Skip to main content

Montana Consumer Data Privacy Act

The Montana Consumer Data Privacy Act grants residents rights over personal data and requires controllers to honor opt-outs, obtain consent for sensitive data, and conduct assessments. It uses low applicability thresholds and is enforced by the Montana Attorney General.

Jurisdiction
Montana

Montana Consumer Data Privacy Act

The Montana Consumer Data Privacy Act (MCDPA), enacted as Senate Bill 384, is Montana's comprehensive consumer privacy statute. It establishes rights for Montana residents over their personal data and imposes obligations on the businesses that control and process it. The law took effect on October 1, 2024. The MCDPA closely follows the Connecticut privacy model, including comparatively low applicability thresholds that bring more mid-sized businesses into scope.

Who It Applies To

The MCDPA applies to persons that conduct business in Montana or target products and services to Montana residents and that control or process the personal data of either 50,000 or more consumers (excluding data processed solely to complete a payment transaction), or 25,000 or more consumers while deriving more than 25 percent of gross revenue from the sale of personal data. The law exempts entities and data covered by HIPAA and the Gramm-Leach-Bliley Act, as well as government bodies and certain nonprofits.

Key Requirements

Controllers must publish a clear privacy notice, limit collection to what is reasonably necessary, and maintain reasonable data security. Consumers may confirm processing, access, correct, delete, obtain a portable copy, and opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions producing legal or similarly significant effects. Sensitive data may not be processed without consent. Controllers must recognize universal opt-out preference signals, a requirement that became effective January 1, 2025. Data protection assessments are required for higher-risk processing activities.

Penalties for Non-Compliance

The Montana Attorney General has exclusive enforcement authority; there is no private right of action. Violations are enforced under the Montana Unfair Trade Practices and Consumer Protection Act. The law included a 60-day right to cure that expired on April 1, 2026, after which the cure period is no longer guaranteed.

How to Comply

Determine whether you meet the relatively low consumer thresholds. Publish an accurate privacy notice and implement processes to fulfill consumer requests within 45 days. Build consent flows for sensitive data and ensure your systems honor browser-based universal opt-out signals. Conduct and retain data protection assessments for targeted advertising, data sales, sensitive data, and significant profiling. Update processor agreements accordingly.

Relationship to Other Laws

Montana's low thresholds make it a useful reminder that state privacy obligations can attach well below the 100,000-consumer mark common in larger states. Organizations should size their data populations carefully, because Montana counts consumers rather than transactions and excludes only payment-completion data from its primary threshold. The MCDPA's alignment with Connecticut means controls built for Connecticut, including universal opt-out signal recognition and data protection assessments, transfer well to Montana. Treating these as shared platform capabilities keeps per-state compliance costs low.

Operational Mechanics

Like its sibling state statutes, this law sets concrete operational requirements that engineering and operations teams must implement. Controllers must respond to a verified consumer rights request without undue delay and within 45 days of receipt, with a single 45-day extension permitted where reasonably necessary given the complexity and volume of requests, provided the consumer is notified of the extension and the reason. Where a controller declines to act, it must inform the consumer of the reason and provide instructions for appealing the decision; the law requires an internal appeal process, and if an appeal is denied the controller must give the consumer a method to contact the state Attorney General to submit a complaint. Controllers may not charge a fee for the first request in a defined period and must establish a secure, reliable means for consumers to submit requests, taking into account the ways consumers normally interact with the controller. Relationships with processors must be governed by a binding contract that sets out processing instructions, confidentiality duties, deletion or return of data at the end of the engagement, and the duty to assist the controller with security, breach response, and assessments. Treating these mechanics as shared platform services, rather than rebuilding them per state, is the most efficient path to durable, multistate compliance.