Montana Consumer Data Privacy Act

Share this article:

Montana Consumer Data Privacy Act: What Background Screeners Need to Know


On May 19, 2023, Montana became the latest state to enact a comprehensive privacy law with the signing of the Montana Consumer Data Privacy Act (MCDPA). Taking effect on October 1, 2024, this landmark legislation reflects a growing national trend toward enhancing consumer data protections—and poses significant compliance obligations for businesses handling personal data, particularly consumer reporting agencies (CRAs) and background screening providers.


At Eagle Eye Screening Solutions, we know that navigating new privacy regulations can be complex. Our systems and services are built to align with legal compliance, real-time data integrity, and operational precision. In this guide, we’ll break down the MCDPA’s key provisions, explore its implications for public records retrieval, and explain how CRAs can prepare for compliance.


Understanding the Montana Consumer Data Privacy Act


The Montana Consumer Data Privacy Act is modeled closely after similar legislation enacted in Virginia (VCDPA), Colorado (CPA), and Connecticut (CTDPA). These state-level data privacy laws aim to give consumers more control over how their personal information is collected, processed, shared, and sold.


Montana's law applies specifically to for-profit businesses that meet either of the following thresholds:

  • Control or process the personal data of at least 50,000 Montana residents annually, excluding data collected solely for payment transactions
  • Derive more than 25% of gross revenue from the sale of personal data and process the data of at least 25,000 residents.

These applicability standards are relatively consistent with other state laws but tailored to Montana’s demographic and commercial landscape.

Importantly, the MCDPA defines “sale” of personal data broadly—as the exchange of data for monetary or other valuable consideration to a third party. This means even indirect monetization strategies could trigger obligations under the Act.


Key Provisions of the Montana Data Privacy Law


Montana's law places a dual responsibility on data controllers (those who determine the purpose and means of processing personal data) and data processors (those who handle data on behalf of controllers). CRAs and background screening vendors often act in both roles, depending on the specific nature of the service.


1. Consumer Rights

Montana residents will gain several new rights under the MCDPA, including the right to:


  • Access personal data held about them

  • Correct inaccuracies in their data

  • Delete personal data

  • Obtain a copy of their data in a portable and usable format

  • Opt out of:

  • The sale of personal data

  • Targeted advertising

  • Profiling that produces significant legal or similar effects

For CRAs, these rights necessitate robust data access and modification workflows. Consumers must be able to submit requests, and businesses must be able to verify identity and respond within 45 days—extendable by an additional 45 days if reasonably necessary.

These consumer rights create direct operational implications for CRAs, especially those processing non-FCRA data for marketing, analytics, or lead generation.


2. Responsibilities for Data Controllers


Data controllers must comply with a number of obligations, including:


  • Data minimization: Collect only data that is “adequate, relevant, and reasonably necessary” for the intended purpose.

  • Purpose limitation: Do not use personal data for a materially different purpose without consent.

  • Transparency: Provide a clear and accessible privacy notice that describes:

  • Categories of data processed

  • Purposes of processing

  • How consumers can exercise their rights

  • Whether personal data is sold or used for targeted advertising

  • Security: Implement reasonable administrative, technical, and physical safeguards to protect personal data.

  • Contractual controls: Execute Data Processing Agreements (DPAs) with third-party vendors that process data on the controller’s behalf.

  • Data Protection Assessments (DPAs): Conduct and document assessments for processing activities that present a heightened risk of harm, such as profiling or selling sensitive data.

These requirements are particularly critical for background screeners, who often process large volumes of sensitive public record data and must maintain tight compliance and data governance procedures.


Exemptions Relevant to Background Screeners and CRAs


A key aspect of the MCDPA is the FCRA exemption. Personal data that is collected, maintained, and disseminated solely for purposes governed by the Fair Credit Reporting Act (FCRA) is exempt from the law’s requirements.


This means that:


  • Most background check data used for employment, housing, or credit purposes—as long as it falls squarely under the FCRA—will not be subject to MCDPA obligations.

  • However, non-FCRA data activities are not exempt. For example:

  • Website cookies and analytics

  • CRM or sales data

  • Email marketing lists

  • Operational or HR data unrelated to FCRA purposes

This dual-status means CRAs and screening providers must segregate data flows and apply different compliance frameworks depending on the data type and purpose.


At Eagle Eye, we help our clients clearly define these boundaries and provide guidance on maintaining FCRA-aligned protocols, while identifying and minimizing exposure to non-FCRA obligations.

Impact on Public Records Retrieval and Criminal Research


Although public court records are typically used for FCRA-compliant background screening, the methods used to collect, process, and store this information must still reflect privacy best practices—especially as more states introduce their own consumer privacy frameworks.

Under the Montana law and similar statutes, background screeners should:


  • Use encryption for the transmission and storage of personally identifiable information (PII)

  • Minimize unnecessary data retention, particularly where data no longer serves an operational or compliance purpose

  • Configure automated retrieval tools to exclude irrelevant, outdated, or sealed records

  • Implement role-based access controls to restrict internal access to sensitive information

At Eagle Eye Screening Solutions, our real-time data extraction systems are purpose-built for public record retrieval with compliance in mind. We ensure that our processes are efficient, accurate, and secure—and that the data returned is filtered to match the legal and operational requirements of our clients.


Preparing for the October 2024 Compliance Deadline


The MCDPA officially goes into effect on October 1, 2024. For CRAs and employers, now is the time to assess current processes, review vendor relationships, and establish clear compliance procedures.


Recommended Next Steps for CRAs and Employers:


  1. Inventory and classify data:

  2. Understand what data is collected and processed

  3. Identify whether it falls under FCRA or non-FCRA use cases

  4. Update privacy policies and notices:

  5. Ensure they align with MCDPA requirements and clearly explain consumer rights

  6. Revise vendor contracts:

  7. Include MCDPA-specific data processing terms and flow-down obligations in all agreements

  8. Implement consumer rights workflows:

  9. Prepare systems to respond to data access, correction, deletion, and portability requests within the required timelines

  10. Train compliance teams:

  11. Educate staff and clients on the distinctions between FCRA-exempt data and data that falls under state privacy laws

  12. Perform Data Protection Assessments (DPAs):

  13. For high-risk activities, develop written assessments that document the necessity and proportionality of data use

At Eagle Eye, we proactively monitor state privacy legislation and incorporate compliance safeguards into our platform and partner ecosystem. Our goal is to help you stay ahead of the curve—so you can focus on delivering accurate, actionable background screening data with confidence.


Conclusion



The Montana Consumer Data Privacy Act is another significant development in the expanding world of U.S. privacy law. While many CRAs will benefit from the law’s FCRA exemption, it’s essential to recognize that not all data activities are excluded. Marketing, analytics, and internal HR data may still trigger obligations under MCDPA.


To navigate this evolving landscape, CRAs and employers need transparent data practices, secure retrieval workflows, and reliable partners who understand the operational challenges of background screening in a regulated environment.


At Eagle Eye Screening Solutions, we’re committed to helping our clients maintain compliance while delivering fast, reliable, and legally sound public record data. If you’re unsure how the MCDPA or other state laws affect your operations, our team is here to help you assess, plan, and move forward confidently.



Connect with Us:

New Jersey Expungement Laws Guide: What CRAs and Background Screeners Must Know in 2025

28 March 2025
Learn how New Jersey’s evolving expungement laws, especially under Assembly Bill A4151, impact CRAs and background screeners in 2025.

San Diego Fair Chance Ordinance: What CRAs Need to Know About the County's New Hiring Rules

11 February 2025
Learn how San Diego’s Fair Chance Ordinance changes criminal background checks and what CRAs must do to stay compliant with local hiring rules.
A statue of justice is sitting on top of a book in front of a flag

Understanding the Colorado Clean Slate Act (Senate Bill 22-099)

4 December 2024
Learn about Colorado's Clean Slate Act (SB 22-099), its impact on sealing 100k+ criminal records, eligibility requirements, and promoting second chances.