Montana Data Privacy Laws: MCDPA Consumer Rights Guide (2026)

Montana's Consumer Data Privacy Act (MCDPA), codified at Mont. Code Ann. 30-14-2801, gives residents the right to access, correct, delete, and obtain portable copies of their personal data and to opt out of data sales and targeted advertising. The law covers businesses processing data of 25,000 or more Montana consumers.
Montana has built one of the most layered state privacy frameworks in the country. The Montana Consumer Data Privacy Act (MCDPA), codified at Mont. Code Ann. 30-14-2801 et seq., gives Montana residents substantial control over how businesses collect, use, and sell their personal information. That statute sits on top of something most states lack: an explicit constitutional privacy guarantee.
Article II, Section 10 of the Montana Constitution declares that individual privacy is essential to a free society and may not be infringed without a compelling state interest. That constitutional floor means Montana courts apply stricter scrutiny to government intrusions on personal data than courts in states that rely only on federal Fourth Amendment doctrine.
This guide covers the full MCDPA framework as amended by SB 297 in 2025, Montana's constitutional privacy protection, the Genetic Information Privacy Act, the data breach notification statute, the Montana wiretap law, and what these laws collectively mean for consumers and businesses.
Montana's Constitutional Right to Privacy
Montana is one of only ten states with an explicit privacy right written into its constitution. Article II, Section 10 provides:
"The right of individual privacy is essential to the well-being of a free society and shall not be infringed without the showing of a compelling state interest."
That language was adopted in Montana's 1972 constitutional convention, predating most modern data privacy legislation by decades. The provision applies to government action, not private conduct, so it does not independently create claims against businesses. But it shapes how Montana courts interpret privacy statutes and how the legislature has approached the MCDPA.
The constitutional privacy right has been cited in Montana Supreme Court decisions addressing law enforcement access to information, government record-keeping, and the scope of public health reporting requirements. For practical purposes, businesses operating in Montana face a legal environment where privacy is treated as a constitutional value, not merely a regulatory preference.
The MCDPA itself was drafted in that context. Montana's low applicability thresholds, its early recognition of universal opt-out signals, and the relatively broad definition of sensitive data all reflect a legislature that takes the constitutional privacy guarantee seriously.
What Is the Montana Consumer Data Privacy Act (MCDPA)?
The MCDPA was signed into law on May 19, 2023, as Senate Bill 384. It became effective on October 1, 2024, making Montana one of a growing number of states with comprehensive consumer data privacy legislation.

The law was substantially amended by Senate Bill 297, which Governor Gianforte signed on May 8, 2025. Those amendments took effect on October 1, 2025, and lowered applicability thresholds, removed the cure period language from the statute, and added strong protections for minors.
The Montana Department of Justice oversees enforcement through the Office of Consumer Protection.
Who Must Comply With the MCDPA?
Under Mont. Code Ann. 30-14-2803, the MCDPA applies to any person or entity that conducts business in Montana or produces products or services targeted to Montana residents and meets one of two thresholds.
Applicability Thresholds (Updated by SB 297)
The original SB 384 set the threshold at 50,000 consumers. SB 297 lowered it significantly, effective October 1, 2025.
| Threshold | Original (SB 384) | Amended (SB 297) |
|---|---|---|
| General threshold | 50,000 consumers | 25,000 consumers |
| Revenue-based threshold | 25,000 consumers + 25% revenue from data sales | 15,000 consumers + 25% revenue from data sales |
The 25,000-consumer general threshold is among the lowest of any comprehensive state privacy law. More small and mid-sized businesses fall under Montana's requirements than under comparable laws in other states. The consumer count excludes data processed solely for completing payment transactions.
Broader Coverage for Minors' Protections
Sections of the MCDPA dealing with protections for minors apply to any entity that conducts business in Montana or targets Montana residents with commercial products or services, regardless of how many consumers' data it processes. There is no numerical threshold for the children's provisions.
Key Exemptions
The MCDPA exempts certain entities and data types from its requirements:
- Banks, credit unions, insurers, and insurance producers are exempt at the entity level
- Nonprofit organizations are exempt only if they are established to detect and prevent fraudulent acts in connection with insurance
- GLBA-covered data is exempt, though financial institutions that process data outside the Gramm-Leach-Bliley Act's scope must comply with the MCDPA for that processing
- HIPAA-covered health information is exempt
- Employment data processed in the context of employment relationships is exempt
- Government agencies are not covered
SB 297 narrowed several of these exemptions. Financial institutions previously had a broader entity-level exemption under the GLBA. The revised law limits that exemption to specific entity types (chartered banks, credit unions, insurers) and only for GLBA-covered activities.
Consumer Rights Under the MCDPA
The MCDPA grants Montana residents five core privacy rights under Mont. Code Ann. 30-14-2804. These rights apply to anyone who qualifies as a "consumer" under the law: an individual who is a Montana resident acting in a personal (not commercial or employment) capacity.

Right to Know and Access
Consumers can confirm whether a business is processing their personal data and request access to that data. Under SB 297, controllers cannot disclose certain sensitive identifiers (social security numbers, government IDs, financial account numbers, passwords, biometric data) in response to access requests. Instead, they must confirm collection with "sufficient particularity."
Right to Correct
Consumers can request that a business correct inaccurate personal data, taking into account the nature of the data and the purposes for processing it.
Right to Delete
Consumers can request that a business delete personal data that the consumer provided or that the business obtained about the consumer.
Right to Data Portability
Consumers can obtain a copy of their personal data in a portable, readily usable format that allows transfer to another entity without hindrance.
Right to Opt Out
Consumers can opt out of three types of data processing:
- Targeted advertising based on personal data obtained from the consumer's activities across nonaffiliated websites
- Sale of personal data to third parties for monetary or other valuable consideration
- Profiling that produces legal effects or similarly significant effects on the consumer
SB 297 expanded the profiling opt-out right by removing the word "solely," meaning the right now covers decisions that involve profiling as a component, not just decisions made entirely by automated systems.
How to Exercise These Rights
Businesses must provide at least one clear method for consumers to submit requests. Controllers must respond to verified requests within 45 days and may extend the response period by an additional 45 days if reasonably necessary, with notice to the consumer. Consumers may designate an authorized agent to submit requests on their behalf.
Universal Opt-Out Mechanism
Since January 1, 2025, the MCDPA has required controllers to recognize universal opt-out preference signals. These signals allow consumers to communicate their opt-out preferences automatically through browser settings or privacy tools like the Global Privacy Control (GPC).
The opt-out mechanism must be consumer-friendly and easy to use. Controllers must be able to accurately determine whether the consumer is a Montana resident and whether the request is legitimate. This requirement places Montana alongside California, Colorado, Connecticut, and other states that have mandated recognition of universal opt-out signals.
Sensitive Data Protections
The MCDPA defines "sensitive data" under Mont. Code Ann. 30-14-2802 and requires heightened protections for it. Controllers may not process sensitive data without first obtaining the consumer's affirmative consent.
Categories of Sensitive Data
Sensitive data includes:
- Racial or ethnic origin
- Religious beliefs
- Health diagnosis or condition
- Sexual orientation
- Citizenship or immigration status
- Genetic data
- Biometric data used for identification purposes
- Data from a known child (under 13)
- Precise geolocation data
The consent requirement for sensitive data is one of the MCDPA's strongest provisions. "Consent" is defined strictly as a "clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement." General terms of service, pre-checked boxes, and dark patterns do not qualify.
Children's Data Protections
The MCDPA includes layered protections for minors, significantly strengthened by SB 297.

Children Under 13
Personal data from a known child under 13 is automatically classified as sensitive data. Processing it requires prior consent from a parent or guardian.
Teenagers Aged 13 to 16
If a controller has actual knowledge that a consumer is between 13 and 16 years of age (or willfully disregards that fact), the controller must obtain the consumer's consent before selling their personal data or using it for targeted advertising.
All Minors Under 18
SB 297 introduced a "duty of care" standard requiring controllers to exercise reasonable care to avoid a "heightened risk of harm" to any minor under 18 when offering online services, products, or features. Controllers must conduct data protection assessments for online services that present a heightened risk of harm to minors. If the assessment identifies such a risk, the controller must establish and implement a plan to mitigate or eliminate it.
The law does not require age verification or age-gating. Controllers may use commercially reasonable age estimation methods and will not be held liable for erroneous age estimates made in good faith.
Business Obligations
The MCDPA imposes several requirements on businesses that qualify as "controllers" (entities that determine the purpose and means of processing personal data).
Data Minimization
Controllers must limit the collection of personal data to what is "adequate, relevant, and reasonably necessary" for a disclosed purpose. They may not process personal data for purposes incompatible with the disclosed purpose without obtaining additional consent.
Privacy Notice Requirements
Controllers must provide a clear, accessible privacy notice that includes:
- The categories of personal data processed
- The purposes of processing
- How consumers can exercise their rights
- The categories of personal data shared with third parties
- The categories of third parties that receive data
- A clear and conspicuous disclosure if the controller sells data or uses it for targeted advertising
- The date the notice was last updated
SB 297 added requirements that privacy notices must be available in all languages in which the controller offers services and must be accessible to individuals with disabilities. Material changes to privacy practices require consumer notification with an opportunity to withdraw consent.
Data Security
Controllers must implement reasonable administrative, technical, and physical security measures to protect personal data from unauthorized access, use, or disclosure.
Data Protection Assessments
Under Mont. Code Ann. 30-14-2814, controllers must conduct and document data protection assessments for processing activities that present a heightened risk of harm. These include:
- Processing personal data for targeted advertising
- Selling personal data
- Processing sensitive data
- Profiling that presents a foreseeable risk of harm
- Processing data in connection with online services that pose a heightened risk of harm to minors
The Attorney General may require submission of these assessments during an investigation.
Processor Obligations
Processors (entities that process data on behalf of controllers) must follow the controller's instructions and provide appropriate technical and organizational measures to assist with compliance. Processor contracts must include specific provisions regarding data processing, confidentiality, and audit rights.
Enforcement and Penalties
The Montana Attorney General has exclusive enforcement authority over the MCDPA. There is no private right of action, meaning individual consumers cannot sue businesses directly for violations.

Penalties
| Violation Type | Maximum Penalty |
|---|---|
| Each MCDPA violation | $7,500 per violation |
| Attorney fees and investigation costs | Recoverable by the AG |
| Injunctive relief | Available |
Montana's statute allows the Attorney General to treat each affected consumer as a separate violation, which means aggregate penalties can be substantial for large-scale data practices that violate the law.
Cure Period Expired April 1, 2026
The original MCDPA (SB 384) included a 60-day cure period that ran for 18 months from the law's October 1, 2024, effective date. That statutory window expired on April 1, 2026. SB 297, which took effect October 1, 2025, removed the cure period language from the statute before the original sunset. The practical result is the same: the Montana Attorney General can now initiate enforcement actions immediately upon discovering a violation, without providing an opportunity to cure.
Investigatory Powers
SB 297 expanded the Attorney General's enforcement toolkit by authorizing the use of civil investigative demands under Montana's existing Consumer Protection Act. A 5-year statute of limitations applies to enforcement actions. The AG's Office of Consumer Protection accepts consumer complaints through its online portal.
AG Enforcement Context
The Montana Attorney General's office has been active on technology and privacy issues. AG Austin Knudsen pursued the nation's first state-level TikTok ban under SB 419 (2023), arguing that TikTok's data collection practices posed consumer protection risks under Montana's authority. That ban was enjoined by a federal court and ultimately did not take effect, but the litigation demonstrated the AG's willingness to use consumer protection authority aggressively in the technology sector. With the cure period now expired, the MCDPA provides a cleaner enforcement vehicle for data privacy violations.
Montana Genetic Information Privacy Laws
Montana has two layers of genetic privacy protection that operate alongside the MCDPA.

Genetic Information Privacy Act (Title 30, Chapter 23)
The Genetic Information Privacy Act, enacted as SB 351 in 2023 and effective October 1, 2023, governs entities that collect, use, or disclose consumer genetic data, including direct-to-consumer DNA testing companies. It is codified at Mont. Code Ann. Title 30, Chapter 23.
Key requirements under the Act:
- Consent: Entities must obtain initial express consent from consumers before collecting genetic data. Separate consent is required for transferring data to third parties, using data beyond the original testing purpose, retaining biological samples, research, marketing, or selling consumer data.
- Consumer rights: Individuals have the right to access their genetic data, delete it, revoke consent, and request destruction of biological samples.
- Insurance disclosure prohibition: An entity may not disclose a consumer's genetic data to any entity offering health insurance, life insurance, or long-term care insurance without the consumer's express consent.
- Employment prohibition: Genetic data may not be disclosed to any employer without the consumer's express consent.
- Data storage restrictions: Genetic or biometric data of Montana residents collected in-state may only be transferred or stored outside the United States with the resident's consent.
- Security: Covered entities must maintain comprehensive security programs.
The Act includes a clinical research exception for participants in properly conducted trials with informed consent.
Insurer Restrictions (Mont. Code Ann. 33-18 Part 9)
Montana's insurance code separately restricts how insurers use genetic information. Under Mont. Code Ann. 33-18-901 et seq., insurers, health service corporations, and health maintenance organizations may not:
- Require an individual to obtain a genetic test as a condition of insurance coverage (with limited exceptions such as establishing parentage or metabolic screening for newborns)
- Seek genetic information for purposes unrelated to assessing or managing an individual's current health, or in asymptomatic individuals for purposes unrelated to identifiable research
These restrictions do not apply to life insurance, disability income insurance, or long-term care insurance transactions, where federal GINA protections are more limited.
Montana Data Breach Notification Law
Separate from the MCDPA, Montana has a data breach notification statute at Mont. Code Ann. 30-14-1704 that requires businesses to notify residents when their personal information is compromised.
What Triggers a Notification?
A notification is required when there is an unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information and causes or is reasonably believed to cause loss or injury to a Montana resident.
Good-faith access by an employee or agent of the business does not trigger notification requirements, provided the information is not used improperly or further disclosed.
What Qualifies as Personal Information?
The breach law covers an individual's first name or initial plus last name combined with one or more of the following unencrypted data elements:
- Social Security number
- Driver's license, state ID, or tribal ID number
- Account, credit, or debit card number with any required security code or password
- Medical record information
- Taxpayer identification number
- IRS identity protection personal identification number
Publicly available information from government records is excluded.
Notification Timeline and Methods
Businesses must notify affected Montana residents "without unreasonable delay," consistent with the legitimate needs of law enforcement. Law enforcement may request a delay if notification would impede a criminal investigation.
Acceptable notification methods include:
- Written notice
- Electronic notice (compliant with the federal E-SIGN Act, 15 U.S.C. 7001)
- Telephonic notice
- Substitute notice (if costs exceed $250,000, more than 500,000 people are affected, or insufficient contact information is available)
Substitute notice requires a combination of email, conspicuous website posting, and statewide media notification.
Attorney General Notification
Any business that sends breach notifications to consumers must simultaneously submit an electronic copy of the notice to the Montana Attorney General's Office of Consumer Protection. The copy sent to the AG must exclude information that personally identifies individual consumers.
Montana Wiretap and Electronic Communications Law
Montana's wiretap statute, Mont. Code Ann. 45-8-213, prohibits recording a conversation with a hidden electronic or mechanical device without the knowledge of all parties. Montana is not a simple "all-party consent" state. The statute is triggered by two elements: a hidden device and the absence of all-party knowledge. Remove either element and the prohibition does not apply.
The statute includes an announcement exception: once any party audibly warns that a conversation is being recorded, either party may record. No response or acknowledgment from the other party is required.
Violations are a misdemeanor, with penalties starting at up to six months in jail and a $500 fine, increasing with each conviction.
The wiretap statute and the MCDPA operate independently. Businesses that lawfully collect data under the MCDPA may still face wiretap liability if they intercept electronic communications without proper notice. For a full analysis of Montana recording law, see Montana Recording Laws.
Federal Privacy Overlay
Federal privacy laws apply to Montana businesses and residents alongside state law. Key federal statutes include:
TAKE IT DOWN Act (Pub. L. 119-12, signed May 19, 2025): This federal law criminalizes knowingly publishing non-consensual intimate imagery (NCII), including AI-generated deepfakes. Criminal penalties took effect immediately upon signing. Online platforms have until May 19, 2026, to implement takedown processes for reported NCII, with FTC enforcement of the platform obligations.
HIPAA: The Health Insurance Portability and Accountability Act governs protected health information held by covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates. HIPAA-regulated health data is exempt from the MCDPA's scope, but HIPAA's own privacy and security rules apply independently.
GLBA: The Gramm-Leach-Bliley Act governs how financial institutions handle consumer financial information. GLBA-covered data is exempt from the MCDPA. Montana's amended exemption covers specific financial entity types (chartered banks, credit unions, insurers) for GLBA-covered activities.
FCRA: The Fair Credit Reporting Act regulates consumer reporting agencies and the use of consumer reports for credit, employment, insurance, and similar decisions. Data subject to the FCRA is exempt from the MCDPA.
COPPA: The Children's Online Privacy Protection Act requires verifiable parental consent before collecting personal information from children under 13. COPPA operates alongside (not instead of) the MCDPA's children's data provisions.
FTC Act Section 5: The Federal Trade Commission can bring unfair or deceptive trade practice claims against businesses that make material misrepresentations about their data practices or fail to implement reasonable security. The FTC's authority applies in Montana regardless of whether the MCDPA applies to a given business.
APRA (American Privacy Rights Act): A federal comprehensive privacy bill was introduced in 2024 and reintroduced as APRA 2.0 in 2025 but had not been enacted as of May 2026. Montana's MCDPA continues to govern absent federal preemption.
How the MCDPA Compares to Other State Privacy Laws
Montana's MCDPA shares a common framework with privacy laws in states like Virginia, Colorado, and Connecticut, but several provisions set it apart.
| Feature | Montana (MCDPA) | Virginia (VCDPA) | Colorado (CPA) |
|---|---|---|---|
| Consumer threshold | 25,000 | 100,000 | 100,000 |
| Revenue-based threshold | 15,000 + 25% revenue | 25,000 + 50% revenue | 25,000 + revenue |
| Universal opt-out required | Yes (Jan. 2025) | No | Yes (Jul. 2024) |
| Cure period | Expired (Apr. 2026) | 30 days | Eliminated (Jan. 2025) |
| Minor protections (under 18) | Yes (duty of care) | Limited | No specific provision |
| Max penalty per violation | $7,500 | $7,500 | $20,000 |
| Constitutional privacy right | Yes (Art. II, Sec. 10) | No | No |
Montana's 25,000-consumer threshold and its constitutional privacy backdrop make it one of the more protective state regimes. The comparison table above covers only the main consumer privacy law; Montana's Genetic Information Privacy Act and wiretap statute add layers that most comparable states lack.
Sources and References
- Montana Consumer Data Privacy Act (Mont. Code Ann. 30-14-2803, Applicability) (mca.legmt.gov)
- Montana Consumer Data Privacy Act (Mont. Code Ann. 30-14-2802, Definitions) (mca.legmt.gov)
- Montana Consumer Data Privacy Act (Mont. Code Ann. 30-14-2814, Data Protection Assessments) (mca.legmt.gov)
- Montana Department of Justice, Office of Consumer Protection: Montana Consumer Data Privacy (dojmt.gov)
- Montana Department of Justice: Reporting Requirements for Data Breaches (dojmt.gov)
- Montana Data Breach Notification Statute (Mont. Code Ann. 30-14-1704) (mca.legmt.gov)
- Senate Bill 384 (Montana Consumer Data Privacy Act, Original Text) (archive.legmt.gov)
- Senate Bill 297 (2025 MCDPA Amendments) (laws.leg.mt.gov)
- Montana Constitution Article II, Section 10: Right of Privacy (mca.legmt.gov)
- Montana Genetic Information Privacy Act (Mont. Code Ann. Title 30, Chapter 23) (archive.legmt.gov)
- Montana Consumer Genetic Data Privacy (Mont. Code Ann. 30-23-104) (mca.legmt.gov)
- Montana Genetic Information Privacy in Insurance (Mont. Code Ann. 33-18-901 et seq.) (archive.legmt.gov)
- Montana Privacy in Communications (Mont. Code Ann. 45-8-213, Wiretap Statute) (mca.legmt.gov)
- TAKE IT DOWN Act (Pub. L. 119-12, signed May 19, 2025): Orrick Legal Analysis (orrick.com)
- Perkins Coie: Montana Consumer Data Privacy Law Update, SB 297 Sweeping Changes at a Glance (perkinscoie.com)
- Future of Privacy Forum: Amendments to the Montana Consumer Data Privacy Act (fpf.org)