Montana Consumer Data Privacy Act (MCDPA): Complete 2026 Compliance Guide
Montana’s Strengthened Privacy Law
The Montana Consumer Data Privacy Act (MCDPA) took effect on October 1, 2024, after being signed into law on May 19, 2023. While the original law was already considered consumer-friendly, the 2025 SB 297 amendments (effective October 1, 2025) significantly expanded its scope — lowering applicability thresholds, eliminating the cure period, adding a duty of care for minors, and broadening enforcement powers.
If your business operates in Montana or serves Montana consumers, the amended MCDPA may now apply to you even if you were previously below the thresholds. Use our Privacy Law Calculator to check your compliance obligations.
Who Must Comply with the MCDPA?
Following the SB 297 amendments, the MCDPA applies to entities that conduct business in Montana or deliver commercial products or services targeted to Montana residents, AND meet either of these thresholds during a calendar year:
- Control or process personal data of 25,000 or more Montana consumers, OR
- Control or process personal data of 15,000 or more Montana consumers AND derive over 25% of gross revenue from the sale of personal data
Key change: These thresholds were significantly lowered from the original law’s 50,000/25,000 consumer counts. Given Montana’s relatively small population (approximately 1.1 million), the 25,000-consumer threshold means that even businesses with a moderate Montana customer base may now be covered.
Exemptions
The MCDPA exempts several categories of entities and data types:
- Entity exemptions: Government bodies, nonprofit organizations, entities covered by HIPAA, institutions of higher education. Note that SB 297 eliminated the blanket GLBA financial institution exemption, replacing it with more specific exemptions for banks, credit unions, insurers, and insurance producers.
- Data exemptions: Data governed by HIPAA, GLBA, FCRA, FERPA, DPPA, and certain employment and B2B contact data
Consumer Rights Under the MCDPA
Montana provides its consumers with a comprehensive set of privacy rights:
- Right to access — Confirm whether a controller is processing their personal data and access that data
- Right to correction — Request correction of inaccurate personal data
- Right to deletion — Request deletion of personal data
- Right to data portability — Obtain a copy of personal data in a portable, readily usable format
- Right to opt out of sale — Opt out of the sale of personal data
- Right to opt out of targeted advertising — Opt out of processing for targeted advertising
- Right to opt out of profiling — Opt out of profiling in furtherance of automated decisions (SB 297 removed the “solely” modifier, broadening this right)
- Right to appeal — Appeal a controller’s denial of a consumer rights request
Controllers must respond to consumer requests within 45 days, with one 45-day extension if reasonably necessary.
Key SB 297 Amendments — What Changed in 2025
The SB 297 amendments represent one of the most significant expansions of an existing state privacy law. Here is what changed:
Lower Applicability Thresholds
The consumer count thresholds were cut in half — from 50,000 to 25,000 for the primary tier, and from 25,000 to 15,000 for the secondary tier (with data sale revenue). This brings significantly more businesses under the law’s coverage.
Cure Period Eliminated
The original 60-day cure period was removed entirely; its end date was moved up from the planned January 1, 2026, sunset to October 1, 2025. The Montana Attorney General now has immediate enforcement discretion without offering businesses an opportunity to cure alleged violations first.
Duty of Care for Minors
SB 297 added a specific duty of care with respect to minors, requiring controllers to take additional measures to protect the data of consumers under 18. The MCDPA already required opt-in consent for processing data of known children under 13 and enhanced protections for teen data.
Expanded Profiling Opt-Out
The removal of the “solely” modifier from the profiling opt-out right means consumers can now opt out of profiling in furtherance of any automated decisions with legal or similarly significant effects, not just decisions made solely by automated means.
Financial Institution Exemption Changes
SB 297 eliminated the blanket Gramm-Leach-Bliley Act entity exemption but added more targeted exemptions for banks, credit unions, insurers, and insurance producers. This is a nuanced change that may affect some financial services companies.
Key Business Obligations
Universal Opt-Out (GPC) Requirement
Montana requires businesses to recognize and honor universal opt-out mechanisms such as Global Privacy Control (GPC) for opt-out of data sales and targeted advertising. This requirement has been in effect since January 1, 2025. Check your GPC obligations across states with our GPC Compliance Checker.
Privacy Notices
Controllers must provide a reasonably accessible, clear privacy notice covering: categories of personal data processed, purposes of processing, how consumers can exercise their rights, categories of data shared with third parties, and categories of third parties.
Sensitive Data Consent
Processing sensitive data requires opt-in consent. Sensitive data under the MCDPA includes: racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, and biometric data used for identification.
Data Protection Assessments
Controllers must conduct and document data protection assessments before engaging in processing that presents a heightened risk of harm to consumers, including targeted advertising, data sales, profiling, and sensitive data processing.
Processor Contracts
Controllers engaging processors must establish written contracts specifying: the nature and purpose of processing, type of data, duration, rights and obligations, confidentiality requirements, and data return or deletion provisions.
Enforcement and Penalties
The Montana Attorney General has exclusive enforcement authority. There is no private right of action.
- Penalties: Up to $7,500 per violation
- Cure period: None (eliminated by SB 297, effective October 1, 2025)
The elimination of the cure period means the Montana AG can take immediate enforcement action without first providing notice and an opportunity to fix the violation. This places Montana among the strictest enforcers alongside California and Colorado. View enforcement trends on our Enforcement Tracker.
How Montana Compares to Other State Privacy Laws
The post-amendment MCDPA places Montana among the more consumer-friendly state privacy laws:
- Lower thresholds: 25,000/15,000 consumers — among the lowest alongside Delaware (35,000/10,000) and New Hampshire (35,000/10,000)
- GPC required: Montana joins California, Colorado, Connecticut, Oregon, Texas, and Delaware in requiring universal opt-out recognition
- No cure period: Joining California, Colorado, and Oregon — unlike Iowa (permanent 90 days) or Tennessee (60 days)
- Full consumer rights: All eight core rights (access, correction, deletion, portability, opt-out sale, opt-out ads, opt-out profiling, appeal)
- Minor protections: Specific duty of care plus opt-in consent for under-13 and enhanced protections for teens
- Population context: With ~1.1 million residents, the 25,000-consumer threshold covers a proportionally larger share of businesses operating in Montana
Use our State Comparison Tool for a detailed side-by-side analysis.
7-Step MCDPA Compliance Plan
- Reassess applicability under new thresholds — If you previously fell below the 50,000/25,000 consumer counts, check again. The thresholds are now 25,000/15,000. Use the Privacy Law Calculator.
- Implement GPC recognition — Ensure your website and apps recognize and honor Global Privacy Control and other universal opt-out signals.
- Update privacy notices — Include all MCDPA-required disclosures, especially regarding universal opt-out methods and the expanded profiling opt-out right.
- Review minor data practices — Ensure opt-in consent for children under 13, enhanced protections for teens, and compliance with the new duty of care for all minors.
- Build consumer rights processes — Establish intake, verification, fulfillment, and appeals workflows for all eight consumer rights. Set up a 45-day response timeline.
- Conduct data protection assessments — Document DPAs for targeted advertising, data sales, profiling, and sensitive data processing.
- Review processor contracts — Ensure all data processor agreements include MCDPA-mandated provisions. Financial services companies: review whether the new exemption structure still covers your entity.
For a detailed walkthrough, visit our Montana Compliance Checklist.
This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 29, 2026.