What types of compliance documents can ComplianceIQ generate?

ComplianceIQ generates privacy policies, terms of service, employee handbooks, data handling policies, OSHA compliance documents, acceptable use policies, HIPAA compliance docs, information security policies, and more — all tailored to your industry.

Are the generated documents legally valid?

ComplianceIQ generates comprehensive, industry-standard compliance documents informed by current regulations. While they provide an excellent foundation, we recommend having critical documents reviewed by legal counsel for your specific jurisdiction.

How does ComplianceIQ stay current with regulations?

Our AI models are continuously updated with the latest regulatory frameworks including GDPR, CCPA, HIPAA, SOC 2, OSHA, and more. Pro and Enterprise plans include regulatory update alerts.

← All states·MCDPA

Montana (MCDPA) Privacy Law Compliance

Montana's Consumer Data Privacy Act (effective October 1, 2024) uses one of the lowest thresholds in the country — only 50,000 consumers — making it relevant for surprisingly small SaaS with US-wide user bases. The law follows the Connecticut template closely, including mandatory UOOM honouring from January 1, 2025.

Statute

Montana Consumer Data Privacy Act

Mont. Code §30-14-2801 et seq.

Effective

Oct 1, 2024

Enforcer

Montana Attorney General

(exclusive)

Consumer rights

8 business obligations

Run free policy audit Does this apply to me? ↓

Who must comply

Persons that conduct business in Montana OR produce products/services targeted to Montana residents
AND one of: (a) control or process personal data of 50,000+ Montana consumers (excluding for payment-only); OR (b) control/process data of 25,000+ consumers AND derive 25%+ gross revenue from sale of personal data

Exemptions

State agencies, GLBA financial institutions, HIPAA PHI + BA processing
Employment + B2B data fully exempt
Non-profits, FCRA, DPPA, FERPA in context

Consumer rights (8)

Right to access / know

Confirm whether personal data is processed and obtain a copy in a portable format

Right to correct

Correct inaccurate personal data

Right to delete

Request deletion of personal data the controller has collected

Right to data portability

Receive data in a portable, machine-readable format

Right to opt out of sale

Opt out of the sale of personal data to third parties

Right to opt out of targeted advertising

Opt out of cross-context behavioural advertising

Right to opt out of profiling with legal effect

Opt out of automated decisions producing legal or similarly significant effects

Right to appeal

Appeal a controller's refusal to honour a rights request (typically 45–60 days)

Business obligations (8)

Public privacy notice

Clear, accessible notice of categories collected, purposes, third parties, rights, and contact channel

Rights response within 45 days

Respond to consumer rights requests within 45 days (extendable by 45 more with notice)

Data processing agreements

Written contracts with processors restricting their processing to the controller's documented instructions

Data protection assessments

Document risk assessment for targeted advertising, sale, profiling, sensitive data processing

Honour universal opt-out signals (GPC)

Recognise the Global Privacy Control browser signal as a valid opt-out (where required)

Reasonable security practices

Administrative, technical, physical safeguards appropriate to the data's sensitivity

Data minimisation + purpose limitation

Collect only what is adequate, relevant, and reasonably necessary for the disclosed purposes

Opt-in for sensitive data + minors 13–16

Affirmative consent before processing sensitive data and before processing teen data for targeted ads or sale

Required privacy notice elements

Categories of personal data processed
Purpose of processing
Categories of personal data shared + categories of third parties
Rights + how to exercise + appeal process
Sale / targeted advertising disclosure + opt-out
Statement of UOOM recognition

Don't hand-check this. Drop your existing privacy policy into the free policy audit and we'll grade every required element and surface the missing language.

Common compliance pitfalls

⚠ Low threshold catches surprisingly small SaaS

The 50,000 consumer threshold is the lowest in the country. A modestly successful B2C SaaS or media site with US distribution can easily hit 50K Montana users.

⚠ GPC not honoured by Jan 2025

Montana mandates UOOM (GPC) honouring from January 1, 2025. The 90-day delay between effective date and UOOM was a configuration window — now closed.

FAQ

Why is the 50K threshold significant?

Most state laws use 100K. Montana's lower 50K threshold makes the law applicable to many more companies. Combined with the 'producing products/services targeted to Montana residents' language, any US-wide consumer app is likely in scope.

How does Montana compare to Connecticut?

Very similar (rights, structure, enforcement). Montana has a lower threshold (50K vs 100K), higher penalty cap ($10K vs $5K via CUTPA), and applies similar UOOM honouring.

Grade your Montana privacy policy in 20 seconds

Paste your privacy policy and we'll score it against MCDPA requirements — categories collected, rights enumeration, opt-out mechanism, sensitive data handling. Free, 3 audits/day, no signup.

Run free audit for Montana