted ads, and profiling, obtaining opt-in consent for sensitive data, conducting data protection assessments, and ensuring privacy policies and security measures meet legal standards.
How to comply with MCDPA
To comply with MCDPA, you must:
Assess applicability: Determine if your business meets the MCDPA thresholds (processing data of 50,000+ residents or 25,000+ with data sales).
Update privacy policies: Clearly disclose data collection, use, and consumer rights.
Implement consumer rights mechanisms: Allow users to access, correct, delete, and export their data.
Enable opt-outs: Provide opt-outs for targeted ads, data sales, and profiling, including a universal opt-out mechanism by January 1, 2025.
Obtain consent for sensitive data: Get explicit opt-in consent for processing biometric, health, or geolocation data.
Conduct data protection assessments: Evaluate risks in high-impact data processing activities.
Strengthen security measures: Protect consumer data with reasonable safeguards.
Monitor compliance: Train staff, review policies regularly, and prepare for Attorney General enforcement.
How Ketch can simplify MCDPA compliance
Using the Ketch Platform, you can automate and streamline RIDTPPA compliance with:
Consent management: Enables businesses to collect and track opt-in consent for sensitive data processing.
When you automate these processes, you enable your internal stakeholders:
Your developers and marketers can do their jobs without fretting about regulations
Your legal team can set guidelines for notice and consent, secure in the knowledge that any changes they make will ripple through your whole data ecosystem (including vendors or third-party companies using your data!)
Final thoughts: Preparing your business for MCDPA
Now that the MCDPA is in effect, businesses must proactively adjust their data privacy practices to meet its requirements. Compliance goes beyond meeting legal obligations—it involves fostering a culture of data protection and consumer trust. Staying updated on regulatory changes and continuously improving privacy measures will be essential as laws evolve.
Contact Ketch today to streamline your compliance and future-proof your privacy strategy.
Ketch supports compliance with major privacy laws, including GDPR, CCPA, CPRA, and various emerging US state laws, ensuring businesses meet global and local data privacy requirements.
Does MCDPA apply to small businesses? MCDPA applies only to businesses that process 50,000+ Montana residents’ data or 25,000+ residents with data sales making up 25%+ of revenue. Small businesses below these thresholds are exempt unless they voluntarily comply. Read more: MCDPA: What it means for small businesses
Does MCDPA regulate employee or business-to-business (B2B) data? No, MCDPA only protects consumer data, meaning it does not apply to employee data or B2B transactions, unlike California’s CCPA/CPRA, which includes certain employee and B2B data protections.
How does MCDPA define “sale” of personal data? MCDPA defines a sale as the exchange of personal data for monetary consideration (money). This is narrower than California’s CCPA, which also includes data exchanged for “valuable consideration.”
Does MCDPA require businesses to appoint a Data Protection Officer (DPO)? No, unlike GDPR, MCDPA does not require a dedicated DPO. However, businesses processing high-risk data should designate a compliance lead to handle privacy obligations.
Are businesses required to conduct Privacy Impact Assessments (PIAs)? Yes, MCDPA mandates Data Protection Assessments for high-risk processing activities, such as targeted advertising, profiling, and handling sensitive data, similar to Colorado’s CPA and Virginia’s VCDPA.
How does MCDPA affect third-party data sharing? Businesses must disclose third-party data sharing in their privacy policies and allow consumers to opt out of data sales. Contracts with vendors processing personal data should include privacy and security obligations.
Does MCDPA have a data retention requirement? While it doesn’t mandate specific retention periods, MCDPA enforces data minimization, meaning businesses must only keep personal data as long as necessary for the disclosed purpose.
How does MCDPA handle children’s data? MCDPA follows federal COPPA (Children’s Online Privacy Protection Act) guidelines, requiring parental consent before collecting data from children under 13 years old. It does not include extra protections for teens like California’s CPRA.
Does MCDPA apply to businesses outside of Montana? Yes, MCDPA applies to any business processing Montana residents’ data, even if the company is headquartered elsewhere, similar to GDPR’s extraterritorial scope.
What should businesses do if they receive a consumer request? Businesses must verify the consumer’s identity, respond within 45 days, and provide the requested data or confirmation of action. They can extend the deadline by 45 more days if necessary but must notify the consumer.
Jack Carvel is Head of Legal and DPO at Ketch, helping global SaaS companies operationalize privacy, data governance, and AI responsibly. Jack is a dual-qualified privacy attorney with 10+ years of experience.
Automate your privacy compliance with Ketch
Risk of regulatory action or fine is no longer an unlikely, empty threat—regulators across Europe and now the United States are charging brands with irresponsible handling of consumer data.
Your knowledge of the regulations and requirements for your business may be the difference maker in ensuring your brand reputation stays intact. Ketch can help.