Active on every WordPress site

Montana · MCDPA

WordPress hosting with MCDPA plugin built into the platform.

Opt-out signals for sale and targeted advertising, opt-in for sensitive data, Universal Opt-Out Mechanism honoring since January 1, 2025, a 45-day response workflow, and an appeal channel — handled by Yovale's compliance MU-plugin. You don't install it. You don't update it. You don't pay for it. With the lowest applicability threshold in US state privacy law — 50,000 Montana residents — even modest sites with a Montana audience are covered. The same platform also handles CCPA, VCDPA, CPA, CTDPA, TDPSA, and OCDPA — one stack, every US state privacy law.

Effective: October 1, 2024Penalty: up to $7,500 per violationJurisdiction: Montana, USA

Start free trial See pricing

yoursite.com

Your Montana privacy rightsMontana detected

Under the MCDPA, you can opt out of the sale of personal data, targeted advertising, and profiling. You can also access, correct, delete, or export the data we hold about you, and appeal a denied request.

handled by Yovale · no plugin installed

what the MCDPA requires

Six obligations you have to meet.

The Montana Consumer Data Privacy Act took effect on October 1, 2024 and carries the lowest applicability threshold of any US state privacy law: 50,000 Montana residents, or 25,000 when 25% or more of revenue comes from selling personal data. Because Montana's population is small, the bar to qualify as a covered controller is correspondingly low — many sites that fall under the CCPA or VCDPA radar still trigger the MCDPA. Enforcement sits with the Montana Attorney General, with civil penalties of up to $7,500 per violation under the Montana Unfair Trade Practices Act. The 60-day right-to-cure period sunsets on April 1, 2026.

01
Consumer rights: access, correct, delete, port
Montana consumers can request access to the personal data you hold, correct inaccuracies, delete it, and obtain a portable copy in a readily usable format. You respond within 45 days, extendable once by 45 days when reasonably necessary.
02
Opt-out for sale, targeted ads, profiling
Consumers can opt out of the sale of personal data, targeted advertising, and profiling that produces legal or similarly significant effects. The mechanism has to be clear, conspicuous, and free of dark patterns.
03
Opt-IN for sensitive data
You cannot process sensitive data without explicit consent. Sensitive data covers race, ethnicity, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship and immigration status, genetic and biometric data, precise geolocation, and personal data from a known child.
04
Universal Opt-Out Mechanism (UOOM)
Since January 1, 2025, controllers must recognize and honor universal opt-out signals such as Global Privacy Control (GPC). The browser-level signal counts as a valid opt-out request for sale and targeted advertising — without any consent UI click required from the consumer.
05
Low 50,000-resident threshold
The MCDPA applies to controllers processing personal data of 50,000+ Montana residents, or 25,000+ residents when 25% or more of revenue comes from data sales. This is the lowest bar of any US state law, so smaller sites with a Montana audience are still in scope.
06
Appeal process and 45-day response
Respond to consumer requests within 45 days. When you deny a request, give the consumer a clear way to appeal and respond to the appeal within 60 days. If denied, provide an explanation and a link to file a complaint with the Montana Attorney General.

how Yovale handles it

Built into the platform. Not a plugin you install.

Yovale ships MCDPA compliance as a signed must-use plugin — part of the hosting itself, not something you install from the WordPress repository. It's version-pinned, fetched from R2 with SHA-256 verification, and dropped into a per-site bind-mounted mu-plugins directory at provision time. Updates ship through the same channel your hosting updates do.

Geo-aware consent and UOOM honoring

Montana visitors see MCDPA opt-out controls for sale, targeted advertising, and profiling. The Cloudflare edge worker reads the GPC signal on every request and applies the opt-out before any analytics or ad pixel fires — no banner click required, exactly as the MCDPA mandates since January 2025.

Privacy portal

/.well-known/privacy on every Yovale site. Montana consumers can submit access, correction, deletion, and portability requests without filing a support ticket. Every request shows up in your Compliance dashboard tab with a 45-day SLA timer.

Appeal workflow

When a request is denied, the consumer gets a one-click appeal link. The appeal opens a separate 60-day SLA case in your dashboard, with the original decision attached. If you deny the appeal, the platform attaches the Montana AG complaint link automatically.

Signed processor contract

Pre-signed controller-processor contract that meets MCDPA requirements. Lists every sub-processor (Cloudflare, Anexia, R2), purpose limits, confidentiality, deletion at end of service, and assistance with consumer requests. PDF download from the dashboard.

plugin vs platform

Why infrastructure beats a plugin.

Typical WordPress MCDPA plugin

Adds 200-500ms to every page load (banner JS, geo lookup, DB writes)
Stores opt-out signals in wp_options — slow, untyped, breaks with object caching
Almost no consent plugin honors GPC server-side — the UOOM requirement quietly fails
Costs $49-149/year per site and rarely covers the appeal workflow
Breaks when you migrate hosts; opt-out history and appeal records lost

Yovale's built-in approach

0ms latency — opt-out state computed at the edge worker, cached in the CDN
GPC honored at the edge on every request, logged for audit
Audit log in a dedicated database, queryable, never blocks page render
Included on every plan ($149 / $249 / $499 per year), no per-site compliance fees
Travels with your site forever — opt-out and appeal history is yours to export

Your dashboard

14 regulations. One toggle each. All automatic.

Regulations14

OPT-IN

MCDPA

Montana Consumer Data Privacy Act

OPT-IN

CCPA

California Consumer Privacy Act

VCDPA

Virginia Consumer Data Protection Act

CPA

Colorado Privacy Act

OCDPA

Oregon Consumer Data Privacy Act

+ 9 more regulations · all opt-in

MCDPA

Montana Consumer Data Privacy Act

OPT-IN

Effective

October 1, 2024

Consent mode

Opt-out (opt-in for sensitive)

Authority

Montana AG

Max penalty

$7,500

Key requirements

Opt-out for sale, targeted ads, profiling
Opt-in for sensitive data
Universal Opt-Out Mechanism since Jan 1, 2025
45-day consumer request response
Appeal process within 60 days

common questions

MCDPA + Yovale, answered.

Does the MCDPA apply to my site?

It applies if you control personal data of 50,000 or more Montana residents in a calendar year, or 25,000 or more when 25% or more of your gross revenue comes from selling personal data. That 50,000-resident bar is the lowest of any US state privacy law — Montana's population is small, so the threshold is set proportionally lower. Government bodies, certain non-profits, HIPAA-covered entities, and FERPA-covered education data are out of scope. If you have any meaningful Montana audience, assume you're covered and run Yovale's default protections from day one.

What is the Universal Opt-Out Mechanism, and when is it required?

Since January 1, 2025, Montana controllers must recognize and honor a universal opt-out signal — in practice, the Global Privacy Control (GPC) header sent by browsers like Brave, DuckDuckGo, and Firefox. The signal counts as a valid opt-out for sale and targeted advertising without the consumer clicking anything. Yovale's Cloudflare edge worker reads GPC on every request and applies the opt-out before analytics, ad pixels, or third-party tags fire.

How is the MCDPA different from CCPA, VCDPA, and the other state laws?

The MCDPA follows the VCDPA template — opt-out for sale and targeted advertising, opt-IN for sensitive data, formal appeal process, no private right of action — but with two distinguishing features. First, the 50,000-resident applicability threshold is the lowest in the country, so smaller sites with Montana audiences are in scope when they would not be under VCDPA's 100,000-consumer floor. Second, UOOM honoring is mandatory and active since January 2025. Yovale handles all US state regimes from one platform.

Is there still a cure period for violations?

Yes, but only until April 1, 2026. As originally enacted, the MCDPA gives controllers a 60-day right-to-cure window after the Montana Attorney General sends a notice of violation. That provision sunsets on April 1, 2026, after which the AG can pursue penalties immediately under the Montana Unfair Trade Practices Act — up to $7,500 per violation. Yovale's defaults are built to keep you out of cure-notice territory entirely.

What counts as sensitive data and how is the opt-in handled?

Sensitive data under the MCDPA covers race or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed to uniquely identify a person, precise geolocation, and personal data from a known child. Yovale's MU-plugin blocks any plugin or script that touches a sensitive category until the consumer has actively opted in through the consent UI.

Do you provide a processor contract?

Yes. A pre-signed controller-processor contract that meets MCDPA requirements is available as a PDF in your dashboard. We're listed as your processor, you're the controller. It lists every sub-processor (Cloudflare, Anexia, R2), purpose limits, confidentiality terms, return or deletion of data at end of service, and our duty to assist with consumer requests and data protection assessments.

Ship an MCDPA-compliant WordPress site in 60 seconds.

Every Yovale site is MCDPA-ready from the moment you deploy. UOOM honoring, the appeal workflow, the processor contract — already shipped. Start the free Growth trial and see your first compliance dashboard.

Start free trialfree Growth trial · no credit card · MCDPA active from minute one