Support Centre



Law: Consumer Data Privacy Act (MCDPA)

Regulator: The Montana Attorney General (AG)

Summary: The Montana Governor signed Senate Bill No. 384 for An Act Establishing the CDPA on May 18, 2023, which will enter into effect October 1, 2024. The CDPA introduces obligations for controllers, including the obligation to implement administrative, technical, and physical data security practices, limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to its purposes, and conduct Data Protection Assessments.

The CDPA also requires a contract between controllers and processors to govern procedures performed on the controller's behalf. Additionally, the CDPA provides for data subject rights, including the right to confirm whether a controller is processing their personal data, access, correct, delete, and obtain a copy of such personal data, as well as the right to opt-out of certain processing activities. Furthermore, the CDPA provides the AG with enforcement powers, but does not provide a private right of action.

In addition, the State has its own data breach requirements under §30-14-1704 of Part 17 of Chapter 14 of Title 30 of the Montana Code Annotated 2017, which require, among other things, that a person or business must disclose any breach of the security of the data system following discovery or notification of the breach. Moreover, the Attorney General's Office of Consumer Protection needs to be simultaneously notified alongside individuals in the event of a personal data breach.


Data privacy continues to dominate legislative discussions in the US, both at the federal and state levels. While many states are considering broader, more comprehensive laws, there are certain states that are passing privacy laws more focused on certain industries or data types. A good example of this trend is the recently passed Montana Genetic Information Privacy Act (GIPA). GIPA recognizes the inherent sensitivity of genetic data and significant privacy risks in the collection and processing of genetic data.  

Specifically, GIPA prohibits the disclosure of a consumer's genetic data to the consumer's employer and any entity offering health insurance, life insurance, or long-term care insurance without the consumer's express consent. It is important to note that consumers may revoke consent at any time. Further, GIPA requires entities that collect genetic data to implement and maintain a comprehensive security program to protect consumers' genetic data against unauthorized access, use, or disclosure. Jordan L. Fischer, Partner at Constangy, Brooks, Smith & Prophete LLP, explores the key areas of GIPA and its initial response.  

The Montana Consumer Data Privacy Act (MCDPA) was signed by the Governor of Montana, Greg Gianforte, on May 18, 2023, following its passage by the State Senate and House of Representatives.

The MCDPA introduces obligations for data controllers and duties for data processors, as well as consumer rights, and will enter into effect on October 1, 2024.

The Consumer Data Privacy Act was introduced, on February 16, 2023, to the Montana State Senate. Since then, the Act has passed both the State Senate, as well as the House of Representatives, and was signed by the Governor of Montana, Greg Gianforte, on May 18, 2023. The Act introduces obligations for both data controllers and data processors, as well as consumer rights, and will enter into effect on October 1, 2024. OneTrust DataGuidance Research gives an overview of the Act.