Overview
The Montana Consumer Data Privacy Act (CDPA) follows the Virginia model but is notable for applying to the smallest population of any state with comprehensive privacy legislation, with unique threshold adjustments.
Full Name and Description
Montana Consumer Data Privacy Act (CDPA): Signed into law on May 19, 2023, the CDPA becomes effective October 1, 2024. It provides Montana consumers with data protection rights following the established Virginia framework.
Enforcement Date
- Effective Date: October 1, 2024
- Cure Period: 60 days (no specified sunset date)
Governing Body
- Montana Attorney General: Exclusive enforcement authority
- No Private Right of Action: Consumers cannot sue directly
Primary Purpose
The CDPA aims to:
- Extend comprehensive privacy protections to Montana's residents
- Establish data processing transparency requirements
- Grant consumers meaningful rights over their personal data
- Create accountability for businesses handling consumer information
Applicability
Who Needs to Comply?
The CDPA applies to persons that conduct business in Montana or produce products/services targeted to Montana residents AND:
- Control or process personal data of 50,000+ Montana consumers (excluding payment-only data), OR
- Control or process personal data of 25,000+ Montana consumers AND derive more than 25% of gross revenue from the sale of personal data
Unique Threshold: Lowest Population Bar
Montana's 50,000 consumer threshold is the lowest among states without a revenue floor. Given Montana's total population of approximately 1.1 million, this threshold represents about 4.5% of the state population.
Key Exemptions
Entity-Level Exemptions:
- State and local government entities
- Financial institutions subject to GLBA
- HIPAA-covered entities and business associates
- Nonprofit organizations
- Higher education institutions
- Entities providing communications services under 47 U.S.C.
Data-Level Exemptions:
- Employment data
- B2B contact information
- Data subject to HIPAA, GLBA, FCRA, FERPA, COPPA
- Publicly available information
What the CDPA Governs
Types of Data Covered
Personal Data - Information linked or reasonably linkable to an identified or identifiable individual.
Sensitive Data (requires opt-in consent):
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data for identification
- Personal data of a known child
- Precise geolocation data
Consumer Rights Under CDPA
Montana consumers have five core rights:
- Right to Access: Confirm processing and obtain access to personal data
- Right to Correct: Request correction of inaccuracies
- Right to Delete: Request deletion of personal data
- Right to Portability: Obtain a portable copy of data
- Right to Opt-Out: Decline:
  - Sale of personal data
  - Targeted advertising
  - Profiling with legal or significant effects
Compliance Requirements
Key Obligations for Controllers
1. Privacy Notice Requirements
Provide reasonably accessible privacy notices including:
- Categories of personal data processed
- Purpose of processing
- How to exercise consumer rights
- Categories shared with third parties
- Categories of third parties receiving data
2. Consumer Request Handling
| Requirement | Timeframe |
|---|---|
| Initial Response | 45 days |
| Extension (reasonably necessary) | Additional 45 days |
| Appeals Response | 60 days |
| Cost | Free of charge |
3. Data Protection Assessments
Required for:
- Targeted advertising
- Sale of personal data
- Profiling presenting risk of significant effects
- Sensitive data processing
- Any processing with heightened harm risk
4. Controller-Processor Contracts
Required contractual provisions:
- Processing instructions
- Nature and purpose of processing
- Data type and duration
- Rights and obligations of both parties
Security Requirements
- Establish and maintain reasonable security practices
- Security appropriate to volume and sensitivity of data
Consequences of Non-Compliance
Enforcement Process
- Notice of Violation: AG provides written notice
- Cure Period: 60 days to cure violation
- Enforcement: Civil action if not cured
Penalties and Fines
- Up to $7,500 per violation
- Investigative costs and attorney fees recoverable
- Injunctive relief available
Extended Cure Period
Montana's 60-day cure period is among the longest, providing substantial time for remediation.
Implementation & Best Practices
How to Become Compliant
Step 1: Threshold Assessment
- Count Montana consumers in your databases
- Calculate revenue percentage from data sales
- Document applicability determination
Step 2: Standard Compliance Framework
- Follow Virginia-model compliance steps
- Implement consumer rights infrastructure
- Create data protection assessment processes
- Update privacy notices
Special Considerations
Given Montana's small population:
- Many businesses may find they don't meet the 50,000 consumer threshold
- Those near the threshold should implement monitoring
- National businesses are likely already compliant through their compliance with other state laws
Related Regulations
- Virginia VCDPA Compliance - Virginia's privacy framework (primary model)
- Colorado CPA Compliance - Colorado's privacy law
- Connecticut CTDPA Compliance - Connecticut's privacy law
- CCPA/CPRA Compliance Guide - California's privacy framework
Conclusion
The Montana Consumer Data Privacy Act extends the Virginia privacy model to Big Sky Country. While Montana's small population means fewer businesses will reach the 50,000 consumer threshold, the lower percentage (relative to population) means some companies might unexpectedly fall within scope.
Organizations with existing Virginia-model compliance should find Montana requirements largely familiar, with the main distinction being the extended 60-day cure period.