Montana Consumer Data Privacy Act
Montana’s Consumer Data Privacy Act (MTCDPA) passed unanimously through the state legislature and went into effect October 1, 2024. Amendments that went into effect October 1, 2025, significantly changed and strengthened the law, lowering its scoping threshold, providing strong protections for minors up to 18 regardless of whether businesses meet the scoping thresholds, and removing the cure period.
What you need to know about the MTCDPA:
The MTCDPA applies to entities that:
- Conduct business or provide products or services to residents of Montana (consumers), and
- Control or process the personal information of either:
  - 25,000 consumers, excluding PI used solely for completing payment transactions; or
  - 15,000 consumers, where the entity derives more than 25% of its gross revenue from the sale of PI.
Note: The MTCDPA’s rules protecting minors’ personal information apply regardless of whether organizations meet the above applicability thresholds.
Exempt Entities: These include:
- Non-profits established to detect and prevent insurance fraud;
- State government entities;
- Higher education institutions;
- HIPAA-covered entities;
- Certain chartered banks and credit unions;
- Insurers and self-insurers;
- National securities associations registered under the federal Securities Exchange Act.
Exempt Data: The MTCDPA exempts certain personal information, including but not limited to:
- Protected Health Information under HIPAA;
- Data covered by the Gramm-Leach-Bliley Act;
- Various federally and internationally protected health and patient information, including data protected by the Common Rule and human subject research data;
- Various forms of credit data regulated by the Fair Credit Reporting Act; and
- Data covered by a wide variety of other federal laws, including the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Driver’s Privacy Protection Act.
Exempt Use Cases: The MTCDPA does not apply in some circumstances, such as:
- Processing PI in an employment or commercial (B2B) context;
- Processing PI for emergency contact purposes; and
- Processing PI of an individual in relation to the provision of benefits.
In addition, Montana specifies that its law should not be construed to restrict a business’s collection, use, or retention of PI for:
- Conducting internal research for development, improvement, and repair of products, services, and technology (R&D);
- Product recalls;
- Identifying and repairing technical errors that impair existing or intended functionality; and
- Performing internal operations.
Key Components of the MTCDPA
The MTCDPA covers “personal data,” also called personal information or PI, which Montana defines as: “any information that is linked or reasonably linkable to an identified or identifiable individual.”
The definition exempts de-identified information and information made publicly available by government records, the media, or the consumer.
Montana’s definition of sensitive PI is in keeping with older laws, like those of Colorado and California. Whereas some of the newer laws include financial information, transgender status, and more, sensitive PI under the MTCDPA consists of:
- Racial or ethnic origin;
- Religious beliefs;
- Mental or physical condition or diagnosis;
- Sex life or sexual orientation;
- Citizenship or immigration status;
- PI about a known child;
- Precise geolocation data; and
- Genetic or biometric data processed for identification purposes.
Parental consent is required to process PI about a known child (under 13) in accordance with COPPA, and individual consent is required to sell the PI of minors ages 13 through 15 or to use it for targeted advertising.
Controllers must obtain the consent of minors between the ages of 13 and 18 years for selling their PI, processing it for targeted advertising, profiling with significant effects and to retain it longer than necessary to provide the service.
Controllers must also get consent to process precise geolocation information unless reasonably necessary, and must provide a persistent signal that the minor’s precise location is being collected.
The MTCDPA also requires controllers to exercise a duty of care to avoid a heightened risk of harm when providing online products and services to minors, and to avoid dark patterns in consent interfaces.
Controllers that provide messaging tools are required under the law to implement safeguards limiting the ability for adults to send unsolicited messages to minors.
Where a controller processes de-identified data, the MTCDPA requires it to take reasonable measures to ensure the data cannot be associated with an individual; publicly commit to maintaining such data without attempting to re-identify it; and contractually obligate any recipients of the data to comply with the MTCDPA.
The MTCDPA also exempts pseudonymous data from access, correction, and deletion requests where the controller can show that it keeps the information that would allow re-identification separate and subject to technical and organizational controls that prevent its use for re-identification.
Additionally, the 2025 amendments prohibit businesses from disclosing sensitive PI whose exposure would trigger the state’s breach notification law, such as Social Security numbers or biometric data.
In addition to the consent requirements for sensitive PI and the PI of children and minors (see above), consent is also required for any secondary use of information that is not necessary for, or compatible with, the purpose of collection and that has not been disclosed to the consumer in a notice.
Under the MTCDPA, privacy notices must be available in all languages in which the organization does business and must include:
- Categories of PI processed;
- Business purpose for processing PI;
- Categories of PI shared with third parties;
- Categories of third parties with which PI is shared;
- Explanation of consumer rights and the methods for a consumer to exercise their privacy rights (see below) and appeal a rights decision;
- Date of the latest update; and
- An active email address or other electronic method for a consumer to contact the company.
Organizations must notify consumers of any material changes to their privacy notice using reasonable electronic measures and provide a reasonable opportunity for consumers to revoke consent for materially different uses of their PI.
Montana defines “sale” to include exchange for monetary or other valuable consideration.
There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of PI to provide a product or service requested by the consumer, the disclosure of PI to an affiliate, disclosure of PI intentionally made public, and the disclosure of PI as part of a merger or bankruptcy.
The Montana Attorney General (AG) has sole enforcement authority. Notably, Montana does not specify a financial penalty for violations. While the law was originally passed with a 60-day cure period, the 2025 amendments removed it, meaning the AG can enforce the MTCDPA without advance notice.
Privacy Rights Under the MTCDPA
The individual rights created under the MTCDPA align well with those provided under other state laws. If the MTCDPA applies to your business, you must provide consumers the following rights:
- Right to know whether a business is processing their PI;
- Right to access their PI;
- Right to correct inaccuracies in their PI;
- Right to delete PI about them;
- Right to obtain a copy of the PI they provided (data portability); and
- Right to opt out of targeted advertising, the sale of PI, and profiling.
Businesses must respond within 45 days of receipt of the request, with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge at least once per year. Businesses may deny a rights request in certain circumstances, including inability to verify the identity of a requestor. When a business denies a request, the business must notify the consumer within the 45-day timeframe and provide the reason for the denial as well as instructions for how to appeal the decision.
The appeal process must be conspicuously available to the consumer and similar to the process for submitting requests. Businesses must respond to appeals within 60 days of receipt and, if denying an appeal, must allow consumers to submit a complaint via an online mechanism (if available) or another method for contacting the Montana State Attorney General.
Universal Opt-Out
Starting January 1, 2025, Montana requires that controllers recognize universal opt-out signals. Universal opt-out, or Global Privacy Control (GPC), is a technical standard that enables users to automatically communicate their privacy preferences, such as opting out of the sale of their personal information, to websites through their web browser or other technologies.
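As an added example (not from the original article), here is server-side logic for recognizing the GPC signal and gating processing on it. It assumes the header and attribute names defined by the GPC specification (the `Sec-GPC` request header, mirrored in the browser as `navigator.globalPrivacyControl`); the merge policy and the `OptOutState` record are this example’s own constructions.

```python
"""Recognize a Global Privacy Control (GPC) signal on an incoming request.

Constructed example. The Sec-GPC header name and the literal value "1"
come from the GPC specification; the opt-out record and merge policy
below are assumptions for illustration.
"""
from dataclasses import dataclass

GPC_HEADER = "sec-gpc"  # HTTP header names are case-insensitive


@dataclass
class OptOutState:
    """Consumer's opt-out choices for the three MTCDPA opt-out purposes."""
    targeted_advertising: bool = False
    sale: bool = False
    profiling: bool = False
    source: str = "none"  # where the current state came from


def gpc_signal_present(headers: dict) -> bool:
    """True only when Sec-GPC carries exactly "1" (any other value is no signal)."""
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def apply_opt_out(headers: dict, stored: OptOutState) -> OptOutState:
    """Merge a GPC signal into the consumer's stored choices.

    GPC conveys an opt-out of sale and targeted advertising, so those are set
    when the signal is present; a stored profiling opt-out is preserved.
    Absence of the signal never clears an opt-out the consumer already made.
    """
    if gpc_signal_present(headers):
        return OptOutState(targeted_advertising=True, sale=True,
                           profiling=stored.profiling, source="gpc")
    return stored


def may_process(purpose: str, state: OptOutState) -> bool:
    """Return whether a given opt-out purpose may proceed under `state`."""
    blocked = {
        "targeted_advertising": state.targeted_advertising,
        "sale": state.sale,
        "profiling": state.profiling,
    }
    if purpose not in blocked:
        raise ValueError(f"unknown purpose: {purpose}")
    return not blocked[purpose]


# Constructed sample requests: one with the signal, one without.
SAMPLE_GPC_REQUEST = {"Host": "example.test", "Sec-GPC": "1"}
SAMPLE_PLAIN_REQUEST = {"Host": "example.test"}
```

The check is deliberately strict: only the literal value "1" counts as a signal, so a malformed or absent header falls back to whatever the consumer previously chose.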
Privacy Impact Assessments
Montana requires that covered organizations conduct data protection impact assessments, or privacy impact assessments (PIAs), for certain high-risk processing carried out after January 1, 2025.
MTCDPA requires assessments for activities that present a heightened risk of harm, specifically including:
- Processing for targeted advertising;
- Processing sensitive PI;
- Selling PI;
- Processing for the purposes of profiling if it presents a “reasonably foreseeable risk” of:
  - Unfair or deceptive treatment of, or unlawful disparate impact on, consumers;
  - Financial, physical, or reputational injury to consumers;
  - Physical or other intrusion on the solitude or seclusion, or private affairs or concerns, of consumers that would be offensive to a reasonable person; or
  - Other substantial injury.
Vendor Contracts
The MTCDPA requires controllers to have a contract in place with vendors that dictates obligations with respect to processing PI. Contracts must include:
- Instructions for processing PI;
- The nature and purpose of processing;
- Type of data that is subject to processing;
- The duration of processing;
- Rights and obligations of both parties;
- A duty of confidentiality for individuals who process the PI;
- Obligation to delete or return all PI at the controller’s direction or when it has completed the services, unless retention of the PI is required by law;
- Obligation to make available all information necessary to demonstrate the vendor’s compliance with its obligations;
- Submission to audits by the controller or an independent auditor, with a report of the assessment provided to the controller; and
- Flow-down of these obligations to any subcontractor in a written contract.
Data Minimization
MTCDPA limits the collection of PI “to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer.” Where processing is not necessary or compatible with the purpose for collection, organizations must obtain consumers’ consent for the processing.
Data Privacy is Just Good Business
Managing privacy compliance with all the new state privacy laws popping up in the U.S. might seem like a daunting task. But just because the task appears daunting doesn’t mean it’s impossible to handle.
You don’t have to go it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies that help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.