Montana Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Montana does not have a standalone biometric privacy statute like Illinois's BIPA or Texas's CUBI. Instead, biometric data protections in Big Sky Country come from the Montana Consumer Data Privacy Act (MCDPA), a comprehensive consumer privacy law that classifies biometric identifiers as sensitive data requiring affirmative consent before processing.
Governor Greg Gianforte signed SB 384 into law in May 2023, making Montana the ninth state to enact a comprehensive consumer data privacy law. The MCDPA originally took effect on October 1, 2024. In 2025, the Montana Legislature passed SB 297, which expanded enforcement authority, lowered applicability thresholds, and strengthened protections for minors and sensitive data. Those amendments took effect October 1, 2025.
For an overview of Montana's broader privacy framework, see the parent guide to Montana Data Privacy Laws.
How the MCDPA Defines Biometric Data
The MCDPA defines biometric data under Mont. Code Ann. 30-14-2802 as data generated by automatic measurements of an individual's biological characteristics that are used to identify a specific individual. The statute provides these examples:
- Fingerprints
- Voiceprints
- Eye retinas
- Irises
- Other unique biological patterns or characteristics
The law draws a clear line around what does not qualify. A physical or digital photograph, a video or audio recording, or data generated from those recordings is not biometric data unless it is specifically generated to identify a particular individual.

This definition follows the approach used in Virginia, Connecticut, and several other state comprehensive privacy statutes. It is narrower than the definition used in Illinois's BIPA, which covers a broader set of biometric identifiers without the same exclusions.
Sensitive Data Classification and Consent
Under the MCDPA, biometric data processed for the purpose of uniquely identifying an individual qualifies as "sensitive data." This is the highest protection category in the law.
Other categories of sensitive data under Mont. Code Ann. 30-14-2802 include:
- Data revealing racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnoses
- Sexual orientation
- Citizenship or immigration status
- Genetic data processed for identification
- Precise geolocation data
- Personal data collected from a known child under 13
Consent requirement. Controllers must obtain a consumer's opt-in consent before processing sensitive data, including biometric data. A business cannot collect your fingerprint, faceprint, or iris scan for identification purposes without first asking for and receiving your affirmative agreement.
The MCDPA defines consent as a "clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement." A buried clause in a terms-of-service agreement does not meet this standard. Pre-checked boxes, hovering over content, or closing a pop-up window also do not count. The law specifically prohibits the use of dark patterns to obtain consent.
Restricted Disclosure of Biometric Data
SB 297 added a notable provision that limits how businesses can respond to consumer access requests when biometric data is involved.
Under the amended MCDPA, controllers cannot disclose certain sensitive identifiers in response to data access requests, including:
- Biometric data
- Social security numbers
- Government-issued identification numbers
- Financial account numbers
- Health insurance or medical identification numbers
- Account passwords and security questions
Instead of handing over this raw data, businesses must inform consumers "with sufficient particularity" that such data has been collected. This prevents the access request process itself from becoming a security vulnerability.
Who Must Comply
The MCDPA applies to entities that conduct business in Montana or produce products or services targeted to Montana residents and meet one of these thresholds (as amended by SB 297):
- Process personal data of 25,000 or more Montana consumers during a calendar year (reduced from 50,000 under the original law), or
- Process personal data of 15,000 or more Montana consumers and derive over 25% of gross revenue from the sale of personal data (reduced from 25,000)
These lower thresholds mean more businesses fall under the MCDPA's requirements than when the law first took effect in 2024.
Key Exemptions
The MCDPA carves out several categories of entities and data types from coverage:
Entity exemptions:
- State and local government agencies
- Nonprofit organizations (narrowed under SB 297 to fraud detection in insurance only)
- Higher education institutions
- Tribes and tribal organizations
Data exemptions:
- Data regulated under HIPAA
- Data governed by the Gramm-Leach-Bliley Act (GLBA, data-level exemption only after SB 297)
- Data covered by the Fair Credit Reporting Act (FCRA)
- Data under the Family Educational Rights and Privacy Act (FERPA)
- Data regulated under the Driver's Privacy Protection Act (DPPA)
Employee data exemption. The MCDPA excludes persons acting in a commercial or employment context from the definition of "consumer." Data processed about an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party is exempt when used in the context of that role.
This means that if your employer collects fingerprints for a timekeeping system or uses facial recognition for building access, the MCDPA does not apply to that collection. Montana does not have a separate law regulating employer use of biometric data.
Consumer Rights Over Biometric Data
Because biometric data qualifies as sensitive personal data under the MCDPA, Montana consumers have the following rights under Mont. Code Ann. 30-14-2808:

Right to confirm and access. You can ask any covered business whether it is processing your biometric data and request information about that processing.
Right to correct. If a business holds inaccurate biometric data about you, you can request a correction.
Right to delete. You can request that a business delete the biometric data it holds about you.
Right to data portability. You can obtain a copy of your personal data in a portable and readily usable format, though biometric data itself falls under the restricted disclosure provision.
Right to opt out. You can opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling that produces legal or similarly significant effects.
Right to non-discrimination. Businesses cannot penalize you for exercising any of these rights.
Businesses must respond to consumer rights requests within 45 days. They can extend this period by an additional 45 days when reasonably necessary, provided they notify the consumer of the extension and the reason for it. If a business denies a request, it must explain why and tell the consumer how to appeal.
Data Protection Assessments
Controllers that process sensitive data, including biometric data, must conduct data protection assessments under the MCDPA. SB 297 expanded these requirements, particularly for processing that affects minors.
A data protection assessment must weigh the benefits of the processing against the potential risks to the consumer, including risks of:
- Unfair or deceptive treatment or unlawful disparate impact
- Financial, physical, or reputational injury
- Intrusion upon solitude or seclusion
- Other substantial injury
The Montana Attorney General can request these assessments during an investigation. Under SB 297, assessments must be retained for three years after processing ceases or the service is discontinued, whichever is longer.
Breach Notification and Biometric Data
Montana's breach notification law at Mont. Code Ann. 30-14-1704 requires businesses to notify affected individuals when a security breach compromises unencrypted personal information.
However, Montana's definition of personal information for breach notification purposes is limited to an individual's name combined with:
- Social security numbers
- Driver's license, state ID, or tribal ID numbers
- Financial account numbers with required security codes
- Medical record information
- Taxpayer identification numbers
- IRS identity protection PINs
Biometric data is not explicitly listed as a category that triggers breach notification under this statute. This creates a gap between the MCDPA's treatment of biometric data as sensitive and the breach notification law's narrower scope. A business could experience a breach involving biometric data without being required to notify affected individuals under Mont. Code Ann. 30-14-1704.
When notification is required, businesses must report breaches "without unreasonable delay" and simultaneously submit an electronic copy to the Montana Office of Consumer Protection at datarequests@mt.gov. Even a single affected Montana resident triggers the reporting requirement.
Enforcement and Penalties

The Montana Attorney General has exclusive enforcement authority over the MCDPA. There is no private right of action, which means individual consumers cannot file lawsuits against businesses for MCDPA violations.
SB 297 significantly strengthened the Attorney General's enforcement tools:
No more cure period. The original MCDPA gave businesses 60 days to fix violations before facing enforcement action. SB 297 eliminated this cure period, allowing the Attorney General to initiate enforcement actions immediately upon discovering a violation. (Note: some sources indicate the cure period sunsets on April 1, 2026, rather than being immediately eliminated.)
Expanded investigatory power. The Attorney General can now issue civil investigative demands under Montana's Consumer Protection Act and require controllers to submit data protection assessments relevant to investigations.
Civil penalties. Violations of the MCDPA can result in penalties of up to $7,500 per violation under Mont. Code Ann. 30-14-2820. The Attorney General can also seek injunctive relief and recover reasonable attorney fees and investigation costs.
Statute of limitations. SB 297 established a five-year statute of limitations from when the cause of action accrues.
Consumers can file complaints with the Montana Office of Consumer Protection through the Montana Department of Justice website.
How Montana Compares to Other States
Montana's approach to biometric privacy falls in the middle of the spectrum among U.S. states:
Stronger than states with no protections. Many states still lack any specific biometric data protections. Montana's classification of biometric data as sensitive data requiring consent puts it ahead of states without comprehensive privacy laws.
Weaker than dedicated biometric privacy laws. States like Illinois, Texas, and Washington have standalone biometric privacy statutes with specific requirements for notice, consent, retention schedules, and data destruction. Illinois's BIPA includes a private right of action that has produced significant litigation and settlements.
Similar to other comprehensive privacy law states. Montana's approach closely mirrors states like Connecticut, Indiana, and Kentucky, which all classify biometric data as sensitive data within their comprehensive consumer privacy frameworks and require opt-in consent for processing.
Notable gap. Unlike some states that include biometric data in their breach notification definitions, Montana's breach notification statute does not cover biometric data. This is an area where Montana offers less protection than states that have updated their breach notification laws.
Sources and References
This article references Montana statutes and official state government publications. For the full text of the MCDPA, visit the Montana Code Annotated. For consumer complaints and guidance, visit the Montana Department of Justice Office of Consumer Protection. For breach notification requirements, see the Montana DOJ reporting page.
This article provides general legal information about Montana biometric privacy laws. It is not legal advice. Consult a qualified attorney for guidance on your specific situation. Laws and regulations change frequently. Verify current requirements through official Montana government sources.
- Montana Department of Justice - Consumer Data Privacy (dojmt.gov)
- Mont. Code Ann. 30-14-2802 - MCDPA Definitions (mca.legmt.gov)
- Montana Consumer Data Privacy Act - Full Statute (mca.legmt.gov)
- Mont. Code Ann. 30-14-1704 - Computer Security Breach (mca.legmt.gov)
- Montana DOJ - Breach Reporting Requirements (dojmt.gov)
- SB 384 - Montana Consumer Data Privacy Act (Original Bill) (laws.leg.mt.gov)