Deciphering whether a new data privacy law applies to your business can feel like trying to solve a puzzle.
The Montana Consumer Data Privacy Act (MTCDPA) is no different, but it lays out clear rules. Let's break down exactly who needs to comply, the important deadlines, and who is exempt.
Think of the MTCDPA's requirements as a checklist. If your business checks just one of the following two boxes, you need to bring your data handling practices into compliance.
The law applies to any company that conducts business in Montana or produces products or services targeted to Montana residents and:
controls or processes the personal data of at least 50,000 consumers, or
controls or processes the personal data of at least 25,000 consumers and derives over 25% of its gross revenue from selling personal data.
Let's quickly define those terms. A "consumer" here is simply a resident of Montana. "Personal data" is any information that can be linked to an identifiable person—from an email address to browsing history collected by cookies.
A "sale" isn't just a direct cash transaction; it's the exchange of personal data for money or "other valuable consideration."
This broad definition means many common digital marketing practices could be considered a sale.
Unlike some other state laws, Montana's act doesn't have a revenue threshold.
A small business could easily meet the 50,000-consumer mark, making it crucial not to ignore privacy regulations based on your company's size alone.
The focus is on the volume and use of data you handle.
Mark your calendars. The Montana Consumer Data Privacy Act goes into full effect on October 1, 2024.
This is the hard deadline by which your business must be fully compliant.
That means your privacy policy must be updated, your mechanisms for handling consumer rights requests must be operational, and your cookie banner must function correctly.
There's a second key date to be aware of: January 1, 2025. By this date, businesses must recognize universal opt-out mechanisms.
This is a technical standard that allows users to signal their privacy preferences across all websites they visit through their browser settings, often known as the Global Privacy Control (GPC).
Getting this right requires a robust technical solution, which is where a certified CMP can be invaluable.
Not every organization is covered by the MTCDPA.
The law carves out several exemptions, largely to avoid creating redundant rules for industries that are already heavily regulated.
The following types of entities are generally exempt from the MTCDPA:
Government agencies
Non-profit organizations
Institutions of higher education
Financial institutions covered by the Gramm-Leach-Bliley Act
Entities subject to federal health privacy law (HIPAA)
Additionally, the law doesn't apply to certain types of data, such as health records governed by HIPAA or personal information used in an employment context (e.g., employee data).
For most for-profit businesses that meet the thresholds mentioned earlier, however, compliance will be mandatory.
Montana's approach to consent fundamentally changes how your website can interact with visitor data.
Unlike the strict "opt-in" model of Europe's GDPR for cookies, the MTCDPA primarily uses an "opt-out" framework. Understanding this distinction is the key to compliance.
In an "opt-out" system, you can collect and process most types of personal data by default, but you must give consumers a clear and easy way to say "no."
Think of it this way: under this model, you don't have to ask for permission before placing most marketing or analytics cookies.
However, your visitors have the absolute right to refuse them.
Your responsibility is to make that choice readily available. This is where the modern cookie notice/banner becomes essential.
It’s no longer just a passive notice; it’s an active rights-management tool.
Your website’s banner must provide a conspicuous link for users to opt out of the sale of their data and targeted advertising.
The operation behind this banner needs to be robust, ensuring that when a user opts out, the corresponding scripts and tags are actually disabled.
The "opt-out" rule has one very important exception: sensitive data.
For this specific category of information, you must get explicit, affirmative consent before you collect or process it. This is known as an "opt-in" model.
Sensitive data under the MTCDPA includes information that reveals:
Racial or ethnic origin
Religious beliefs
A mental or physical health diagnosis
Sexual orientation or citizenship status
Genetic or biometric data
Precise geolocation data
Personal data from a known child under 13
For this information, silence does not equal consent. You must ask for a clear "yes" from the user.
This requires a much more specific function from your consent tool than a standard opt-out banner.
A comprehensive CMP is designed to handle these different legal basis requirements seamlessly.
The MTCDPA provides heightened protections for young people, creating a two-tiered system that businesses must respect.
For children under 13: The law aligns with the federal Children’s Online Privacy Protection Act (COPPA).
You must obtain verifiable consent from a parent or guardian before collecting any personal data from a known child.
This is a strict parental opt-in.
For minors between 13 and 16: This is a key difference from many other state laws.
You must obtain the minor's own "opt-in" consent before selling their personal data or using it for targeted advertising.
The operational challenge here is knowing a visitor's age.
This difficulty underscores the importance of adopting a "privacy by default" approach, a core principle of Privacy by Design, to minimize data collection risks.
Since opting out of these two activities is a core consumer right, it's vital to understand what they mean in practical terms.
Targeted Advertising: This is defined as displaying ads to a consumer based on their personal data obtained from their activities over time and across non-affiliated websites.
In short, it’s the technology that makes ads "follow" you from site to site.
Sale of Personal Data: This isn't just selling a customer list for cash. The MTCDPA defines it as "the exchange of personal data for monetary or other valuable consideration."
This broad language can cover many common data-sharing agreements in the digital marketing ecosystem that provide a mutual benefit to the parties involved.
Understanding what you need is the first step when thinking about how to choose a CMP for your business.
Achieving compliance with a new privacy law can feel like a major project, but it doesn't have to be overwhelming.
By breaking it down into a clear, manageable action plan, you can ensure your website and business practices are ready. Here are four essential steps to take.
Your privacy policy is the cornerstone of your transparency with customers.
It's the single most important document for explaining your data practices in plain language.
Under the MTCDPA, your privacy policy must be updated to clearly state:
The categories of personal data you collect (e.g., names, emails, cookie data).
Your purpose for processing that data.
The categories of data you share with or sell to third parties.
The rights consumers have under the new law (access, correction, deletion, opt-out).
Clear instructions on how consumers can exercise those rights.
Take the time to review your current policy. Is it easy to understand?
Does it accurately reflect all your data collection activities, including those from analytics and advertising cookies?
Creating the ideal privacy policy is about clarity and honesty, not just legal jargon.
A policy is a promise; a consent management tool is how you keep it.
To comply with the MTCDPA's opt-out requirements, you need a technical solution that can manage user preferences and control the behavior of cookies and trackers on your site.
This is where a Consent Management Platform (CMP) becomes critical.
A professional CMP does much more than a basic WordPress cookie plugin. It handles the entire lifecycle of consent by:
Displaying a clear and compliant cookie banner.
Providing users with an easy-to-access way to opt out of targeted advertising and the sale of their data.
Automatically blocking or allowing tracking tags based on the user's choice.
Recording consent choices to provide an audit trail for your business.
Choosing a Google-certified CMP like AdOpt ensures the technical operation of your consent mechanism is robust and aligned with industry standards and legal requirements.
The MTCDPA empowers consumers to take control of their data.
As a business, you must be ready to respond to their requests, often called Data Subject Requests or DSRs.
You need a reliable internal process for handling requests to:
Access: "Show me the personal data you have about me."
Correct: "Please fix the inaccurate information you hold on me."
Delete: "Erase my personal data from your systems."
Opt-Out: "Stop using my data for targeted ads or selling it."
To do this effectively, you need to know what data you have and where it is. This is why conducting a data mapping exercise is a foundational step.
You should also designate a person or team, like a Data Protection Officer, to oversee this process and ensure requests are handled within the legally required 45-day timeframe.
For certain activities, the MTCDPA requires you to perform a "Data Protection Assessment" (DPA).
Think of this as a formal risk assessment that you document internally.
You are required to conduct a DPA for processing activities that present a "heightened risk of harm" to a consumer.
Under the law, this includes:
Processing personal data for targeted advertising.
Selling personal data.
Processing sensitive data.
Using personal data for profiling that could produce significant legal or financial effects.
The assessment involves weighing the benefits of your data processing against the potential risks to consumer privacy and outlining the steps you're taking to mitigate those risks.
It’s a practical exercise in applying the principles of Privacy by Design and demonstrates that you are proactively managing your data responsibilities.
The Montana Consumer Data Privacy Act is built on a foundation of consumer empowerment.
It grants Montana residents a specific set of rights to control their personal data, and it places a legal duty on your business to honor those rights promptly and efficiently.
Understanding these rights is fundamental to your compliance strategy.
Think of this as the right to "see and fix."
Consumers can ask you to confirm whether you are processing their data and request a copy of the exact personal information you hold about them.
If they find that information is inaccurate—a misspelled name, an old address—they have the right to request a correction.
For your business, this means you need to have a clear view of your data.
Fulfilling an access request is only possible if you’ve done the work of data mapping to know exactly what customer data you store and where you store it.
This is the consumer's right to be forgotten.
A Montana resident can request that you erase the personal data you have collected from them.
This is one of the most significant rights and requires a robust internal process to execute properly.
When you receive a deletion request, you must remove that individual's personal data from your systems, from your CRM to your email marketing lists.
While there are some exceptions (for example, if you need the data to complete a transaction or comply with another legal obligation), the default expectation is deletion.
The right to portability is the right for a consumer to take their data with them.
Upon request, you must provide them with a copy of their personal data in a common, easily usable, and machine-readable format (like a CSV file).
A simple analogy is getting your medical records from an old doctor to give to a new one.
The file must be structured and portable. This right ensures that consumers aren't locked into a service simply because their data is.
For your business, this requires the technical ability to export an individual's data cleanly from your systems.
This is the central right that directly impacts your website's use of cookies and your digital marketing efforts.
Consumers can direct your business to stop processing their data for three specific purposes:
Sale of Personal Data: As a reminder, this is broadly defined as exchanging data for money or other valuable benefits.
Targeted Advertising: Using data collected from a person’s activity across different websites to serve them personalized ads.
Profiling: Any automated decision-making that has a legal or similarly significant effect on the consumer.
To honor these opt-out rights, especially for targeted advertising, you need a technical solution.
When a user opts out, your website must automatically disable the advertising tags and cookies.
This is precisely what a Consent Management Platform (CMP) is designed to do, making it an essential tool for MTCDPA compliance.
Knowing how to choose a CMP is a critical step in preparing your business.
Understanding the rules is half the battle; knowing the consequences of breaking them is the other half.
The Montana Consumer Data Privacy Act (MTCDPA) lays out a specific process for enforcement that every business should be aware of.
While it offers some initial flexibility, ignoring your privacy obligations is not a viable strategy.
Unlike some privacy laws, the MTCDPA does not allow for a "private right of action."
In simple terms, this means individual consumers cannot sue your business directly for a violation.
Instead, the Montana Attorney General has the sole and exclusive authority to enforce the law.
If a consumer believes a business has violated their rights, they can file a complaint with the Attorney General's office.
The AG's office will then review the complaint and decide whether to investigate and take action on behalf of the state.
While this may seem less direct, an official investigation from the state's top law enforcement office is a serious matter that can consume significant time and resources.
The MTCDPA includes a business-friendly feature called a "right to cure," but it comes with an expiration date.
If the Attorney General determines that your business is in violation, they will provide you with a written notice.
From the moment you receive that notice, you have 60 days to "cure" the violation.
This means you must fix the issue and provide the Attorney General's office with a written statement confirming that the violation has been resolved and that you've put measures in place to prevent it from happening again.
However, this safety net is temporary. This right to cure expires on April 1, 2026.
After that date, the Attorney General is no longer required to offer a 60-day warning and can proceed directly to an enforcement action.
It’s crucial to treat compliance as a day-one priority, not something to be fixed only after you get caught.
This is the question on every business owner's mind.
Interestingly, the MTCDPA does not specify exact dollar amounts for fines in the way that laws like the GDPR do.
However, a lack of a specific fine schedule does not mean there are no financial consequences.
If a business fails to cure a violation within the 60-day period (or if a violation occurs after the cure period expires), the Attorney General is authorized to bring a legal action against the company.
This action could result in a court-ordered injunction, forcing you to change your data practices, and could include civil penalties deemed appropriate by the court.
The key takeaway is that the financial and operational risks are real.
The most effective way to avoid penalties is to build a proactive compliance framework with a clear privacy policy and the right technology, like a professional CMP, to manage your obligations correctly from the start.
The MTCDPA takes effect on October 1, 2024. Businesses have an additional deadline of January 1, 2025, to recognize universal opt-out signals like the Global Privacy Control (GPC).
Your business must comply if it operates in Montana or targets its residents and meets one of two conditions:
It controls or processes the personal data of at least 50,000 consumers.
It controls or processes the personal data of at least 25,000 consumers and derives over 25% of its gross revenue from selling personal data.
Sensitive data is personal information that requires higher protection. Under the MTCDPA, this includes data revealing:
Racial or ethnic origin
Religious beliefs
A mental or physical health diagnosis
Sexual orientation or citizenship status
Genetic or biometric data
Precise geolocation data
Personal data from a known child under 13
You have 45 days to respond to a consumer's request.
This period can be extended once by an additional 45 days when reasonably necessary, as long as you inform the consumer of the extension.
The Montana Attorney General has the sole authority to enforce the law.
Initially, businesses are given a 60-day "cure period" to fix any violations. This grace period, however, expires on April 1, 2026.
After that date, or if a violation isn't fixed, the Attorney General can take legal action. The law does not specify exact fine amounts.
Yes. The MTCDPA requires you to obtain clear, affirmative "opt-in" consent from a consumer before you can collect or process any of their sensitive personal data.
Yes. By January 1, 2025, your website must be able to recognize and honor universal opt-out mechanisms like the GPC, which allow users to signal their privacy choices through their browser settings.
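As an added example that is not the article's or AdOpt's code, the following JavaScript shows how a site can recognize the GPC signal just described and, as the opt-out sections above require, keep targeted-advertising and data-sale tags from loading while an opt-out is in force, recording the decision for the audit trail. The category names, the shape of the stored banner choices, and the sample tag list are my assumptions, not from the article.

```javascript
// Added example (not AdOpt's or the article's code): gating a site's tags under the
// MTCDPA opt-out model while honoring the Global Privacy Control (GPC) signal.
// Assumptions (mine): tags are grouped into the categories below, the banner stores
// choices as { sale, targetedAdvertising } booleans, and an active GPC signal counts
// as an opt-out of both regardless of earlier banner choices.

// Which opt-out right, if any, governs each tag category.
const CATEGORY_SCOPE = {
  essential: null,                 // login, cart: never gated by an opt-out
  analytics: null,                 // first-party measurement, no cross-site ads, no sale
  targetedAdvertising: "targetedAdvertising",
  dataSale: "sale",
};

// Browser-side GPC check: navigator.globalPrivacyControl is true when the user has
// enabled the signal; the same preference reaches servers as the `Sec-GPC: 1` header.
function readGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Combine the universal opt-out signal with the choices stored by the banner.
function resolveOptOuts(gpcOn, bannerChoices) {
  const optOut = { sale: false, targetedAdvertising: false, source: "default" };
  if (bannerChoices) {
    optOut.sale = bannerChoices.sale === true;
    optOut.targetedAdvertising = bannerChoices.targetedAdvertising === true;
    optOut.source = "banner";
  }
  if (gpcOn) {
    // A universal opt-out can only add opt-outs; it never re-enables a blocked category.
    optOut.sale = true;
    optOut.targetedAdvertising = true;
    optOut.source = bannerChoices ? "banner+gpc" : "gpc";
  }
  return optOut;
}

// Decide per tag whether it may load. Tags with an undeclared category are blocked so
// that a mis-tagged script fails closed instead of silently running.
function gateTags(tags, optOut) {
  const load = [];
  const block = [];
  for (const tag of tags) {
    const scope = CATEGORY_SCOPE[tag.category];
    const blocked = scope === undefined || (scope !== null && optOut[scope]);
    (blocked ? block : load).push(tag.id);
  }
  return { load, block };
}

// Audit-trail entry for one decision (the article's "recording consent choices").
function consentRecord(optOut, decision, now) {
  return {
    recordedAt: now.toISOString(),
    source: optOut.source,
    optOut: { sale: optOut.sale, targetedAdvertising: optOut.targetedAdvertising },
    blockedTags: decision.block,
  };
}

// Constructed sample tag registry, as a CMP might hold it.
const SAMPLE_TAGS = [
  { id: "session-cookie", category: "essential" },
  { id: "site-analytics", category: "analytics" },
  { id: "retargeting-pixel", category: "targetedAdvertising" },
  { id: "data-broker-sync", category: "dataSale" },
  { id: "mystery-script", category: "undeclared" },
];
```

In a page, `resolveOptOuts(readGpc(navigator), storedChoices)` runs before any tag loader, and only the `load` list is handed to it.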
Yes. The law exempts certain types of entities and data, including:
Government agencies
Non-profit organizations
Institutions of higher education
Financial institutions covered by the Gramm-Leach-Bliley Act
Entities subject to federal health privacy law (HIPAA)
Platforms like AdOpt help you comply without complicating your site.