Does the MCDPA apply to your business?
It turns on consumer volume, not revenue, and the thresholds are low. The MCDPA applies to persons that do business in Montana or target its residents and that control or process the personal data of at least 25,000 consumers, or at least 15,000 consumers while deriving more than 25% of gross revenue from the sale of personal data.
The law is widely called the Montana Consumer Data Privacy Act, or MCDPA, but its codified short title is simply the Consumer Data Privacy Act. These thresholds are lower than most state privacy laws and reach mid-market businesses with only a moderate Montana footprint. There is no dollar revenue floor. A consumer is a Montana resident, and the definition excludes individuals acting in a commercial or employment context, so workforce and ordinary business-contact data fall outside the consumer-rights framework. The statute also exempts state and local government bodies, institutions of higher education, GLBA-regulated banks and credit unions, HIPAA covered entities and business associates, and insurers, along with data already regulated under laws such as GLBA, HIPAA, the FCRA, and FERPA.
Sources for this answer
Primary law
A.2 Mont. Code Ann. § 30-14-2801: The codified short title of the act is the Consumer Data Privacy Act.
30-14-2801. Short title. This part may be cited as the "Consumer Data Privacy Act".
See Mont. Code Ann. § 30-14-2801.
Primary law
A.1 Mont. Code Ann. § 30-14-2803: The MCDPA applies to persons doing business in Montana or targeting its residents that control or process the data of at least 25,000 consumers, with payment-transaction-only data excluded from the count.
(a) control or process the personal data of not less than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
See Mont. Code Ann. § 30-14-2803(1)(a).
Primary law
A.5 Mont. Code Ann. § 30-14-2803: The MCDPA also applies to persons that process the data of at least 15,000 consumers and derive more than 25% of gross revenue from the sale of personal data.
(b) control or process the personal data of not less than 15,000 consumers and derive more than 25% of gross revenue from the sale of personal data.
See Mont. Code Ann. § 30-14-2803(1)(b).
Primary law
A.3 Mont. Code Ann. § 30-14-2802: A consumer is a Montana resident, and the term excludes individuals acting in a commercial or employment context, so employee and business-contact data fall outside the consumer-rights framework.
(b) The term does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit, or government agency.
See Mont. Code Ann. § 30-14-2802(7).
Primary law
A.4 Mont. Code Ann. § 30-14-2804: The MCDPA exempts state agencies, higher-education institutions, GLBA-regulated banks and credit unions, HIPAA covered entities and business associates, and insurers, along with categories of data regulated under federal laws.
(e) state or federally chartered bank or credit union or an affiliate or subsidiary that is principally engaged in financial activities as described in 12 U.S.C. 1843(k);
See Mont. Code Ann. § 30-14-2804(1)(e).
What must your Montana privacy policy contain?
A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purpose for processing, the categories of personal data sold to or shared with third parties, the categories of those third parties, a contact mechanism, an explanation of consumer rights and how to exercise and appeal them, and the date the notice was last updated.
Section 30-14-2812(5) is the content checklist for a Montana privacy notice. The notice must be posted online through a conspicuous hyperlink on the controller's website homepage or on a mobile device's application store page or download page, and a controller does not need a separate Montana-specific notice if its general notice already contains everything the section requires. The MCDPA also requires data minimization — collection limited to what is adequate, relevant, and reasonably necessary to the disclosed purposes — and, where a controller sells personal data or processes it for targeted advertising, a clear and conspicuous opt-out method presented outside the notice itself.
Sources for this answer
Primary law
B.1 Mont. Code Ann. § 30-14-2812: A controller must provide a reasonably accessible, clear, and meaningful privacy notice listing the categories of personal data processed and the purpose for processing, among other required disclosures.
A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
See Mont. Code Ann. § 30-14-2812(5).
Primary law
B.2 Mont. Code Ann. § 30-14-2812: The privacy notice must be posted online through a conspicuous hyperlink on the controller's website homepage or on a mobile device's application store page or download page.
on the controller's website homepage or on a mobile device's application store page or download page.
See Mont. Code Ann. § 30-14-2812(10).
Primary law
B.3 Mont. Code Ann. § 30-14-2812: A controller must limit data collection to what is adequate, relevant, and reasonably necessary to the disclosed purposes for processing.
limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed to the consumer;
See Mont. Code Ann. § 30-14-2812(1)(a).
What must your contracts with vendors and processors include?
A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — so a written data processing agreement is a statutory requirement, not a best practice.
Section 30-14-2813(2) then specifies the required terms: processing instructions, the nature and purpose of processing, the type of data and duration, a duty of confidentiality, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, a written contract binding any subcontractor to the same obligations, and cooperation with reasonable assessments. A compliant template processor agreement should track each of these.
Sources for this answer
Primary law
C.1 Mont. Code Ann. § 30-14-2813: A contract between a controller and a processor must govern the processor's data processing performed on behalf of the controller.
A contract between a controller and a processor must govern the processor's data processing procedures with respect to processing performed on behalf of the controller.
See Mont. Code Ann. § 30-14-2813(2).
Primary law
C.2 Mont. Code Ann. § 30-14-2813: The controller-processor contract must require that any subcontractor be engaged under a written contract that binds it to the processor's obligations for the personal data.
(d) engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and
See Mont. Code Ann. § 30-14-2813(2)(d).
Do you need consent for sensitive data, and must you honor an opt-out signal?
Yes on both counts. A controller may not process a consumer's sensitive data without first obtaining consent, and for a known child it must instead follow the federal Children's Online Privacy Protection Act. Separately, a controller must let consumers opt out of targeted advertising and the sale of personal data through a universal opt-out preference signal.
Sensitive data includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person's sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child; and precise geolocation data. The opt-out preference signal must require an affirmative consumer choice rather than a default setting, must be consumer-friendly, and must not unfairly disadvantage another controller; the underlying opt-out rights themselves — including the right to opt out of targeted advertising, sale, and certain profiling — sit in section 30-14-2808.
Sources for this answer
Primary law
D.1 Mont. Code Ann. § 30-14-2812: A controller may not process a consumer's sensitive data without consent, and must handle a known child's sensitive data in accordance with COPPA.
process sensitive data concerning a consumer without obtaining the consumer's consent or, in the case of the processing of sensitive data concerning a known child, without processing the sensitive data in accordance with the Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501, et seq.;
See Mont. Code Ann. § 30-14-2812(2)(b).
Primary law
D.3 Mont. Code Ann. § 30-14-2802: Sensitive data includes data revealing race or ethnicity, religious beliefs, health condition, sex life, sexual orientation, or immigration status.
(a) data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person's sex life, sexual orientation, or citizenship or immigration status;
See Mont. Code Ann. § 30-14-2802(28)(a).
Primary law
D.2 Mont. Code Ann. § 30-14-2809: Controllers must allow consumers to opt out of targeted advertising or the sale of personal data through an opt-out preference signal that requires an affirmative choice and uses no default setting.
(ii) may not make use of a default setting, but require the consumer to make an affirmative, freely given and unambiguous choice to opt out of any processing of a customer's personal data pursuant to this part;
See Mont. Code Ann. § 30-14-2809(3)(b)(ii).
Primary law
D.4 Mont. Code Ann. § 30-14-2808: Consumers have the right to opt out of processing of their personal data for the purposes of targeted advertising, the sale of personal data, and certain profiling.
(e) opt out of the processing of the consumer's personal data for the purposes of:
See Mont. Code Ann. § 30-14-2808(1)(e).
Who enforces the MCDPA, and can consumers sue?
The Attorney General has exclusive authority to enforce the MCDPA, so there is no private right of action for consumers. An uncured violation exposes a business to a civil penalty of up to $7,500 for each violation.
The statute is explicit that nothing in it provides a basis for a private right of action. The 2025 amendments also reshaped the enforcement posture: the original act's right to cure was scheduled to sunset on April 1, 2026, but the amendments removed the general cure provision early, so the current enforcement section no longer contains one. The penalty section still references a 30-day period described in section 30-14-2817(3), while that subsection now describes the Attorney General's civil-investigative-demand authority rather than a cure process — an unresolved cross-reference that should be treated as a live statutory ambiguity. The practical posture is to build the notice, consent, and contracting controls up front rather than relying on a chance to fix problems after a complaint.
Sources for this answer
Primary law
E.1 Mont. Code Ann. § 30-14-2817: The Attorney General has exclusive authority to enforce the MCDPA.
The attorney general has exclusive authority and may use the duties and powers provided by Title 30, chapter 14, parts 1 and 2, to enforce violations pursuant to this part.
See Mont. Code Ann. § 30-14-2817(1).
Primary law
E.3 Mont. Code Ann. § 30-14-2817: The MCDPA provides no private right of action for violations.
Nothing in this part may be construed as providing the basis for or be subject to a private right of action for violations of this part or any other law.
See Mont. Code Ann. § 30-14-2817(5).
Primary law
E.2 Mont. Code Ann. § 30-14-2820: A violator is liable for a civil penalty of up to $7,500 for each violation, which the Attorney General may recover by action in the name of the state.
A person who violates the provisions of this part following the 30-day period described in 30-14-2817(3) is liable for a civil penalty in an amount not to exceed $7,500 for each violation.
See Mont. Code Ann. § 30-14-2820(2).