Montana Consumer Data Privacy Act (MCDPA)

Montana's comprehensive privacy law, notable for the lowest consumer-count threshold (50,000) among VCDPA-template states — reflecting Montana's smaller population — and mandatory GPC recognition.

Overview

The Montana Consumer Data Privacy Act (MCDPA), codified at Mont. Code Ann. § 30-14-2801 et seq. and enacted as SB 384 (2023), became effective October 1, 2024. The MCDPA follows the Virginia/Connecticut model with consumer-friendly adjustments. Its signature feature is the lowest consumer-count threshold among states using the VCDPA template: 50,000 consumers (vs. 100,000 in most states) — a calibration that reflects Montana's population of roughly 1.1 million. Proportionally, the 50K threshold captures about 5% of Montana residents, so it affects more entities than a headline comparison would suggest.

Applicability: (a) 50,000+ Montana consumers processed per year, or (b) 25,000+ consumers AND 25%+ of gross revenue from data sales.

Exemptions mirror the VCDPA template: HIPAA, GLBA, non-profits, higher-ed, FCRA/DPPA/FERPA/COPPA-regulated data, employee/B2B.

Consumer Rights

  • Right to confirm and access
  • Right to correct
  • Right to delete
  • Right to portability
  • Right to opt out of sale, targeted advertising, and profiling
  • Right to appeal

Sensitive data (standard categories — race, religion, health, sexual orientation, citizenship, genetic/biometric, minors under 13, precise geolocation) requires opt-in consent.

Compliance Requirements

Controllers must publish privacy notices, honor GPC/UOOM (mandatory), perform DPIAs for targeted advertising, sale, profiling, sensitive data processing, and heightened-risk activities, and execute processor contracts per § 30-14-2814.

Cure Period + Enforcement

The Montana AG holds exclusive enforcement authority. Penalties reach $7,500 per violation. The 60-day cure period remains active — among the longest active cure windows in the country.

How Inori Addresses This

  • Notice: src/content/legal/privacy.mdx v1.2 covers MCDPA disclosures.
  • GPC (mandatory): middleware.ts:respectGpc reads Sec-GPC: 1, persists 12 months, and echoes X-GPC-Honored: true. Montana is part of the multi-state UOOM mapping.
  • DSAR: /api/dsar serves access, correction, deletion, portability, and appeal intake within a 30-day SLA.
  • Hard purge: 90-day cron deletes tenant data after account closure.
  • Sensitive data: Not collected.
  • Deferred: Formal DPIA register ships in a later sprint. Compliance with CTDPA and CPA — which Inori already meets — transitively covers MCDPA.
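
The GPC handling described in the list above, as an added example; it is not Inori's middleware.ts. The function name honorGpc, the cookie name gpc_opt_out, the use of a cookie for the 12-month persistence, and the Vary header are assumptions.

```typescript
// Added example, not Inori's code. Request headers are passed as a plain object.
const GPC_COOKIE = "gpc_opt_out";            // hypothetical cookie name
const TWELVE_MONTHS_S = 365 * 24 * 60 * 60;  // 12-month persistence, in seconds

interface GpcDecision {
  optedOut: boolean;                         // suppress sale, targeted ads, profiling
  source: "header" | "cookie" | "none";      // where the opt-out came from
  responseHeaders: Record<string, string>;
}

function parseCookies(header: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

function honorGpc(requestHeaders: Record<string, string | undefined>): GpcDecision {
  // HTTP header names are case-insensitive, so normalise before lookup.
  const h: Record<string, string> = {};
  for (const k in requestHeaders) {
    const v = requestHeaders[k];
    if (v !== undefined) h[k.toLowerCase()] = v;
  }
  // Only the exact value "1" expresses the preference; "0" or junk does not.
  const signal = (h["sec-gpc"] || "").trim() === "1";
  // A previously stored opt-out still applies when the header is absent.
  const persisted = parseCookies(h["cookie"] || "")[GPC_COOKIE] === "1";

  // The response depends on Sec-GPC, so shared caches must key on it.
  const responseHeaders: Record<string, string> = { Vary: "Sec-GPC" };
  if (signal) {
    // Refresh the stored opt-out each time the signal is seen.
    responseHeaders["Set-Cookie"] =
      `${GPC_COOKIE}=1; Max-Age=${TWELVE_MONTHS_S}; Path=/; Secure; HttpOnly; SameSite=Lax`;
  }
  if (signal || persisted) responseHeaders["X-GPC-Honored"] = "true";

  const source: GpcDecision["source"] = signal ? "header" : persisted ? "cookie" : "none";
  return { optedOut: signal || persisted, source, responseHeaders };
}
```

Downstream handlers should branch on optedOut rather than re-reading the header, so a stored opt-out is honored on requests where the browser no longer sends Sec-GPC.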

Related Concepts

See CCPA/CPRA, VCDPA, Colorado Privacy Act, and CTDPA for the comparative VCDPA-template family. GPC covers the mandatory signal. DSAR describes the request pipeline. OCPA is a similar model with additional Oregon-specific rigor.


Related Terms

CCPA / CPRA (California Consumer Privacy Act / California Privacy Rights Act)

California's comprehensive consumer privacy laws giving residents the right to know, delete, correct, and opt out of the sale or sharing of their personal information. CPRA amended and expanded CCPA effective January 1, 2023.

Virginia Consumer Data Protection Act (VCDPA)

Virginia's comprehensive consumer privacy law — the second state law after CCPA — granting residents rights to access, correct, delete, and opt out of data sales. Served as the template for most subsequent state laws.

Colorado Privacy Act (CPA)

Colorado's comprehensive privacy law — the third state after California and Virginia — notable for being the first to formally approve Global Privacy Control as a Universal Opt-Out Mechanism and for pairing with the Colorado AI Act.

Connecticut Data Privacy Act (CTDPA)

Connecticut's comprehensive privacy law, a hybrid of the CCPA and VCDPA models, notable for mandatory Universal Opt-Out Mechanism support and sunsetting the GLBA exemption for financial institutions in July 2026.

GPC (Global Privacy Control)

A browser-level signal (Sec-GPC: 1 HTTP header) that communicates a user's preference to opt out of the sale or sharing of their personal information. Legally recognized as a valid opt-out mechanism under CCPA/CPRA.