Data privacy has become a growing concern for consumers as more sensitive content like personally identifiable information and protected health information (PII/PHI) comes online. In response, many states have passed legislation to protect their residents. One such state is Montana, which recently enacted the Montana Consumer Data Privacy Act (MCDPA). In this article, we will provide an overview of the MCDPA, its key provisions, and what it means for Montana’s residents.

Montana Consumer Data Privacy Act: An Overview

What Is the Montana Consumer Data Privacy Act?

The Montana Consumer Data Privacy Act is a state law that governs the collection, use, and sharing of personal information by businesses operating in Montana. The law will go into effect October 1, 2024. The MCDPA is similar to other state privacy laws, such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA), in that it gives consumers more control over their personal information.

The MCDPA stands out as a Republican-led state law that provides robust consumer privacy protections. It is comprehensive in its approach, offering a strong baseline of privacy rights for Montana residents that are comparable to those offered by leading privacy frameworks in other states such as Connecticut, Utah, Iowa, and Colorado. This is a significant achievement, given the fact that Republican-led states have been generally less active in passing privacy laws compared to Democratic-led states.

Moreover, the MCDPA is designed in such a way that it is unlikely to require significant modifications to the compliance programs of organizations that are already subject to other privacy laws. This is a welcome development, as it can help to reduce the burden of compliance for businesses, especially those operating across multiple states with varying privacy requirements.

The MCDPA is a positive development for consumer privacy in Montana and serves as a model for other Republican-led states seeking to enhance privacy protections for their residents. By offering a comprehensive set of baseline privacy rights and protections, the MCDPA recognizes the importance of safeguarding consumer data and promoting transparency and accountability in data practices.

How the MCDPA Compares to Other Data Privacy Regulations

The Montana Consumer Data Privacy Act is a significant development in data privacy regulation. One of the key features of this legislation is that it includes provisions that are missing from some other state laws, making it more consumer-friendly and workable.

One such provision is the requirement for companies to honor browser privacy signals, such as the Global Privacy Control, which allows consumers to opt out of data sales at all companies in a single step. This makes it easier for consumers to exercise their privacy rights and control their personal data.

The MCDPA also prohibits the use of “dark patterns” in obtaining consent, which are manipulative tactics used to trick consumers into giving up their data. By preventing companies from using such tactics, the law promotes transparency and ensures that consumers are giving informed consent.

Another important provision of the MCDPA is that it places a sunset on the “right to cure” in administrative enforcement, meaning that companies will no longer have a “get out of jail free” card for failing to protect consumer privacy. This encourages businesses to take consumer privacy seriously and ensures they will face consequences for noncompliance.

In total, the MCDPA is a comprehensive and forward-thinking data privacy law that sets a high standard for other states to follow. With its consumer-friendly provisions, it empowers individuals to take control of their personal data and promotes transparency and accountability in data practices.

What Does the MCDPA Mean for Montana Residents?

The Montana Consumer Data Privacy Act gives Montana residents more control over their personal information. They now have the right to know what personal information businesses are collecting about them, and they can opt out of the sale of that information. They can also request that businesses delete their personal information, and businesses must comply with these requests within 45 days. Additionally, the MCDPA requires businesses to implement reasonable security measures to protect personal information from unauthorized access, disclosure, or destruction.

Who Must Comply With the MCDPA?

It is important to note that the Montana Consumer Data Privacy Act applies to businesses that conduct business in Montana or that intentionally target Montana residents with their products or services, even if the businesses are located outside of the state. The Act covers a wide range of businesses, including those that collect data through websites, mobile apps, and other online platforms.

Key Provisions of the Montana Consumer Data Privacy Act

The Montana Consumer Data Privacy Act contains several key provisions that businesses operating in Montana should be aware of. Some of the most important provisions include:

1. Montanans Have a Right to Know How Their PII Is Used

Under the MCDPA, Montana residents have the right to know what personal information businesses are collecting about them, why it is being collected, and who it is being shared with. Businesses must disclose this information in a clear and understandable format, and they must provide this information free of charge upon request.

2. Montanans Have the Right to Opt Out

Montana residents have the right to opt out of the sale of their personal information. Businesses must provide an opt-out mechanism on their website or mobile app, and they must honor opt-out requests within 45 days.

3. Montana Residents Can Request a Business to Delete Their PII

Montana residents have the right to request that businesses delete their personal information. Businesses must honor these requests within 45 days, and they must also notify any third parties with whom the information was shared.

4. Only a Minimum Amount of Montanans’ PII Can Be Collected

Under the MCDPA, businesses must only collect and retain personal information that is necessary for a specific purpose. They must also minimize the amount of personal information they collect, and they must delete or de-identify personal information when it is no longer needed.

5. Businesses Must Protect Montana Residents’ PII

Businesses must implement reasonable security measures to protect Montanans’ personal information from unauthorized access, disclosure, or destruction. They must also conduct regular risk assessments and train their employees on data security best practices.

How the MCDPA Defines “Personal Information”

The Montana Consumer Data Privacy Act defines “personal information” as any information that relates to an identified or identifiable natural person residing in Montana. This includes, but is not limited to, the individual’s name, address, phone number, email address, Social Security number, driver’s license number, passport number, biometric data, financial information, health information, and any other information that could reasonably be linked, directly or indirectly, with a particular consumer or household. The Act also considers personal information to include any data that is collected or processed through an individual’s use of websites, apps, or other online services, including IP addresses, browsing history, and online behavior.

The Act gives Montana residents greater control over their personal information and places greater responsibility on businesses to protect that information.

Obligations of Businesses Under the Montana Consumer Data Privacy Act

Under the Montana Consumer Data Privacy Act, businesses that collect, use, or disclose personal information of Montana residents must provide certain disclosures and protections to those individuals. Businesses must inform consumers about the categories of personal information that they collect, the purposes for which that information is collected, and any third parties with whom that information is shared. Additionally, businesses must obtain opt-in consent before collecting sensitive personal information, such as financial or health information, and must provide consumers with the ability to opt out of the sale of their personal information to third parties.

The Act also imposes certain security obligations on businesses to safeguard personal information from unauthorized access, destruction, use, modification, or disclosure. Businesses must implement reasonable data security measures that are appropriate to the nature of the personal information being collected and the size and complexity of the business’s operations. In the event of a data breach, businesses must provide timely notice to affected consumers and take steps to mitigate the harm caused by the breach.

Businesses subject to the MCDPA are those that conduct business in Montana or that intentionally target Montana residents with their products or services, and meet at least one of the following criteria:

  • Generate annual gross revenue of $25 million or more
  • Buy, receive, sell, or share the personal information of 50,000 or more consumers, households, or devices
  • Derive 50% or more of their annual revenue from selling consumers’ personal information

Under the MCDPA, businesses must provide consumers with certain rights, including the right to:

  • Know what personal information is being collected about them and how it is being used
  • Access, correct, or delete their personal information
  • Opt out of the sale of their personal information
  • Not be discriminated against for exercising their privacy rights

Fines and Penalties Under the Montana Consumer Data Privacy Act

The Montana Attorney General is responsible for enforcing the MCDPA, and can seek civil penalties of up to $5,000 per violation. Additionally, consumers can bring a private right of action if their personal information is subject to unauthorized access or disclosure as a result of a business’s violation of the law.

Overall, the Montana Consumer Data Privacy Act represents an important step toward protecting consumers’ personal information and ensuring transparency and accountability in the data practices of businesses operating in Montana.

Kiteworks Helps Businesses Comply With the Montana Consumer Data Privacy Act

The passage of the Montana Consumer Data Privacy Act reflects a growing trend among states to legislate data privacy protection in response to businesses’ inability to do it on their own. Several other states, including California, Utah, Virginia, and Colorado, have enacted similar laws in recent years, and other states are expected to pass their own data privacy laws in the near future. The popularity of these laws can be attributed to a rise in data breaches, either from sophisticated cyberattacks or accidental data leaks, that expose private citizens’ PII. When PII is exposed, it can be used to commit identity theft and insurance fraud. It can take years and tens of thousands of dollars for private citizens to recover from these events.

The Kiteworks Private Content Network consolidates the communication channels organizations use to share PII and other sensitive information with trusted third parties. Traditionally, organizations have relied on multiple communication channels, which can make it challenging to maintain a centralized and automated system to protect and track PII whenever it’s shared externally. Kiteworks solves this problem by unifying all the different content communication channels into one platform, enabling administrators to apply consistent security policies to individual users and files. These granular access controls and role-based permissions, bolstered by multi-factor authentication, ensure only authorized users have access to PII. The Kiteworks platform is protected by a hardened virtual appliance that features embedded antivirus protection and an intrusion detection system (IDS). In addition, integrations with security solutions like data loss prevention (DLP), advanced threat protection (ATP), and content disarm and reconstruction (CDR) minimize the attack surface and reduce the impact of cyberattacks and data breaches.

Kiteworks enables automated policy-based encryption that protects emails and their attachments for their entire journey from sender to recipient, even as they pass through network firewalls, offering peace of mind to users concerned about the confidentiality and integrity of their information.

Additionally, Kiteworks provides several secure deployment options, including on-premises, private cloud, hybrid cloud, and FedRAMP virtual private cloud deployments, so organizations can choose the best deployment option for their specific content security and compliance requirements.

By using Kiteworks, businesses can streamline governance, ensure strict compliance, proactively detect potential privacy and compliance issues, and respond quickly to incidents.

If your business is looking for a solution to comply with the Montana Consumer Data Privacy Act and other privacy regulations, schedule a custom-tailored demo of the Kiteworks Private Content Network today.

