The Montana Consumer Data Privacy Act (MTCDPA) is Montana's comprehensive consumer data-privacy law. It has been in effect since October 1, 2024 and was broadened by SB 297 effective October 1, 2025. The law grants Montana residents rights over their personal data and places compliance duties on covered businesses, wherever those businesses are based.
Montana's applicability thresholds are among the lowest of any US state privacy law, with no revenue-size gate. This guide covers who must comply, what the law requires, how SB 297 changed it, and what it means for your website's cookies.
What Is the Montana Consumer Data Privacy Act (MTCDPA)?
The Montana Consumer Data Privacy Act (MTCDPA, also called the MCDPA) is Montana's comprehensive data-privacy statute. It creates personal-data rights for Montana consumers and compliance duties for the businesses that control or process their data, codified at MCA 30-14-2801 et seq. within Montana's Unfair Trade Practices and Consumer Protection chapter.
Montana passed the law as part of a wave of state privacy statutes that followed California's lead. The Montana Consumer Data Privacy Act joined the growing wave of US state privacy laws that now covers most of the country.
Montana is also unusually protective of privacy at the constitutional level. The Montana Constitution grants residents a fundamental individual right to privacy under Article II, Section 10. That constitutional backdrop is separate from the MTCDPA itself.
Do not confuse the MTCDPA with Montana's other 2025 privacy laws, the Right to Compute Act and the data-broker warrant law. When this article says "Montana privacy law," it means the MTCDPA.
When Did the Montana Consumer Data Privacy Act Take Effect?
The Montana Consumer Data Privacy Act took effect October 1, 2024, and a major amendment broadened it a year later. Governor Greg Gianforte signed the original bill, SB 384, on May 19, 2023, after unanimous passage.
The law's timeline runs as follows.
- May 19, 2023: Governor Gianforte signs SB 384, the original MTCDPA, into law.
- October 1, 2024: The MTCDPA becomes effective and enforceable.
- April 15, 2025: The Montana legislature unanimously passes SB 297, an amendment bill.
- October 1, 2025: SB 297 takes effect. It lowers the applicability thresholds, adds minors' protections and privacy-notice duties, codifies the $7,500 civil penalty, and eliminates the automatic right to cure.
The original MTCDPA also built in a 60-day right-to-cure period for businesses, giving them a chance to fix a violation before facing enforcement. That cure period was designed to sunset automatically on April 1, 2026. SB 297 eliminated it early, effective October 1, 2025, so covered businesses have had no automatic cure period since that date.
Who Has to Comply with the Montana Consumer Data Privacy Act?
The MTCDPA applies to businesses that conduct business in Montana, or intentionally target products and services at Montana residents. A covered business must also meet one of two consumer-count thresholds. There is no overall revenue-size threshold, unlike California's law.
A business is covered if it:
- Controls or processes the personal data of 25,000 or more Montana consumers (lowered from 50,000 by SB 297)
- Derives more than 25% of its gross revenue from selling personal data and processes the data of 15,000 or more consumers (lowered from 25,000 by SB 297)
Meeting either threshold triggers coverage, regardless of where the business is headquartered. SB 297's 2025 threshold cuts pulled Montana's law into range for smaller companies than most state privacy laws reach. A business needs no minimum revenue to qualify, only enough Montana consumers in its data.
Who Is Exempt from the MTCDPA?
The MTCDPA carves out specific entities and data types, and SB 297 changed several of them in 2025. Three exemptions matter most after the 2025 amendments.
- Banks, credit unions, insurers, and insurance producers: added as new entity-level exemptions by SB 297
- Gramm-Leach-Bliley Act data: the GLBA data-level exemption still applies, even though SB 297 removed the broader GLBA "financial institution" entity exemption
- Nonprofits: narrowed by SB 297 to only nonprofit organizations that detect or prevent insurance fraud, not nonprofits generally
A business that previously relied on a general financial-institution or nonprofit exemption should re-check its status under these narrower 2025 rules.
What Rights Does the MTCDPA Give Montana Consumers?
Montana residents get five core rights, and covered businesses must act on requests within 45 days.
| Right | What it lets a consumer do |
|---|---|
| Know and access | Confirm whether a controller is processing their personal data and access it |
| Correct | Fix inaccuracies in their personal data |
| Delete | Request deletion of their personal data |
| Portability | Obtain a copy of their personal data in a portable, usable format |
| Opt out | Stop the sale of their personal data, targeted advertising, and profiling that produces legal or similarly significant effects |
Controllers must respond to a verified request within 45 days of receipt, extendable once by another 45 days when the request's complexity requires it. A consumer can designate an authorized agent to exercise the opt-out right on their behalf.
What Counts as Sensitive Data Under the MTCDPA?
Sensitive data under the MTCDPA covers ten specific categories, and it requires affirmative opt-in consent even though the rest of the law is opt-out. The statute defines sensitive data as personal data revealing:
- Racial or ethnic origin
- Religious beliefs
- A mental or physical health condition or diagnosis
- Sex life information
- Sexual orientation
- Citizenship or immigration status
- Genetic data collected to uniquely identify someone
- Biometric data collected to uniquely identify someone
- A known child's personal data
- Precise geolocation data
This is the one place the MTCDPA departs from its own opt-out design. Everywhere else, a business can collect and process data by default and must honor an opt-out. For sensitive data, a business needs the consumer's affirmative "yes" before it processes the data at all.
What Does the MTCDPA Require Businesses to Do?
Covered businesses, called controllers under the statute, carry a defined set of duties around transparency, minimization, and consumer choice. Seven core obligations define what the law expects.
- Post a privacy notice through a conspicuous hyperlink using the word "privacy" on the homepage, explaining consumer rights and showing the date it was last updated
- Minimize data collection to what relates to the purposes disclosed to the consumer
- Provide an opt-out mechanism that is at least as easy to use as the mechanism for giving consent
- Disclose any sale or targeted-advertising processing in the privacy notice and offer a clear opt-out method
- Notify consumers of material changes to the privacy notice or practices, and give them a reasonable chance to withdraw consent
- Honor consumer requests within the 45-day window
- Run data protection assessments for processing that presents a heightened risk of harm
A processor working on a controller's behalf must follow the controller's instructions and help it meet these duties. That help includes supplying the information controllers need for data protection assessments.
Data Protection Assessments
A data protection assessment is a documented risk review a controller must complete before high-risk processing. Triggers include targeted advertising, profiling, selling data, or processing sensitive data. The assessment documents the processing's purpose, the categories of data involved, and the safeguards in place.
The Montana Attorney General can request a controller's data protection assessments as part of an investigation. Processors must supply the information controllers need to complete and document these assessments.
How Does the MTCDPA Protect Minors?
SB 297 added some of the strongest minors' protections among current US state privacy laws. These duties apply even to businesses below the general consumer thresholds. They bind any controller that offers an online service to a user it knows, or willfully disregards, is a minor. Such a controller must meet six duties.
- Use reasonable care to avoid a "heightened risk of harm" to the minor
- Skip targeted advertising, sale, or profiling of a minor's data without consent
- Avoid processing beyond the disclosed purpose or retaining data longer than necessary
- Not use a system design feature that significantly increases, sustains, or extends a minor's use of the service without consent
- Limit precise geolocation collection to what is necessary, with an ongoing collection signal
- Add safeguards on direct-messaging features that limit unsolicited adult contact with minors
A controller can rely on the minor's own consent or COPPA-compliant verifiable parental consent, matching the federal children's-privacy standard. Following the statute's specific requirements creates a rebuttable presumption that a controller met its reasonable-care duty.
These minors' provisions were entirely new in 2025 and apply regardless of the small-business consumer-count thresholds.
How Is the Montana Consumer Data Privacy Act Enforced? (Penalties and the Attorney General)
The Montana Attorney General has exclusive authority to enforce the MTCDPA. There is no private right of action, so individual consumers cannot sue businesses directly, and only the Attorney General's office can bring an enforcement case.
SB 297 codified a maximum civil penalty of up to $7,500 per violation. The Attorney General can also seek an injunction plus attorney fees and investigation costs. A civil investigative demand can compel a controller to produce its data protection assessments.
Before SB 297, the original 2023 law gave businesses a 60-day right to cure a violation before facing enforcement. That period was built to expire automatically on April 1, 2026. SB 297 removed it early, effective October 1, 2025, so businesses now face enforcement without an automatic warning window.
Consumers who believe their rights were violated can file a complaint with the Montana Office of Consumer Protection.
How Is the MTCDPA Different from the CCPA and GDPR?
The MTCDPA, the CCPA, and the GDPR take three different approaches to consent, coverage, and enforcement. The clearest gap is consent model: the MTCDPA and CCPA both start from opt-out, while the GDPR requires opt-in by default.
| MTCDPA | CCPA/CPRA | GDPR | |
|---|---|---|---|
| Consent model | Opt-out, with opt-in for sensitive data | Opt-out, with opt-in for minors under 16 | Opt-in by default |
| What triggers coverage | Montana consumer-count thresholds, no revenue gate | Revenue, data-volume, or data-sale-revenue thresholds | Processing any EU resident's data |
| Terminology | "Controller" and "processor" | "Business" and "service provider" | "Controller" and "processor" |
| Private right of action | None | Limited, for certain data breaches | Not applicable (regulator-driven) |
The MTCDPA follows the "controller/processor" model that Virginia's law popularized, not California's "business/service provider" language. Unlike the CCPA, the MTCDPA sets no revenue-size threshold, so it can reach smaller multi-state businesses that California's law would exclude.
Europe's GDPR requires opt-in consent by default, a stricter starting point than either US state law.
What the Montana Consumer Data Privacy Act Means for Your Website and Cookies
A covered site needs to translate the MTCDPA's rights and duties into concrete changes to its privacy notice and cookie setup. Five practical actions cover most of that work.
- Post a clear privacy notice through a conspicuous "privacy" link on the homepage
- Show Montana visitors a clear way to opt out of targeted-advertising cookies and data sales, often a "Your Privacy Rights" link
- Get affirmative opt-in consent before any tool processes sensitive data, such as precise geolocation
- Make opting out at least as easy as opting in
- Keep records of each visitor's consent choice as proof of compliance
This is much like the GDPR's cookie consent rules: both laws expect a visible, working consent control rather than a policy page nobody reads.
A site that already runs the same banner-and-records discipline to make its website GDPR compliant is most of the way to a working Montana setup.
How Consently Helps You Meet Montana's Opt-Out and Consent Requirements
Consently supports the consumer-facing side of MTCDPA compliance. It shows Montana visitors an opt-out consent banner built on the CCPA and US state-law model. The banner's opt-out control doubles as the site's "Your Privacy Rights" mechanism.
Consently's region-based, geotargeted banner display uses automatic geotargeting and country-code script loading. Montana visitors see the opt-out banner, while EU visitors see the opt-in model GDPR requires, and one account runs both models on the same site.
Two more features back the record-keeping and disclosure side. Consent logs give a timestamped record of who opted out and when, useful if the Attorney General ever requests proof of compliance. The cookie, privacy, and terms-and-conditions policy generators help produce the clear privacy notice the MTCDPA requires, with the last-updated date the statute calls for.
One thing to know: Consently does not detect or honor browser-level Global Privacy Control signals. Honoring GPC remains a separate task for the business to configure elsewhere. A banner and policy-generator tool supports specific compliance tasks; it is not a substitute for legal advice or a guarantee of MTCDPA compliance.
Consently's CCPA and US state-law opt-out tools are free to try for 14 days, no credit card required. Try Consently free to see the opt-out banner and consent log running on your own site.
FAQs
What is the Montana Consumer Data Privacy Act in simple terms?
The Montana Consumer Data Privacy Act is a Montana law that gives residents rights over their personal data. It makes covered businesses honor consumer opt-outs and get affirmative consent before processing sensitive data.
When did the Montana Consumer Data Privacy Act take effect?
The MTCDPA took effect October 1, 2024. SB 297 broadened it effective October 1, 2025, lowering the applicability thresholds and adding new duties.
Who has to comply with the Montana Consumer Data Privacy Act?
A business must comply if it controls or processes the data of 25,000 or more Montana consumers. The threshold drops to 15,000 consumers if the business derives over 25% of revenue from selling personal data. There is no revenue-size threshold.
Does the Montana privacy law apply to small businesses?
Only if a business meets one of the consumer-count thresholds. Montana's thresholds are among the lowest of any state privacy law. Check whether your site reaches 25,000 Montana consumers, or sells data and reaches 15,000, before assuming it is exempt.
What are the penalties for violating the Montana Consumer Data Privacy Act?
Violations carry a civil penalty of up to $7,500 per violation. The Attorney General can also seek an injunction and its attorney fees and investigation costs. There is no automatic cure period since SB 297 eliminated it effective October 1, 2025.
Who enforces the Montana Consumer Data Privacy Act?
The Montana Attorney General enforces the MTCDPA exclusively. Consumers who believe their rights were violated file a complaint with the Montana Office of Consumer Protection rather than suing directly.
Is there a private right of action under the MTCDPA?
No. The statute explicitly states nothing in the law provides the basis for a private right of action. Individual consumers cannot sue a business directly for a violation.
What did the 2025 SB 297 amendments change?
SB 297 lowered the applicability thresholds and removed the GLBA-entity exemption while narrowing the nonprofit exemption. It also added minors' protections and privacy-notice duties, codified the $7,500 penalty, and eliminated the automatic right to cure.
How is the Montana privacy law different from the CCPA?
The MTCDPA uses "controller and processor" terminology, sets no revenue-size threshold, and gives consumers no private right of action. The CCPA uses "business and service provider" terminology and allows a limited private right of action for certain data breaches.

