Montana

• Montana Consumer Data Privacy Act (MTCDPA)
• Code: Mont. Code Ann. § 30-14-28 (2023)

Effective Date:  October 1, 2024

Threshold

Companies that conduct business in Montana or target products or services to Montana residents that:

1. Control or process the personal data of not less than 50,000 state residents, excluding personal data controlled or processed solely for purposes of completing a payment transaction; or
2. Control or process the personal data of not less than 25,000 state residents and derive more than 25 percent of gross revenue from the sale of personal data

Definition of "Sensitive Data"

As with all state general privacy laws, includes the following Personal Data:

• Race or ethnic origin;
• Religious beliefs;
• Citizenship or immigration status;
• Genetic data;
• Biometric data;
• Physical or mental health diagnosis; and 
• Sexual orientation.

In addition, Montana's definition also includes:

• Sex life;
• Precise geolocation data; and
• Personal data of a known child.

Definition of "Personal Data"

Any information that is linked or reasonably linkable to an identified or identifiable natural person. Does not include de-identified data or publicly available information. Personal data does not include data from people acting in an employment or commercial context.

Definition of "Sale"

Exchange of personal data for monetary or other valuable consideration by a controller to a third party

Data-Protection Assessments

Required for targeted advertising, sale, sensitive data, certain profiling

Impact assessments must weigh the benefits to the controllers against the risks to consumers' rights as mitigated by any safeguards

Opt-In Consent Required for Processing Sensitive Data 

Consumer Rights to Confirm Processing, Request Access, Correction, Deletion & Portability

Yes

Consumer Right to Opt Out of Sale

Yes

Consumer Right to Opt Out of Targeted Ads

Yes

Consumer Right to Opt Out of Profiling

Yes

Pseudonymous Data Exempt from Consumer Requests

Yes

Appeal Rights

Yes

Universal Opt-Out Mechanism Required Recognition/Date

Yes, no later than January 1, 2025

Data of Minors

Prohibits businesses from selling personal data or processing the personal data of a consumer for the purposes of targeted advertising without consent when a controller has actual knowledge that the consumer is at least 13 years of age but younger than 16 years of age (if data on a child under 13, compliance reverts to COPPA)

GLBA Exemption

Yes (both entity-level and data-level)

HIPAA Exemption

Yes (entity-level and data level)

Applies/Does Not Apply to Personal Information in a Commercial or Employment Context

Does not apply to commercial or employment context; applies in an individual or household context

Nonprofit Exemption

Yes

Private Right of Action

No

Cure Period

60 Days

Cure Period Expiration

April 1, 2026

Enforcement Authority/Damages

Attorney General/Not Defined

Disclaimer: States may periodically amend their laws and regulations and such amendments may affect or modify certain legal requirements or compliance obligations. There is no guarantee that this research is up to date as laws and regulations in the state consumer data privacy space continue to evolve. You should consult an attorney to assess the applicability of any existing, new, or proposed state consumer data privacy laws. By accessing this site, you acknowledge your understanding that the underlying content is not a replacement for legal counsel and does not constitute legal advice.