# Montana Privacy Law (MCDPA) Compliance Guide for Small Businesses > Montana MCDPA took effect October 1, 2024. It applies to businesses processing data of 50,000+ Montana consumers — lower than the standard 100,000 threshold. _Published 2026-04-07 by Nikolas_ # Montana Privacy Law (MCDPA): What Small Businesses Need to Know The Montana Consumer Data Privacy Act (MCDPA) took effect **October 1, 2024**, and applies to any business processing the personal data of **50,000 or more Montana consumers** in a calendar year — lower than the 100,000 used by most state privacy laws — with **no annual revenue threshold**. A secondary trigger captures businesses processing data of 25,000 or more Montana consumers and deriving **25% or more** of revenue from data sales (lower than the 50% used by most states). The Montana Attorney General is the sole enforcement authority. Montana's combination of a 50,000 consumer threshold and lower data sale revenue percentage means it catches more businesses than the population alone would suggest. --- ## Does MCDPA Apply to My Business? MCDPA applies to any person that conducts business in Montana or produces products or services targeted to Montana residents AND meets one of two thresholds: - Controls or processes personal data of **50,000 or more Montana consumers** during a calendar year (excluding personal data processed solely to complete a payment transaction), OR - Controls or processes personal data of **25,000 or more Montana consumers** AND derives more than **25%** of gross revenue from the sale of personal data. The threshold logic is **OR**, with no revenue floor under either path. Montana's 50,000 consumer primary threshold sits between the standard 100,000 and the lower 35,000 used by Connecticut, Delaware, Maryland, New Hampshire, and Rhode Island. | Threshold | Montana MCDPA | CCPA/CPRA | Connecticut CTDPA | |-----------|---------------|-----------|-------------------| | Revenue | None | $25M+ | None | | Consumer count | **50,000** | 100,000 | 35,000 | | Data sale alternative | 25K + **25%** | 50% revenue share | 25K + 25% | | Threshold logic | OR | OR | OR | Montana accounts for roughly 0.3% of the US population — among the smallest in absolute terms. Reaching 50,000 Montana consumers from a national e-commerce store typically requires substantial volume. The 25,000 + 25% data sale path is the more aggressive trigger and applies to businesses with meaningful ad tech revenue at lower customer counts. --- ## What Does MCDPA Require? MCDPA grants Montana consumers a standard set of state privacy law rights and follows the Virginia model. **Consumer rights you must honor.** Access, correction, deletion, portability, and opt-out of targeted advertising, sale of personal data, and profiling that produces legal or similarly significant effects. Response deadline is 45 days, with one possible extension. Consumers have the right to appeal denied requests. **Disclosures you must publish.** Privacy notice covering categories of personal data processed, purposes, third-party sharing categories, and instructions for exercising rights and appealing denials. **Operational practices you must implement.** Conduct data protection assessments for high-risk processing activities. Obtain affirmative opt-in consent before processing sensitive personal data. Establish reasonable administrative, technical, and physical security practices. MCDPA requires honoring universal opt-out mechanisms, including the Global Privacy Control browser signal — making Montana one of the states with this technical requirement. --- ## How MCDPA Affects Small Businesses Montana's lower 50,000 consumer threshold means more mid-size businesses can be in scope under MCDPA than under standard 100,000-threshold laws. Combined with the 25% data sale revenue secondary path and the requirement to honor GPC, Montana is more demanding than the population alone suggests. For Shopify merchants and direct-to-consumer brands, the practical takeaway is: do not assume Montana's small population means you are out of scope. Calculate your Montana consumer count carefully. If you have ad tech monetization that meets the 25% data sale revenue threshold with at least 25,000 Montana consumers, you are in scope under that secondary path even if you do not reach 50,000. The GPC handling requirement is the operational issue most likely to catch businesses unaware. If you have already implemented GPC for California, Colorado, or Connecticut compliance, that work covers Montana automatically. If you have not, you need to implement it for any of these states. --- ## Key Differences from Other State Privacy Laws MCDPA stands out on two dimensions: **50,000 consumer primary threshold.** Lower than the 100,000 used by Virginia, Texas, Colorado, and most other states. Higher than the 35,000 used by Connecticut, Delaware, Maryland, New Hampshire, and Rhode Island. Montana sits in the middle. **25% data sale revenue threshold.** Lower than the 50% used by California, Texas, Virginia, and most other states. Catches more businesses with ad tech and affiliate revenue. **Universal opt-out signal mandate.** Like California, Colorado, Connecticut, Delaware, and Maryland, Montana requires honoring GPC. Compared to **Virginia VCDPA**, Montana has a lower consumer threshold and a lower secondary data sale threshold, plus the GPC mandate. Compared to **Connecticut CTDPA**, Montana's primary threshold is higher (50K vs 35K) but the structure is otherwise similar. Compared to **Iowa ICDPA**, Montana is significantly more demanding. --- ## How to Comply with MCDPA If MCDPA applies to your business, the following steps establish baseline compliance. 1. **Confirm scope at the lower threshold.** Calculate Montana consumer count from analytics and customer records. Treat 50,000 as the primary trigger, or 25,000 if 25%+ of revenue comes from data sales. 2. **Update your privacy notice** with categories, purposes, third-party sharing, rights, and appeals process. 3. **Implement automatic GPC signal handling.** Detect Global Privacy Control browser headers and apply opt-out preferences automatically. If you have already implemented this for other states, no additional work is required. 4. **Add explicit opt-out mechanisms** for targeted advertising, sale of personal data, and profiling. 5. **Build a consumer rights request workflow** with the 45-day response deadline tracked. 6. **Build a denial appeals process** with timely written response. 7. **Implement opt-in consent for sensitive data**. 8. **Conduct data protection assessments** for high-risk processing activities. 9. **Document reasonable security practices** appropriate to data volume. --- ## MCDPA Enforcement and Penalties The Montana Attorney General has exclusive enforcement authority for MCDPA. There is no private right of action — Montana consumers cannot sue businesses directly. The AG may seek civil penalties under Montana's Unfair Trade Practices Act, with penalties up to **$10,000 per violation**. MCDPA includes a 60-day cure period before formal enforcement during the first 18 months after the law's effective date (until April 1, 2026), after which the cure period becomes discretionary. Businesses notified of violations during the cure-period window have a clear path to avoid enforcement by acting within 60 days. --- ## Frequently Asked Questions ### When did Montana's privacy law take effect? Montana's Consumer Data Privacy Act (MCDPA) took effect October 1, 2024. It applies to businesses processing data of 50,000 or more Montana consumers annually, with no revenue threshold. ### Does MCDPA have a revenue threshold? No. MCDPA applies based on consumer data volume only: 50,000 or more Montana consumers annually, or 25,000 or more consumers if 25% or more of revenue comes from data sales. ### Why is Montana's consumer threshold lower than most states? Montana set its primary threshold at 50,000 (vs the standard 100,000) to reflect the state's smaller population and to ensure the law captures businesses with meaningful Montana consumer impact. The threshold is still higher than the 35,000 used by Connecticut, Delaware, Maryland, New Hampshire, and Rhode Island. ### Does MCDPA require honoring universal opt-out signals? Yes. MCDPA requires covered businesses to honor universal opt-out mechanisms, including the Global Privacy Control browser signal. This is a technical implementation requirement. ### What are the penalties for MCDPA violations? The Montana AG can seek civil penalties of up to $10,000 per violation under Montana's Unfair Trade Practices Act. There is no private right of action. A 60-day cure period applied during the first 18 months after the effective date. ### Does MCDPA apply if my business is not based in Montana? Yes. MCDPA applies based on where your consumers are located, not where your business is incorporated. If you process data from 50,000 or more Montana consumers annually, MCDPA applies regardless of your business location. --- **Check if MCDPA applies to your business →** [Take the free 5-minute quiz](https://app.getpurview.com/quiz) *This guide is for informational purposes only and does not constitute legal advice. Last updated: April 2026.* ---