Montana Data Privacy Laws: MCDPA Consumer Rights Guide (2026)

Montana has one of the most protective state data privacy laws in the country. The Montana Consumer Data Privacy Act (MCDPA), codified at Mont. Code Ann. 30-14-2801 et seq., gives Montana residents significant control over how businesses collect, use, and sell their personal information.
This guide covers the full scope of the MCDPA as amended by SB 297 in 2025, Montana's data breach notification requirements, and what these laws mean for both consumers and businesses operating in the state.
What Is the Montana Consumer Data Privacy Act (MCDPA)?
The MCDPA was signed into law on May 19, 2023, as Senate Bill 384. It became effective on October 1, 2024, making Montana one of a growing number of states with comprehensive consumer data privacy legislation.

The law was substantially amended by Senate Bill 297 during the 2025 legislative session. Those amendments took effect on October 1, 2025, and lowered applicability thresholds, removed the cure period for violations, and added strong protections for minors.
The Montana Department of Justice oversees enforcement through the Office of Consumer Protection.
Who Must Comply With the MCDPA?
Under Mont. Code Ann. 30-14-2803, the MCDPA applies to any person or entity that conducts business in Montana or produces products or services targeted to Montana residents and meets one of two thresholds.
Applicability Thresholds (Updated by SB 297)
The original SB 384 set the threshold at 50,000 consumers, the same number used by most other state privacy laws. SB 297 lowered it significantly, effective October 1, 2025.
| Threshold | Original (SB 384) | Amended (SB 297) |
|---|---|---|
| General threshold | 50,000 consumers | 25,000 consumers |
| Revenue-based threshold | 25,000 consumers + 25% revenue from data sales | 15,000 consumers + 25% revenue from data sales |
The 25,000-consumer general threshold is the lowest of any comprehensive state privacy law in the nation, which means more businesses are covered under Montana's law than under comparable laws in other states.
The consumer count excludes data processed solely for completing payment transactions.
Broader Coverage for Minors' Protections
Sections of the MCDPA dealing with protections for minors apply to any entity that conducts business in Montana or targets Montana residents with commercial products or services, regardless of how many consumers' data it processes. There is no numerical threshold for the children's provisions.
Key Exemptions
The MCDPA exempts certain entities and data types from its requirements:
- Banks, credit unions, insurers, and insurance producers are exempt at the entity level
- Nonprofit organizations are exempt only if they are established to detect and prevent fraudulent acts in connection with insurance
- GLBA-covered data is exempt, though financial institutions that process data outside the Gramm-Leach-Bliley Act's scope must comply with the MCDPA for that processing
- HIPAA-covered health information is exempt
- Employment data processed in the context of employment relationships is exempt
- Government agencies are not covered
SB 297 narrowed several of these exemptions. Financial institutions previously had a blanket entity-level exemption under the GLBA. Now only specific types of financial entities (chartered banks, credit unions, insurers) retain that exemption, and only for GLBA-covered activities.
Consumer Rights Under the MCDPA
The MCDPA grants Montana residents five core privacy rights under Mont. Code Ann. 30-14-2804. These rights apply to anyone who qualifies as a "consumer" under the law, defined as an individual who is a Montana resident acting in a personal (not commercial or employment) capacity.
Right to Know and Access
Consumers can confirm whether a business is processing their personal data and request access to that data. Under SB 297, controllers cannot disclose certain sensitive identifiers (social security numbers, government IDs, financial account numbers, passwords, biometric data) in response to access requests. Instead, they must confirm collection with "sufficient particularity."
Right to Correct
Consumers can request that a business correct inaccurate personal data, taking into account the nature of the data and the purposes for processing it.
Right to Delete
Consumers can request that a business delete personal data that the consumer provided or that the business obtained about the consumer.
Right to Data Portability
Consumers can obtain a copy of their personal data in a portable, readily usable format that allows transfer to another entity without hindrance.
Right to Opt Out
Consumers can opt out of three types of data processing:
- Targeted advertising based on personal data obtained from the consumer's activities across nonaffiliated websites
- Sale of personal data to third parties for monetary or other valuable consideration
- Profiling that produces legal effects or similarly significant effects on the consumer
SB 297 expanded the profiling opt-out right by removing the word "solely," which means the right now covers decisions that involve profiling as a component, not just decisions made entirely by automated systems.
How to Exercise These Rights
Businesses must provide at least one clear method for consumers to submit requests. Controllers must respond to verified requests within 45 days and may extend the response period by an additional 45 days if reasonably necessary, provided they notify the consumer of the extension.
Consumers may designate an authorized agent to submit requests on their behalf.
Universal Opt-Out Mechanism
Since January 1, 2025, the MCDPA has required controllers to recognize universal opt-out preference signals. These signals allow consumers to communicate their opt-out preferences automatically through browser settings or privacy tools like the Global Privacy Control (GPC).
The opt-out mechanism must be consumer-friendly and easy to use. Controllers must be able to accurately determine whether the consumer is a Montana resident and whether the request is legitimate.
This requirement places Montana alongside California, Colorado, Connecticut, and other states that have mandated recognition of universal opt-out signals.
Sensitive Data Protections
The MCDPA defines "sensitive data" under Mont. Code Ann. 30-14-2802 and requires heightened protections for it. Controllers may not process sensitive data without first obtaining the consumer's affirmative consent.
Categories of Sensitive Data
Sensitive data includes:
- Racial or ethnic origin
- Religious beliefs
- Health diagnosis or condition
- Sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data used for identification purposes
- Data from a known child (under 13)
- Precise geolocation data
The consent requirement for sensitive data is one of the MCDPA's strongest provisions. "Consent" is defined strictly as a "clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement." General terms of service, pre-checked boxes, and dark patterns do not qualify.
Children's Data Protections
The MCDPA includes layered protections for minors, significantly strengthened by SB 297.
Children Under 13
Personal data from a known child under 13 is automatically classified as sensitive data. Processing it requires prior consent from a parent or guardian.
Teenagers Aged 13 to 15
If a controller has actual knowledge that a consumer is between 13 and 16 years of age (or willfully disregards that fact), the controller must obtain the consumer's consent before selling their personal data or using it for targeted advertising.
All Minors Under 18
SB 297 introduced a "duty of care" standard requiring controllers to exercise reasonable care to avoid a "heightened risk of harm" to any minor under 18 when offering online services, products, or features.
Controllers must conduct data protection assessments for online services that present a heightened risk of harm to minors. If the assessment identifies such a risk, the controller must establish and implement a plan to mitigate or eliminate it.
The law does not require age verification or age-gating. Controllers may use commercially reasonable age estimation methods and will not be held liable for erroneous age estimates made in good faith.
Business Obligations
The MCDPA imposes several requirements on businesses that qualify as "controllers" (entities that determine the purpose and means of processing personal data).
Data Minimization
Controllers must limit the collection of personal data to what is "adequate, relevant, and reasonably necessary" for a disclosed purpose. They may not process personal data for purposes that are not reasonably necessary to or compatible with the disclosed purpose without obtaining additional consent.
Privacy Notice Requirements
Controllers must provide a clear, accessible privacy notice that includes:
- The categories of personal data processed
- The purposes of processing
- How consumers can exercise their rights
- The categories of personal data shared with third parties
- The categories of third parties that receive data
- A clear and conspicuous disclosure if the controller sells data or uses it for targeted advertising
- The date the notice was last updated
SB 297 added requirements that privacy notices must be available in all languages in which the controller offers services and must be accessible to individuals with disabilities. Material changes to privacy practices require consumer notification with an opportunity to withdraw consent.
Data Security
Controllers must implement reasonable administrative, technical, and physical security measures to protect personal data from unauthorized access, use, or disclosure.
Data Protection Assessments
Under Mont. Code Ann. 30-14-2814, controllers must conduct and document data protection assessments for processing activities that present a heightened risk of harm. These include:
- Processing personal data for targeted advertising
- Selling personal data
- Processing sensitive data
- Profiling that presents a foreseeable risk of harm
- Processing data in connection with online services that pose a heightened risk of harm to minors
The Attorney General may require submission of these assessments during an investigation.
Processor Obligations
Processors (entities that process data on behalf of controllers) must follow the controller's instructions and provide appropriate technical and organizational measures to assist with compliance. Processor contracts must include specific provisions regarding data processing, confidentiality, and audit rights.
Enforcement and Penalties
The Montana Attorney General has exclusive enforcement authority over the MCDPA. There is no private right of action, meaning individual consumers cannot sue businesses directly for violations.
Penalties
| Violation Type | Maximum Penalty |
|---|---|
| Each MCDPA violation | $7,500 per violation |
| Attorney fees and investigation costs | Recoverable by the AG |
| Injunctive relief | Available |
Cure Period Eliminated
The original MCDPA included a 60-day cure period that gave businesses an opportunity to fix violations before the Attorney General could take enforcement action. SB 297 eliminated this cure period as of October 1, 2025, six months ahead of its original January 1, 2026, sunset date.
This means the Attorney General can now initiate enforcement actions immediately upon discovering a violation, without providing an opportunity to cure.
Investigatory Powers
SB 297 expanded the Attorney General's enforcement toolkit by authorizing the use of civil investigative demands under Montana's existing Consumer Protection Act. A 5-year statute of limitations applies to enforcement actions.
Filing a Complaint
Montana consumers who believe their data privacy rights have been violated can file a complaint with the Office of Consumer Protection through its online portal.
Montana Data Breach Notification Law
Separate from the MCDPA, Montana has a data breach notification statute at Mont. Code Ann. 30-14-1704 that requires businesses to notify residents when their personal information is compromised.
What Triggers a Notification?
A notification is required when there is an unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information and causes or is reasonably believed to cause loss or injury to a Montana resident.
Good-faith access by an employee or agent of the business does not trigger notification requirements, provided the information is not used improperly or further disclosed.
What Qualifies as Personal Information?
The breach law covers an individual's first name or initial plus last name combined with one or more of the following unencrypted data elements:
- Social Security number
- Driver's license, state ID, or tribal ID number
- Account, credit, or debit card number with any required security code or password
- Medical record information
- Taxpayer identification number
- IRS identity protection personal identification number
Publicly available information from government records is excluded.
Notification Timeline and Methods
Businesses must notify affected Montana residents "without unreasonable delay," consistent with the legitimate needs of law enforcement. Law enforcement may request a delay if notification would impede a criminal investigation.
Acceptable notification methods include:
- Written notice
- Electronic notice (compliant with the federal E-SIGN Act, 15 U.S.C. 7001)
- Telephonic notice
- Substitute notice (if costs exceed $250,000, more than 500,000 people are affected, or insufficient contact information is available)
Substitute notice requires a combination of email, conspicuous website posting, and statewide media notification.
Attorney General Notification
Any business that sends breach notifications to consumers must simultaneously submit an electronic copy of the notice to the Montana Attorney General's Office of Consumer Protection at datab[email protected]. The copy sent to the AG must exclude information that personally identifies individual consumers.
How the MCDPA Compares to Other State Privacy Laws
Montana's MCDPA shares a common framework with privacy laws in states like Virginia, Colorado, and Connecticut, but several provisions set it apart.
| Feature | Montana (MCDPA) | Virginia (VCDPA) | Colorado (CPA) |
|---|---|---|---|
| Consumer threshold | 25,000 | 100,000 | 100,000 |
| Revenue-based threshold | 15,000 + 25% revenue | 25,000 + 50% revenue | 25,000 + revenue |
| Universal opt-out required | Yes (Jan. 2025) | No | Yes (Jul. 2024) |
| Cure period | Eliminated (Oct. 2025) | 30 days (sunsets 2026) | Eliminated (Jan. 2025) |
| Minor protections (under 18) | Yes (duty of care) | Limited | No specific provision |
| Max penalty per violation | $7,500 | $7,500 | $20,000 |
Montana's 25,000-consumer threshold is the lowest general threshold of any state with a comprehensive privacy law. This means more small and mid-sized businesses fall under Montana's requirements compared to other states.
This article is for informational purposes only and does not constitute legal advice. If you need legal guidance regarding data privacy compliance or your rights under Montana law, consult with a qualified attorney licensed to practice in Montana.
Sources and References
- Montana Consumer Data Privacy Act (Mont. Code Ann. 30-14-2803, Applicability) (archive.legmt.gov)
- Montana Consumer Data Privacy Act (Mont. Code Ann. 30-14-2802, Definitions) (archive.legmt.gov)
- Montana Consumer Data Privacy Act (Mont. Code Ann. 30-14-2814, Data Protection Assessment) (archive.legmt.gov)
- Montana Department of Justice, Office of Consumer Protection: Montana Consumer Data Privacy (dojmt.gov)
- Montana Department of Justice: Reporting Requirements for Data Breaches (dojmt.gov)
- Montana Data Breach Notification Statute (Mont. Code Ann. 30-14-1704) (archive.legmt.gov)
- Senate Bill 384 (Montana Consumer Data Privacy Act, Original Text) (archive.legmt.gov)
- Senate Bill 297 (2025 MCDPA Amendments) (laws.leg.mt.gov)