Montana joins states in strengthening data privacy: Introducing the MCDPA

Pandectes GDPR Compliance for Shopify Stores - Montana joins states in strengthening data privacy- Introducing the MCDPA - Cover

Table of Contents


With the increasing prevalence of data breaches and privacy violations, many states in the United States have taken proactive measures to safeguard the privacy rights of their constituents. One of the most significant steps toward achieving this goal is the implementation of comprehensive data privacy laws. Recently, on May 23, 2023, the state of Montana joined the ranks of such states by enacting the Consumer Data Privacy Act (MCDPA).

This groundbreaking legislation aims to provide robust protection to consumers’ personal data while concurrently establishing a framework for businesses to comply with the latest data consumer privacy laws and regulations. The MCDPA is a significant milestone in the ongoing struggle to safeguard individual privacy rights in the digital age. It represents a crucial step forward in ensuring that individuals are protected from data breaches and privacy violations.

Understanding the Montana Consumer Data Privacy Act (MCDPA)

As a Montana resident, you can rest assured that your personal data collected is protected by the Montana Consumer Data Privacy Act (MCDPA). This comprehensive data privacy law is a testament to the state’s unwavering commitment to safeguarding consumer rights in the ever-evolving digital landscape. The MCDPA lays out strict guidelines for businesses when it comes to processing personal data, with a strong emphasis on transparency, consent, and robust security measures.

The scope and applicability of the MCDPA

The MCDPA applies to both businesses based in Montana and those outside the state that handle the personal data of Montana residents. To fall under the law’s purview, businesses must meet specific criteria:

  1. Processing personal data: The Montana Consumer Data Protection Act (MCDPA) mandates that businesses that handle the personal data of 50,000 or more Montana residents (excluding personal data controlled exclusively for the intent of assembling a payment transaction) in a given year must comply with its provisions. The law aims to safeguard the privacy and security of individual’s personal information and requires businesses to implement measures to prevent unauthorized access, use, or disclosure of such data. The MCDPA’s scope covers a wide range of entities, including companies operating both online and offline, and it applies to businesses that collect, sell, or share personal information, such as names, addresses, Social Security numbers, and financial data.

  2. Revenue threshold: In accordance with the Montana Consumer Data Privacy Act (MCDPA), companies that derive more than 25% of their revenue from the sale of personal data are required to comply with the Act’s regulations if they process the personal data of 25,000 or more Montana residents within a single year. This means that such businesses must adhere to the MCDPA’s guidelines for handling and protecting consumer data, ensuring the privacy and security of their customer’s sensitive information.

It is important to note that certain entities, such as nonprofits, educational institutions, and entities complying with the Health Insurance Portability and Accountability Act (HIPAA), are exempt from the MCDPA’s requirements.

Pandectes GDPR Compliance for Shopify Stores - Montana joins states in strengthening data privacy- Introducing the MCDPA - laptop

Defining personal data under the MCDPA

According to the MCDPA, personal data refers to any information that can be linked to a specific person. This covers a variety of data types, such as names, addresses, social security numbers, and financial information, to name a few. It’s important to note that publicly available or deidentified data is not included in this definition.

Sensitive data protection

The MCDPA places a strong emphasis on safeguarding sensitive data, which encompasses a range of personal information such as genetic or biometric data, racial or ethnic origin, religious beliefs, and physical health diagnoses. This includes implementing robust security measures and ensuring responsible handling of such data throughout its lifecycle, from collection to storage and eventual disposal. The MCDPA seeks to create a safe and secure environment for individuals, protecting their fundamental rights to privacy and confidentiality.

The rights of Montana consumers

The MCDPA grants several essential rights to Montana consumers concerning the processing of their personal data:

  1. Consent and revocation: Consumers have the right to provide informed consent before their personal data is processed. They also retain the right to revoke their consent at any time.

  2. Data deletion: Consumers can request the deletion of their personal data from a business’s records, ensuring that data is not retained indefinitely.

  3. Universal Opt-Out Mechanisms (UOOMs): The MCDPA recognizes and upholds universal opt-out mechanisms, allowing consumers to easily opt out of various data processing activities.

  4. Data portability: Montana consumers have the right to request and receive their personal data in a portable format, empowering them to move their data from one service provider to another.

  5. Consumer requests: Businesses must respond promptly and appropriately to consumer requests related to their personal data.

Obligations of businesses under the MCDPA

To comply with the MCDPA, businesses must adhere to a series of requirements and practices aimed at protecting consumer data and privacy:

  1. Data protection assessments: Businesses must conduct data protection assessments to identify and mitigate potential risks associated with data processing activities.

  2. Physical data security practices: Adequate physical security measures must be in place to protect consumers’ personal data from unauthorized access or breaches.

  3. Reasonably comparable scope: The MCDPA aligns with data privacy laws in other states, ensuring that businesses can implement consistent compliance strategies.

  4. Comprehensive data privacy law: The MCDPA provides a comprehensive framework for data privacy, enabling businesses to meet regulatory requirements effectively.

Pandectes GDPR Compliance for Shopify Stores - Montana joins states in strengthening data privacy- Introducing the MCDPA - Montana

Enforcement and compliance

It is imperative for businesses operating in Montana to familiarize themselves with the Montana Consumer Protection Act (MCDPA) and its enforcement by the Attorney General. The MCDPA is designed to ensure that companies are held accountable for any violations of consumer protection laws. However, it also provides a cure period for businesses to rectify any issues before penalties are imposed. It should be noted that the MCDPA will come into effect from October 1, 2024, giving businesses ample time to prepare and make necessary adjustments to comply with the new regulations. It is vital for businesses to stay updated with the latest information regarding the MCDPA to avoid any legal issues and maintain consumer trust.

Children’s privacy additions

In line with the progressive moves taken by California and Connecticut, the MCDPA has introduced further measures to protect the privacy of children aged between 12 and 15. Specifically, the controller of personal data is now required to identify and flag any individuals who are under 18 years of age and, if such identification is made, must obtain explicit consent before processing any of their personal data for the purposes of targeted advertising or selling that data to other parties. In addition, any personal information relating to children may be considered “sensitive information” per the relevant definition. These measures represent an important step forward in safeguarding the privacy and interests of young people in today’s digital age.

Impacts on data processors (vendors)

As per the regulations of the MCDPA, vendors who act as data processors are required to adhere to certain obligations. These obligations include following instructions given by the data controller and providing assistance to the data controller in meeting compliance requirements. The MCDPA also outlines the specific requirements that must be included in the data processing agreement between the data controller and data processor. By fulfilling these duties, data processors can contribute to the overall protection of sensitive information and ensure that all parties involved are operating in compliance with relevant laws and regulations.

Pandectes GDPR Compliance for Shopify Stores - Montana joins states in strengthening data privacy- Introducing the MCDPA - Archive

The impact of the Montana Consumer Data Privacy Act (MCDPA)

The enactment of the MCDPA has significant implications for both businesses and consumers within and beyond Montana’s borders. Here’s a closer look at its impact:

Strengthening consumer privacy rights

The MCDPA is a critical step toward strengthening consumer privacy rights in Montana. By providing consumers with control over their personal data and granting them essential rights, the law empowers individuals to make informed choices about the use and processing of their information.

Increased accountability for businesses

Businesses that process the personal data of Montana residents are now subject to greater scrutiny and accountability. Compliance with the MCDPA requires a thorough understanding of data privacy regulations, fostering a culture of data protection and security within organizations.

Streamlining data privacy practices

The MCDPA’s alignment with data privacy laws in other states streamlines data privacy practices for businesses operating across multiple jurisdictions. Implementing consistent data protection measures not only ensures compliance with the MCDPA but also simplifies compliance with other state privacy laws.

Heightened focus on data security

With the MCDPA’s emphasis on data protection assessments and physical data security practices, businesses are prompted to prioritize data security. The law compels organizations to assess potential risks and implement robust security measures to safeguard sensitive information.

Universal Opt-Out Mechanisms (UOOMs)

The recognition of universal opt-out mechanisms in the MCDPA simplifies the process for consumers to exercise their right to opt out of data processing activities. This increased transparency and consumer control over data usage foster greater trust between businesses and their customers.

Potential challenges and compliance efforts

While the MCDPA aims to enhance data privacy, businesses may face some challenges in ensuring compliance with the law. The implementation of new policies and procedures may require substantial efforts and resources. However, the benefits of complying with the MCDPA, such as enhanced consumer trust and streamlined privacy practices, outweigh the challenges.


The Montana Consumer Data Privacy Act (MCDPA) is a pivotal piece of legislation in the world of data privacy laws within the United States. This Act takes a detailed and comprehensive approach to safeguarding consumer rights and defining what constitutes personal data. It serves as a model for other states considering implementing similar legislation. With a deadline of October 1, 2024, businesses are required to adapt to the new regulatory landscape, ensuring they prioritize transparency, data security, and consumer-focused data processing practices. This deadline is fast approaching, and it is crucial that businesses take the necessary steps to comply with these regulations.

Make your Shopify Store GDPR/CCPA compliant today
Pandectes GDPR Compliance App for Shopify
Subscribe to learn more

You Might Also Like

Scroll to Top