Montana
What Is the MCDPA? Montana Data Privacy Law (2026)
The Montana Consumer Data Privacy Act (MCDPA), codified at Mont. Code Ann. 30-14-2801 et seq., is Montana's comprehensive consumer privacy law. It took effect October 1, 2024, and it gives Montana residents the right to access, correct, delete, and port their personal data, plus the right to opt out of targeted advertising, the sale of personal data, and certain profiling. As of 2026, after the SB 297 overhaul, it reaches more businesses than any other state privacy law because it carries the lowest coverage thresholds in the country.
The most consequential recent change is about enforcement, not rights. The MCDPA originally gave businesses a 60-day window to "cure" an alleged violation before the Attorney General could sue. That safety net is gone. As of April 1, 2026, the Montana Attorney General may bring an enforcement action without first sending a warning letter or allowing a cure, so a first violation can now lead directly to penalties of up to $7,500 each under Mont. Code Ann. 30-14-142.
Jurisdiction scope: This covers the Montana Consumer Data Privacy Act (Mont. Code Ann. Title 30, Chapter 14, Part 28). It is general legal information, not legal advice.
What the MCDPA is and when it took effect
The Montana Consumer Data Privacy Act is a comprehensive consumer privacy statute, meaning it governs how businesses collect, use, share, and protect the personal data of Montana residents across the board rather than regulating one narrow sector. It was enacted in 2023 as Senate Bill 384, signed by Governor Greg Gianforte, and it took effect on October 1, 2024. The operative text lives in Mont. Code Ann. Title 30, Chapter 14, Part 28, beginning at Mont. Code Ann. 30-14-2801.
The MCDPA belongs to the family of state privacy laws that trace their structure to the Virginia and Connecticut models rather than to California. That lineage matters. Like the Connecticut Data Privacy Act, the MCDPA gives consumers a defined slate of rights, imposes duties on the businesses that decide why and how data is processed, and is enforced solely by the state Attorney General. It does not create the kind of private lawsuit right that California's data-breach provisions allow.
A "consumer" under the MCDPA is a Montana resident acting in an individual or household capacity. The law deliberately excludes people acting in a commercial or employment context, so business-to-business contacts and employee data fall outside the core consumer-rights framework. This is a common feature of the Virginia-model laws and distinguishes Montana from California, which extended its protections to employees and B2B contacts.
The SB 297 overhaul, effective October 1, 2025
The most important thing to understand about the MCDPA as of 2026 is that it was significantly rewritten before most businesses had finished their first year of compliance. Senate Bill 297, passed during the 2025 legislative session, took effect on October 1, 2025, and it changed the law in four major directions at once: it lowered the coverage thresholds, it removed the cure period, it tightened protections for minors, and it expanded the Attorney General's investigative powers.
Each of those changes pushes in the direction of broader coverage and tougher enforcement. The threshold reductions sweep in smaller businesses. The removal of the cure period eliminates the grace period that businesses relied on. The minor protections add new opt-in consent obligations. And the expanded investigative tools, including civil investigative demands and the power to require production of data protection assessments, give the Attorney General more ways to test compliance. The table below summarizes the before-and-after picture.
| Provision | Before SB 297 | As of 2026 (after SB 297) |
|---|---|---|
| Primary consumer threshold | 50,000 consumers | 25,000 consumers (Mont. Code Ann. 30-14-2803) |
| Data-sale threshold | 25,000 consumers + 25% revenue | 15,000 consumers + 25% revenue |
| Cure period | 60 days, sunsetting April 1, 2026 | No cure period as of April 1, 2026 |
| Minor protections | General duty | Opt-in consent for ads, sale, profiling; geolocation limits |
| AG investigative tools | Standard | Civil investigative demands; may require assessments |
The lowest coverage thresholds in the nation
The MCDPA applies to a person who conducts business in Montana, or who produces products or services targeted at Montana residents, and who during a calendar year controls or processes the personal data of either of two consumer counts under Mont. Code Ann. 30-14-2803. As of 2026 the first count is 25,000 or more Montana consumers, excluding data processed solely to complete a payment transaction. The second count is 15,000 or more Montana consumers where the business derives more than 25 percent of its gross revenue from the sale of personal data.
These are, as the Montana Department of Justice Office of Consumer Protection notes, the lowest thresholds of any state privacy law. SB 297 cut the primary number nearly in half, from 50,000 to 25,000, and dropped the sale-based number from 25,000 to 15,000. Because Montana has a small population, a 25,000-consumer trigger captures a meaningful share of the businesses that touch Montanans online. A national e-commerce site, a regional service provider, or an app with modest Montana reach can land inside the law without doing anything that looks like a large data operation.
Note that the thresholds count Montana consumers, not nationwide users or total revenue. A business with millions of customers elsewhere but very few in Montana may fall below the line, while a business heavily focused on Montana could be covered with a comparatively small footprint. The payment-transaction carve-out in the primary count is narrow: it excludes only data processed solely to complete a payment, not the broader customer data a business keeps afterward.
What the MCDPA does not cover: exemptions
The MCDPA, like its sister laws, layers entity-level and data-level exemptions on top of the thresholds. These carve-outs exist because other federal and state regimes already regulate certain organizations and data types. Under the applicability provisions in Mont. Code Ann. 30-14-2803, the law does not apply to a range of bodies and information.
Exempt categories include state and local government entities and federally recognized tribes; nonprofit organizations; institutions of higher education; and information already governed by sector-specific federal law. Data regulated by the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act, the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act, and the federal Farm Credit Act is excluded as protected health or financial information under those regimes.
SB 297 reworked the financial-sector and nonprofit treatment. It narrowed the Gramm-Leach-Bliley Act (GLBA) carve-out: the data-level exemption for information regulated under GLBA remains, but the broad entity-level exemption for financial institutions was reshaped, with specific exemptions retained for banks, credit unions, and certain insurers. The nonprofit exemption was likewise narrowed in scope. The practical effect is that businesses should not assume an old reading of the GLBA exemption still holds; the post-SB 297 text controls as of 2026.
Consumer rights and the opt-in for sensitive data
The MCDPA gives Montana consumers the now-familiar slate of rights under Mont. Code Ann. 30-14-2808: the right to confirm whether a controller is processing their personal data and to access it, the right to correct inaccuracies, the right to delete, the right to obtain a portable copy of data they provided, and the right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. Controllers must respond without undue delay and no later than 45 days, with one 45-day extension available when reasonably necessary.
Sensitive data gets stronger treatment. Under Mont. Code Ann. 30-14-2812, a controller may not "process sensitive data concerning a consumer without obtaining the consumer's consent." This is an opt-in rule, the opposite of the opt-out default that applies to ordinary processing. Sensitive data includes categories such as data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed to identify a person, personal data of a known child, and precise geolocation.
Controllers must also recognize a universal opt-out mechanism. Since January 1, 2025, a controller that processes personal data for targeted advertising or sale must honor a consumer's choice communicated through an opt-out preference signal, such as the Global Privacy Control. That requirement means a consumer can set a single browser or device signal and have it respected across covered sites, rather than clicking through an opt-out on each one.
Strengthened minor protections
SB 297 placed Montana among the stricter states on children's and teens' data. For consumers a controller knows are minors, a term Mont. Code Ann. 30-14-2802 defines as individuals under 18, Mont. Code Ann. 30-14-2811 restricts processing personal data for targeted advertising, the sale of personal data, or profiling without consent. It also limits the collection of precise geolocation data and requires data minimization, so a service may not keep a minor's data longer than reasonably necessary to provide the requested online service, product, or feature.
These protections reflect a national trend toward treating teenagers, not just young children, as a protected class in privacy law. The federal Children's Online Privacy Protection Act (COPPA) generally addresses children under 13, but Montana's rules extend to the full under-18 population for known minors. The companion provisions at Mont. Code Ann. 30-14-2818 and 30-14-2819 assign responsibility by role and require data protection assessments for processing that presents a heightened risk of harm to minors. Businesses that operate teen-facing services should treat these as among the most demanding obligations in the statute.
How the MCDPA compares to California's CCPA
Montana and California reach similar goals through different machinery. The CCPA and its amendments grew from a ballot-initiative tradition and use the language of "businesses," "consumers," and a dedicated regulator, the California Privacy Protection Agency. The MCDPA uses the Virginia-model vocabulary of "controllers" and "processors" and is enforced by the Attorney General alone. The table below highlights the practical differences.
| Feature | Montana MCDPA | California CCPA/CPRA |
|---|---|---|
| Coverage trigger | 25,000 / 15,000 Montana consumers | $25M revenue, 100,000 consumers, or 50% revenue from sale/share |
| Employee and B2B data | Excluded | Included |
| Sensitive data | Opt-in consent required | Right to limit use |
| Cure period | None as of April 1, 2026 | Discretionary, no mandatory cure |
| Private right of action | None | Limited, for certain data breaches |
| Regulator | Attorney General | California Privacy Protection Agency |
The headline contrast is reach versus depth. California's revenue and large-consumer triggers aim at bigger operators, while Montana's low consumer counts pull in far smaller businesses. A company too small for the CCPA can easily be covered by the MCDPA. For multistate businesses, the MCDPA's 25,000-consumer trigger and its opt-in sensitive-data rule often set the floor for what a privacy program must support nationwide.
Enforcement after the cure period ended
The Montana Attorney General is the sole enforcer of the MCDPA. Enforcement runs through the Montana Unfair Trade Practices and Consumer Protection Act, and civil penalties reach up to $7,500 per violation under Mont. Code Ann. 30-14-142. There is no private right of action, so individual consumers cannot sue a business directly for an MCDPA violation; they can submit complaints to the Attorney General, who decides whether to investigate and act.
The defining enforcement fact as of 2026 is the end of the cure period. The original statute included a 60-day right to cure that was set to sunset 18 months after the effective date, on April 1, 2026. SB 297 removed the cure mechanism from the statute effective October 1, 2025. Whether one looks to the SB 297 repeal or the original sunset, the outcome is the same and should be stated plainly: as of April 1, 2026, there is no mandatory cure period, and the Attorney General may bring an enforcement action without first allowing a business to fix the problem. SB 297 also expanded the Attorney General's investigative powers, authorizing civil investigative demands and the authority to require production of a controller's data protection assessments. For businesses, the takeaway is that compliance now needs to be right the first time.
Related guides
- Montana Data Privacy Laws hub
- MCDPA Consumer Rights
- MCDPA Compliance Checklist
- US State Privacy Laws Comparison
- What is the CCPA?
Sources
Sources and References
- Mont. Code Ann. 30-14-2801 et seq., Montana Consumer Data Privacy Act(mca.legmt.gov).gov
- Mont. Code Ann. 30-14-2803, Applicability(mca.legmt.gov).gov
- Mont. Code Ann. 30-14-2808, Consumer personal data, opt-out, appeals(mca.legmt.gov).gov
- Mont. Code Ann. 30-14-2812, Data processing limitations(mca.legmt.gov).gov
- Mont. Code Ann. 30-14-2811, Duties of controllers, minors(mca.legmt.gov).gov
- Montana DOJ Office of Consumer Protection, Montana Consumer Data Privacy(dojmt.gov).gov
- Montana Legislature, SB 297 (2025 session)(bills.legmt.gov).gov
- Mont. Code Ann. 30-14-142, Civil penalties(mca.legmt.gov).gov
- California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq.(leginfo.legislature.ca.gov).gov