Montana Consumer Data Privacy Act (MCDPA)

What is the Montana Consumer Data Privacy Act (MCDPA)?

The Montana Consumer Data Privacy Act (MCDPA), effective October 1, 2024, establishes data privacy rights for Montana residents and compliance obligations for organizations that process personal data in the state. In 2025, Montana enacted amendments (SB 297) that expand the law’s scope and strengthen enforcement and consumer protections, with changes effective October 1, 2025.

As amended, the MCDPA applies to organizations that:

  • Control or process personal data of 25,000 or more consumers annually, or
  • Control or process personal data of 15,000 or more consumers and derive more than 25% of gross revenue from the sale of personal data.

The law includes exemptions for certain data and entities, but SB 297 narrowed the financial institution exemption, removing broad entity-level exclusions under GLBA and limiting exemptions to specific categories of data. Government entities, nonprofits, and certain educational institutions remain exempt.

Consumer Rights and Business Obligations

The MCDPA grants Montana residents the right to:

  • Access, correct, delete, and obtain a portable copy of their personal data
  • Opt out of the sale of personal data
  • Opt out of targeted advertising
  • Opt out of profiling that produces legal or similarly significant effects

Organizations subject to the law must:

  • Publish clear and transparent privacy notices
  • Obtain affirmative consent before processing sensitive data
  • Provide consumer-friendly opt-out mechanisms
  • Recognize valid universal opt-out preference signals
  • Conduct data protection assessments for high-risk processing activities
  • Implement reasonable administrative, technical, and physical data security measures

The 2025 amendments also strengthen protections for children’s personal data and require clearer opt-out visibility and updated privacy notice disclosures, including a visible “last updated” date.

Who Must Comply with the MCDPA?

The MCDPA applies to:

  • Data controllers – organizations that determine the purposes and means of processing personal data
  • Data processors – organizations that process personal data on behalf of a controller

The law clearly distinguishes the responsibilities of controllers and processors, requiring written contracts, defined processing instructions, and accountability for each role. Where a processor determines the purposes or means of processing independently, it may be treated as a controller for that activity.

What Are the Requirements of the MCDPA?

To comply with the MCDPA, data controllers must:

  • Limit Data Collection
    Collect only personal data that is adequate, relevant, and reasonably necessary for disclosed purposes.
  • Publish Transparent Privacy Notices
    Privacy notices must clearly describe processing activities, consumer rights, methods to exercise those rights, and include a visible “last updated” date.
  • Obtain Consent for Sensitive Data
    Affirmative consumer consent is required before processing sensitive data, including precise geolocation, biometric, genetic, health, or similar information.
  • Provide Clear Opt-Out Mechanisms
    Controllers must offer clear and conspicuous opt-out options for data sales and targeted advertising, including mechanisms available outside the privacy notice.
  • Conduct Data Protection Assessments
    Assessments are required for processing that presents a heightened risk to consumers, including targeted advertising, sale of personal data, profiling, and sensitive data processing.
  • Protect Deidentified Data
    Deidentified data must remain non-identifiable, with safeguards and contractual obligations preventing reidentification.
  • Comply with Children’s Data Protections
    Targeted advertising or sale of personal data involving known children requires verifiable parental or guardian consent, in addition to COPPA-related obligations.

Data processors must:

  • Follow controller instructions
  • Assist with consumer rights requests and security obligations
  • Enter into binding contracts governing processing activities
  • Support audits, assessments, and compliance demonstrations

What Rights Does the MCDPA Grant to Consumers?

Montana residents have the right to:

  • Confirm whether their personal data is being processed
  • Access personal data
  • Correct inaccurate data
  • Request deletion of personal data
  • Obtain a portable copy of their data
  • Opt out of data sales, targeted advertising, and certain profiling activities

Controllers must respond to requests within 45 days, with one allowable 45-day extension when reasonably necessary. Consumers may appeal denied requests, and controllers must respond to appeals within required timeframes.

Enforcement and Penalties

Under the 2025 amendments, the MCDPA eliminates the 60-day cure period. The Montana Attorney General may initiate enforcement actions immediately upon identifying a violation, increasing the importance of proactive compliance and documented controls.

Why Be MCDPA Compliant?

MCDPA compliance helps organizations:

  • Build trust with consumers through responsible data practices
  • Reduce regulatory and enforcement risk
  • Strengthen data governance and security controls
  • Align privacy programs with broader U.S. state privacy requirements

How to Achieve Compliance with MCDPA

Compliance with the MCDPA is achieved by determining applicability, implementing processes to support consumer rights, and ensuring personal data is processed in line with disclosed purposes and legal requirements. Using Centraleyes, organizations can assess their posture against MCDPA requirements, document how obligations are met, identify gaps, track remediation activities, and stay informed of relevant regulatory updates, supporting ongoing compliance as the law evolves.
