MCDPA Compliance Checklist: Montana Privacy (2026)

Complying with the Montana Consumer Data Privacy Act (MCDPA), Mont. Code Ann. 30-14-2801 et seq., starts with one question: do you control or process the personal data of 25,000 Montana consumers, or 15,000 if more than 25 percent of your gross revenue comes from selling personal data? As of 2026 those are the lowest coverage thresholds of any state privacy law, so far smaller businesses are now in scope than were a year earlier. If you are covered, the law requires a privacy notice, opt-in consent for sensitive data, recognition of a universal opt-out signal, data protection assessments, processor contracts, and heightened safeguards for minors.
There is no longer a safety net. The 60-day cure period that once let a business fix an alleged violation before any enforcement action ended April 1, 2026. As of 2026 the Montana Attorney General can sue without sending a warning letter, and civil penalties reach up to $7,500 per violation under Mont. Code Ann. 30-14-142. Compliance now needs to be in place before a complaint arrives, not assembled afterward.
Jurisdiction scope: This covers the Montana Consumer Data Privacy Act (Mont. Code Ann. Title 30, Chapter 14, Part 28). It is general legal information, not legal advice.
Step 1: Run the applicability test at the low thresholds
The first compliance step is deciding whether the MCDPA applies to you at all, and after SB 297 that question catches more businesses than it used to. Under Mont. Code Ann. 30-14-2803, the law applies to a person that conducts business in Montana, or that produces products or services targeted at Montana residents, and that during a calendar year controls or processes the personal data of either 25,000 or more Montana consumers, or 15,000 or more Montana consumers while deriving more than 25 percent of gross revenue from the sale of personal data.
Count Montana consumers, not your total user base. A business with a large national footprint but few Montana customers may fall below the line, while a Montana-focused business can be covered with a comparatively small number of users. The primary 25,000 count excludes personal data processed solely to complete a payment transaction, but that carve-out is narrow and does not cover the customer data you keep afterward. The table below compares Montana's triggers to other major state laws.
| Law | Primary trigger | Notes |
|---|---|---|
| Montana MCDPA | 25,000 consumers | 15,000 if over 25% revenue from selling data |
| California CCPA | $25M revenue, 100,000 consumers, or 50% revenue from sale | Revenue-based trigger |
| Virginia VCDPA | 100,000 consumers | 25,000 if over 50% revenue from sale |
| Texas TDPSA | No numeric threshold | Excludes small businesses per SBA definition |
Document your analysis. Because the thresholds are now so low, businesses that previously concluded they were exempt should re-run the test against the 25,000 and 15,000 figures that took effect October 1, 2025. A dated written determination is useful if the Attorney General later asks how you reached your conclusion.
Step 2: Check the exemptions before you build
Even above the thresholds, a business may be wholly or partly exempt. Under Mont. Code Ann. 30-14-2803, exempt entities include government bodies, federally recognized tribes, nonprofit organizations, and institutions of higher education. Data-level exemptions cover protected health information under HIPAA, consumer report data under the Fair Credit Reporting Act, education records under FERPA, and similar categories already regulated by federal law.
SB 297 reworked the financial-sector and nonprofit treatment, so old assumptions may no longer hold as of 2026. The broad entity-level exemption for financial institutions under the Gramm-Leach-Bliley Act was reshaped, with specific exemptions retained for banks, credit unions, and certain insurers, while the data-level GLBA exemption for regulated data remains. The nonprofit exemption was narrowed in scope. Confirm your status against the current statutory text rather than a pre-SB 297 summary.
Mixed-status businesses are common. A company may handle some exempt data, such as HIPAA-protected records, alongside non-exempt consumer data that the MCDPA covers. The exemptions apply to the specific entity or data type, so the covered portions of your operation still need full compliance. Map which data sits inside and outside the exemptions so you can apply MCDPA controls precisely where they are required.
Step 3: Publish a compliant privacy notice
The MCDPA requires a controller to provide consumers with a reasonably accessible, clear, and meaningful privacy notice. The notice must describe the categories of personal data the controller processes, the purposes for processing, how consumers may exercise their rights and appeal a decision, the categories of personal data the controller shares with third parties, and the categories of third parties with whom it shares data.
If the controller sells personal data or processes it for targeted advertising, the notice must disclose that and explain how a consumer may opt out. SB 297 enhanced these notice requirements, so a privacy policy drafted for the original 2024 version of the law should be reviewed against the amended standard. The notice should also explain that consumers can submit a complaint to the Montana Attorney General if an appeal is denied.
Keep the notice current. The MCDPA contemplates that consumers be informed of material changes to a controller's privacy practices, so a process for updating the notice and, where appropriate, notifying consumers of material changes belongs in your compliance program. Treat the privacy notice as a living document tied to your actual data practices, not a one-time legal artifact.

Step 4: Build opt-out and universal opt-out handling
Covered controllers must give consumers a clear and conspicuous way to opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects, as set out in Mont. Code Ann. 30-14-2808. The opt-out cannot be hidden behind an account requirement, and it cannot be more burdensome than the corresponding opt-in. A practical setup includes a visible link and a request intake that routes to the right system.
The harder technical requirement is the universal opt-out mechanism. Since January 1, 2025, a controller that processes personal data for targeted advertising or sale must recognize an opt-out preference signal, such as the Global Privacy Control, that communicates a consumer's choice. That means your web properties need to detect the signal and apply the opt-out automatically, without requiring the consumer to do anything else on your site. Test this end to end, because a signal that is received but not acted on is a violation waiting to be found.
Treat opt-out logging as part of the build. You should be able to show that a given opt-out, whether submitted directly or via a preference signal, was received and honored. Records of opt-out handling help demonstrate compliance now that there is no cure period to fall back on.
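The detection, automatic application, and logging described in Step 4, as an added example that is not code from the page or from any Montana agency. The one external fact it relies on is from the Global Privacy Control specification: a user agent with the signal enabled sends the HTTP request header `Sec-GPC: 1`. The request object shape, the in-memory preference store, the audit record fields, and the purpose names are assumptions for illustration; how a prior direct choice should interact with a later signal is not addressed on the page and is deliberately left out.

```javascript
// Added example (not from the page). Server-side handling of the Global
// Privacy Control signal: detect it, apply the opt-out with no further
// action by the consumer, and keep a record showing it was received and
// honored. Store, record shape and purpose names are assumptions.

// Purposes a GPC signal opts the consumer out of (targeted ads and sale).
const SIGNAL_PURPOSES = ["targeted_advertising", "sale"];

// Stand-ins for a durable preference store and an append-only audit log.
const preferences = new Map();   // consumerId -> Set of opted-out purposes
const auditLog = [];             // one record per opt-out event

// True only when the header is present with the spec value "1".
// Node lower-cases incoming header names; a framework that hands back an
// array for a repeated header is handled by taking the first value.
function gpcSignalPresent(headers) {
  let value = headers["sec-gpc"];
  if (Array.isArray(value)) value = value[0];
  return value !== undefined && String(value).trim() === "1";
}

// Writes the preference and the audit record in one step, so a received
// signal can never be logged without also being applied.
function recordOptOut(consumerId, purposes, source, receivedAt) {
  const set = preferences.get(consumerId) || new Set();
  for (const p of purposes) set.add(p);
  preferences.set(consumerId, set);
  const record = {
    consumerId,
    source,                         // "gpc_signal" or "direct_request"
    purposes: [...purposes],
    receivedAt: receivedAt.toISOString(),
    honoredAt: new Date().toISOString(),
    honored: true,
  };
  auditLog.push(record);
  return record;
}

// Entry point for every inbound request. A present signal is applied
// immediately; the consumer does not have to click anything on the site.
function handleRequest(req, receivedAt = new Date()) {
  if (gpcSignalPresent(req.headers)) {
    return recordOptOut(req.consumerId, SIGNAL_PURPOSES, "gpc_signal", receivedAt);
  }
  return null; // no signal: existing preferences are left untouched
}

// Opt-out submitted directly through the site's own link or form.
function handleDirectOptOut(consumerId, purposes, receivedAt = new Date()) {
  return recordOptOut(consumerId, purposes, "direct_request", receivedAt);
}

// Gate that the ad, sale and profiling code paths must call before acting.
// It reads the same store the signal writes to, which is what closes the
// "received but not acted on" gap.
function isPurposeAllowed(consumerId, purpose) {
  const set = preferences.get(consumerId);
  return !(set && set.has(purpose));
}

// Evidence for one consumer: what was received, from where, and when it
// was honored.
function optOutHistory(consumerId) {
  return auditLog.filter((r) => r.consumerId === consumerId);
}

// Constructed sample traffic: one visitor sends the signal, one does not.
const visitorWithSignal = {
  consumerId: "c-1001",
  headers: { "sec-gpc": "1", "user-agent": "example-browser" },
};
const visitorWithout = {
  consumerId: "c-1002",
  headers: { "user-agent": "example-browser" },
};
handleRequest(visitorWithSignal);
handleRequest(visitorWithout);
```

The end-to-end test the text calls for is the pair of checks at the bottom of this design: send a request carrying `Sec-GPC: 1`, then confirm that `isPurposeAllowed` denies targeted advertising and sale for that consumer and that `optOutHistory` returns a record with `source: "gpc_signal"` and `honored: true`.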
Step 5: Require opt-in consent for sensitive data
Sensitive data carries an opt-in rule under Mont. Code Ann. 30-14-2812: a controller may not process sensitive data without first obtaining the consumer's consent. Consent must be a clear affirmative act that is freely given, specific, informed, and unambiguous, and it cannot be extracted through dark patterns or deceptive interface design. Pre-checked boxes and bundled consent do not meet the standard.
Sensitive data includes personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship or immigration status, genetic or biometric data used to identify a person, personal data of a known child, and precise geolocation. The first compliance task here is identification: inventory your data and flag which fields fall into these categories, because you cannot apply an opt-in gate to data you have not located.
For a known child under 13, processing must follow the federal Children's Online Privacy Protection Act, and COPPA-compliant consent satisfies the MCDPA for that group. For older minors, the strengthened minor protections in the next section apply. Build the consent flow so that sensitive-data processing simply does not start until valid consent is captured and recorded.
Step 6: Conduct data protection assessments
The MCDPA requires controllers to conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers, under Mont. Code Ann. 30-14-2814. Covered activities include processing for targeted advertising, the sale of personal data, certain profiling, and the processing of sensitive data. The assessment must weigh the benefits of the processing against the potential risks to consumers, taking into account safeguards that mitigate those risks.
SB 297 increased the stakes by expanding the Attorney General's authority to require production of these assessments. An assessment is no longer just internal hygiene; the Attorney General may demand it during an investigation, and it must be made available in a way that does not waive attorney-client privilege or work-product protection. That means your assessments need to actually exist, be reasonably current, and be retrievable on request.
The companion provisions at Mont. Code Ann. 30-14-2818 and 30-14-2819 add a minor-specific assessment duty for processing that presents a heightened risk of harm to minors. A teen-facing service therefore carries documentation obligations on top of its consent obligations. Build a repeatable assessment template and run it whenever you launch a new high-risk processing activity rather than treating it as a one-time exercise.

Step 7: Put processor contracts and data security in place
When a controller engages a processor to handle personal data on its behalf, the MCDPA requires a binding contract that governs the processing. The contract must set out the processing instructions, the nature and purpose of processing, the type of data and duration, and obligations on the processor to maintain confidentiality, delete or return data at the end of the engagement, assist the controller with its obligations, and submit to reasonable audits. Review and paper your vendor relationships so each processor is under a compliant contract.
Controllers also owe a baseline data-security duty. The MCDPA requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data at issue. There is no single prescribed standard, so the obligation scales with risk: more sensitive or higher-volume data calls for stronger safeguards.
Data minimization underlies both duties. The MCDPA limits collection to what is adequate, relevant, and reasonably necessary for the disclosed purposes, and bars processing for incompatible new purposes without consent. Keeping less data reduces both your security exposure and the scope of consumer requests you must service.
Step 8: Apply heightened safeguards for minors
SB 297 made minors a focal point of Montana compliance. Under Mont. Code Ann. 30-14-2811, for a consumer the controller knows is a minor, defined as an individual under 18, the controller may not process personal data for targeted advertising, the sale of personal data, or profiling without consent. The controller may not collect precise geolocation data unless reasonably necessary, and it must apply data minimization so a minor's data is not retained longer than reasonably necessary to provide the requested service.
These obligations reach further than COPPA, which generally governs children under 13, because Montana extends consent and processing limits to all known minors under 18. If your service is likely to be used by teenagers, build age-aware logic so that, once a user is known to be a minor, the targeted-advertising, sale, and profiling pathways are blocked absent consent. Pair that logic with the minor-specific data protection assessment required by Mont. Code Ann. 30-14-2819.
Document the controls. Because the Attorney General can require assessments and there is no cure period, a teen-facing business should be able to show what age signals it uses, what processing it restricts, and how it captures any consent. This is among the most demanding parts of the MCDPA as of 2026.
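The sensitive-data opt-in gate from Step 5 and the age-aware processing gate from Step 8, combined into one policy check as an added example; it is not code from the page or from any Montana agency. The rules encoded are the ones the page states (opt-in for the listed sensitive categories, rejection of pre-checked and bundled consent, COPPA-compliant consent for a known child under 13, consent before targeted advertising, sale or profiling of a known minor under 18, and precise geolocation of a minor only when reasonably necessary). The consumer record shape, the consent record shape, the scope and purpose names, and the `necessaryForService` flag are assumptions for illustration.

```javascript
// Added example (not from the page). One decision function that ad,
// sale, profiling and data-collection code paths call before processing.
// Record shapes and scope/purpose names are assumptions.

// Sensitive categories as listed on the page. Data of a known child is
// handled separately below because it depends on age, not on a field.
const SENSITIVE_CATEGORIES = new Set([
  "racial_or_ethnic_origin", "religious_beliefs", "health_condition",
  "sex_life", "sexual_orientation", "citizenship_or_immigration_status",
  "genetic_data", "biometric_data", "precise_geolocation",
]);

// Purposes that need consent when the consumer is a known minor.
const MINOR_GATED_PURPOSES = new Set(["targeted_advertising", "sale", "profiling"]);

function isKnownMinor(consumer) {
  return Number.isInteger(consumer.knownAge) && consumer.knownAge < 18;
}
function isKnownChild(consumer) {
  return Number.isInteger(consumer.knownAge) && consumer.knownAge < 13;
}

// A consent counts only if it was a clear affirmative act for this
// specific scope. Pre-checked boxes and bundled consent are rejected.
function consentIsValid(consent, scope) {
  if (!consent) return false;
  if (consent.method === "prechecked" || consent.method === "bundled") return false;
  if (!Array.isArray(consent.scopes) || !consent.scopes.includes(scope)) return false;
  return consent.affirmative === true;
}

// Decide whether `purpose` may run over `categories` for `consumer`.
// Returns { allowed, reasons } so the refusal can be logged and shown.
function decideProcessing(consumer, purpose, categories, opts = {}) {
  const reasons = [];
  const needsOptIn = new Set();

  // Every sensitive category in the request needs its own opt-in.
  for (const c of categories) {
    if (SENSITIVE_CATEGORIES.has(c)) needsOptIn.add(`sensitive:${c}`);
  }

  // Personal data of a known child is itself sensitive data.
  if (isKnownChild(consumer)) needsOptIn.add("sensitive:child_data");

  // Known minor: targeted ads, sale and profiling only with consent.
  if (isKnownMinor(consumer) && MINOR_GATED_PURPOSES.has(purpose)) {
    needsOptIn.add(`minor:${purpose}`);
  }

  // Known minor: precise geolocation only when reasonably necessary.
  if (isKnownMinor(consumer) && categories.includes("precise_geolocation")
      && opts.necessaryForService !== true) {
    reasons.push("precise geolocation of a known minor is not reasonably necessary");
  }

  // Look up a valid consent for each required scope.
  for (const scope of needsOptIn) {
    const consent = (consumer.consents || []).find(
      (c) => Array.isArray(c.scopes) && c.scopes.includes(scope));
    if (!consentIsValid(consent, scope)) {
      reasons.push(`no valid opt-in consent for ${scope}`);
    } else if (scope === "sensitive:child_data" && consent.coppaCompliant !== true) {
      reasons.push("consent for a known child's data must be COPPA-compliant");
    }
  }

  return { allowed: reasons.length === 0, reasons };
}

// Constructed consumer records used for the sample decisions.
const ADULT = { id: "a-1", knownAge: 35, consents: [] };
const TEEN = { id: "t-1", knownAge: 16, consents: [] };
const CHILD_WITH_COPPA = {
  id: "k-1", knownAge: 10,
  consents: [{ scopes: ["sensitive:child_data"], method: "parental_form",
               affirmative: true, coppaCompliant: true }],
};
const UNKNOWN_AGE = { id: "u-1", knownAge: null, consents: [] };
```

The point of returning reasons rather than a bare boolean is documentation: the refusal text is what a controller records to show which age signal and which consent check blocked a pathway, which is the evidence the text says a teen-facing business should be able to produce.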
The bottom line: no cure period, real penalties
The single most important compliance fact for 2026 is that the safety net is gone. The MCDPA originally included a 60-day right to cure that was set to sunset 18 months after the effective date, on April 1, 2026; SB 297 went further and removed the cure mechanism from the statute effective October 1, 2025. Either way, the result is the same and should be stated plainly: as of April 1, 2026, there is no mandatory cure period, and the Montana Attorney General may bring an enforcement action without first sending a warning letter or allowing a business to fix the violation.
Enforcement runs through the Montana Unfair Trade Practices and Consumer Protection Act, with civil penalties up to $7,500 per violation under Mont. Code Ann. 30-14-142, plus injunctive relief and the recovery of investigation and enforcement costs. SB 297 also expanded the Attorney General's investigative powers, including civil investigative demands and the authority to require production of data protection assessments. There is no private right of action, so enforcement is centralized in the Attorney General's office.
Because there is no longer a grace period, the practical advice is to close gaps before a complaint lands. Keep your applicability analysis, privacy notice, consent records, opt-out logs, processor contracts, and data protection assessments current and retrievable. A business that can demonstrate a working compliance program is in a far stronger position now that a first violation can lead directly to penalties.
Related guides
- Montana Data Privacy Laws hub
- What is the MCDPA?
- MCDPA Consumer Rights
- US State Privacy Laws Comparison
- What is the CCPA?
Sources and References
- Mont. Code Ann. 30-14-2803, Applicability (mca.legmt.gov)
- Mont. Code Ann. 30-14-2808, Consumer personal data, opt-out, appeals (mca.legmt.gov)
- Mont. Code Ann. 30-14-2811, Duties of controllers, minors (mca.legmt.gov)
- Mont. Code Ann. 30-14-2812, Data processing limitations (mca.legmt.gov)
- Mont. Code Ann. 30-14-2814, Data protection assessment (mca.legmt.gov)
- Mont. Code Ann. 30-14-142, Civil penalties (mca.legmt.gov)
- Montana DOJ Office of Consumer Protection, Montana Consumer Data Privacy (dojmt.gov)
- Montana Legislature, SB 297 (2025 session) (bills.legmt.gov)
- Global Privacy Control technical specification (globalprivacycontrol.org)