MCDPA Consumer Rights: Montana Privacy Rights (2026)

The Montana Consumer Data Privacy Act (MCDPA), at Mont. Code Ann. 30-14-2808, gives Montana residents five core data rights: to confirm and access their personal data, to correct inaccuracies, to delete data, to obtain a portable copy, and to opt out of targeted advertising, the sale of personal data, and certain profiling. Businesses covered by the law must respond to a verified request within 45 days, with one 45-day extension available when reasonably necessary. As of 2026, these rights are backed by tougher enforcement, because the cure period that once shielded businesses ended April 1, 2026.
Two features make Montana's rights framework stronger than a basic opt-out model. Since January 1, 2025, controllers must honor a universal opt-out signal such as the Global Privacy Control, so a single browser setting can carry a consumer's choice across covered sites. And after SB 297, the law applies heightened protections to consumers a controller knows are minors under 18, requiring consent before their data is used for targeted advertising, sale, or profiling.
Jurisdiction scope: This covers the Montana Consumer Data Privacy Act (Mont. Code Ann. Title 30, Chapter 14, Part 28). It is general legal information, not legal advice.
The five consumer rights under the MCDPA
The heart of the MCDPA is the rights list in Mont. Code Ann. 30-14-2808. A Montana consumer may submit a request to a controller to exercise any of five rights. First is the right to confirm whether a controller is processing the consumer's personal data and to access that data. Second is the right to correct inaccuracies, taking into account the nature of the data and the purposes of processing. Third is the right to delete personal data about the consumer.
Fourth is the right to data portability: the consumer may obtain a copy of the personal data the consumer previously provided to the controller "in a portable and, to the extent technically feasible, readily usable format" that allows the data to be transmitted to another controller without hindrance. Fifth is the right to opt out of processing for purposes of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects.
These rights belong to "consumers," defined as Montana residents acting in an individual or household context. The MCDPA excludes people acting in a commercial or employment capacity, so an employee asking about workplace records or a business contact asking about a vendor relationship is not exercising a consumer right under this statute. That scope mirrors the Virginia-model privacy laws and contrasts with California, which extended its rights to employees and business contacts.
The access and portability rights in practice
The access right lets a consumer find out what a business holds. A controller that receives a verified access request must confirm whether it is processing the consumer's personal data and provide access to that data. In practice this means a business needs to be able to locate a consumer's data across its systems, which is why data mapping is a foundational compliance task rather than a nice-to-have.
Portability goes a step further by requiring the data to come back in a usable form. The statutory phrase "to the extent technically feasible, readily usable format" sets the standard: the format should let the consumer move the data to another service. The portability right is limited to data the consumer "previously provided," so it does not necessarily reach inferences or derived data a controller generated on its own. A controller may also decline to provide portable data where doing so would require it to reveal a trade secret.
Both rights are subject to verification. A controller is not required to comply with a request if it cannot authenticate the request using commercially reasonable efforts, although it must notify the consumer and may request additional information reasonably necessary to authenticate the request. This guards against someone impersonating a consumer to extract another person's data, a real risk that privacy regulators take seriously.
Correction and deletion
The correction right allows a consumer to fix inaccurate personal data, "taking into account the nature of the personal data and the purposes of the processing." This is more limited than it might sound. It addresses factual inaccuracies in the data a controller holds; it does not give a consumer the power to rewrite legitimate records or to dispute a controller's lawful conclusions. The reasonableness qualifier gives controllers room to weigh how the data is used.
The deletion right is broad on its face: a consumer may request that a controller delete personal data about the consumer. Unlike the portability right, deletion reaches data the controller obtained from sources other than the consumer, not just data the consumer provided. That makes deletion one of the more operationally demanding rights, because a controller must be able to find and remove data it acquired from third parties or generated internally.
Deletion is not absolute. The MCDPA's processing rules and exemptions let a controller retain data where another legal obligation requires it, where the data is needed to complete a transaction the consumer requested, to detect security incidents, to comply with the law, or for similar enumerated purposes. A controller that denies a deletion request in reliance on an exemption should be able to point to the specific basis, because the burden of justifying an exemption generally rests on the controller.

The opt-out rights and the universal opt-out signal
The opt-out right under Mont. Code Ann. 30-14-2808 covers three distinct activities: targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. "Sale" under the MCDPA is defined broadly to include the exchange of personal data for monetary or other valuable consideration, which can sweep in data-sharing arrangements that a business might not have labeled a sale.
Controllers must provide a clear and conspicuous method for consumers to exercise these opt-outs, and that method must be available both inside and, for sales and targeted advertising, through an opt-out preference signal. Since January 1, 2025, a controller that processes personal data for targeted advertising or sale must recognize a universal opt-out mechanism, such as the Global Privacy Control, that communicates a consumer's choice to opt out. This is the feature that turns the opt-out from a per-site chore into a one-time setting.
The universal opt-out requirement is significant because it shifts effort from the consumer to the business. A Montanan can configure a browser or platform-level signal once, and every covered controller must treat that signal as a valid opt-out for sales and targeted advertising. Controllers cannot require a consumer to create an account in order to opt out, and they cannot make the opt-out process more burdensome than the opt-in.
The 45-day response window and extension
Timing is governed by Mont. Code Ann. 30-14-2808. A controller must respond to a consumer's request "without undue delay, but not later than 45 days after receipt of the request." The clock starts when the controller receives the request, which is why intake processes matter; a request that sits in a generic inbox still counts against the deadline.
The controller "may extend the response period by 45 additional days when reasonably necessary, considering the complexity and number of the consumer's requests." To use the extension, the controller must inform the consumer of the extension within the initial 45-day period and explain the reason for it. The extension is not automatic and is meant for genuinely complex or high-volume situations, not routine convenience. The table below lays out the deadlines.
| Action | Deadline | Authority |
|---|---|---|
| Respond to a consumer request | 45 days from receipt | Mont. Code Ann. 30-14-2808 |
| Extension of response period | One additional 45 days | Mont. Code Ann. 30-14-2808 |
| Respond to an appeal | 60 days from receipt | Mont. Code Ann. 30-14-2808 |
If a controller declines to act on a request, it must inform the consumer without undue delay and within 45 days of the reasons for not taking action and instructions for how to appeal. Information provided in response to a request must generally be furnished free of charge once per consumer during any 12-month period, although a controller may charge a reasonable fee or decline to act on requests that are manifestly unfounded, excessive, or repetitive.

The right to appeal
The MCDPA builds in a second look. Under Mont. Code Ann. 30-14-2808, a controller must establish a process for a consumer to appeal the controller's refusal to act on a request within a reasonable period after the consumer receives the refusal. The appeal process must be conspicuously available and similar to the process for submitting the original request.
Within 60 days after receipt of an appeal, the controller must inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. This written-explanation requirement gives the consumer a record of the controller's reasoning, which can matter if the dispute escalates.
If the appeal is denied, the controller must provide the consumer with an online mechanism, if available, or another method through which the consumer may contact the Montana Attorney General to submit a complaint. The appeal route does not create a private lawsuit; instead, it channels unresolved disputes to the Attorney General, who is the sole enforcer of the MCDPA. Consumers cannot sue a business directly under the statute.
Sensitive data and the opt-in default
For sensitive data, the MCDPA flips the default. Under Mont. Code Ann. 30-14-2812, a controller may not process sensitive data without first obtaining the consumer's consent. "Consent" means a clear affirmative act signifying a freely given, specific, informed, and unambiguous agreement, and it cannot be obtained through deceptive design or so-called dark patterns. This opt-in standard is materially stronger than the opt-out that governs ordinary processing.
Sensitive data is defined to include personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship or immigration status, genetic or biometric data processed for the purpose of uniquely identifying an individual, personal data collected from a known child, and precise geolocation data. Because the consequences of mishandling these categories are serious, controllers should identify sensitive data in their inventory and confirm a lawful consent basis before processing it.
The known-child category links the sensitive-data rule to federal law. Data of a child under 13 is processed in accordance with the Children's Online Privacy Protection Act, so COPPA-compliant consent satisfies the MCDPA for that age group. For older minors, Montana's strengthened minor protections apply instead, which the next section addresses.
Strengthened protections for minors
SB 297 made Montana one of the more protective states for the data of teenagers, not just young children. Under Mont. Code Ann. 30-14-2811, for a consumer the controller knows is a minor, defined as an individual under 18, the controller may not process personal data for targeted advertising, the sale of personal data, or profiling without consent. The controller also may not collect precise geolocation data unless it is reasonably necessary, and it must apply data minimization so that a minor's data is not kept longer than reasonably necessary to provide the requested service.
These rules reach further than COPPA, which generally governs children under 13. By extending consent requirements and processing limits to all known minors under 18, Montana treats teenagers as a protected class. The companion provisions at Mont. Code Ann. 30-14-2818 and 30-14-2819 allocate responsibility by role and require data protection assessments for processing that presents a heightened risk of harm to minors, so a teen-facing service carries documentation duties on top of the consent rules.
For consumers and parents, the practical upshot is meaningful control over how a minor's data is used. A business that knows a user is under 18 cannot quietly enroll that user in behavioral advertising, sell the user's data, or run profiling that drives significant decisions without obtaining consent. As of 2026, these are among the most demanding obligations in the MCDPA, and they sit alongside the same access, correction, deletion, and portability rights that apply to all consumers.
Sources and References
- Mont. Code Ann. 30-14-2808, Consumer personal data, opt-out, appeals (mca.legmt.gov)
- Mont. Code Ann. 30-14-2812, Data processing limitations (mca.legmt.gov)
- Mont. Code Ann. 30-14-2811, Duties of controllers, minors (mca.legmt.gov)
- Mont. Code Ann. 30-14-2802, Definitions (mca.legmt.gov)
- Mont. Code Ann. 30-14-2801 et seq., Montana Consumer Data Privacy Act (mca.legmt.gov)
- Montana DOJ Office of Consumer Protection, Montana Consumer Data Privacy (dojmt.gov)
- Montana Legislature, SB 297 (2025 session) (bills.legmt.gov)
- Global Privacy Control technical specification (globalprivacycontrol.org)