# Montana Consumer Privacy Law (MCDPA)[^about]

The Montana Consumer Data Privacy Act gives Montana consumers rights over their personal data and imposes notice, contracting, and consent duties on controllers above notably low thresholds. It requires opt-in consent for sensitive data and recognition of a universal opt-out preference signal, and it is enforced exclusively by the Attorney General with no private right of action and, after a 2025 amendment, no general cure period.

## Does the MCDPA apply to your business? {#does-mcdpa-apply}

**Short answer.** It turns on consumer volume, not revenue, and the thresholds are low. The MCDPA applies to persons that do business in Montana or target its residents and that control or process the personal data of at least 25,000 consumers, or at least 15,000 consumers while deriving more than 25% of gross revenue from the sale of personal data [^stat-2803-apply].

The law is widely called the Montana Consumer Data Privacy Act, or MCDPA, but its codified short title is simply the Consumer Data Privacy Act [^stat-2801-shorttitle]. These thresholds are lower than most state privacy laws and reach mid-market businesses with only a moderate Montana footprint. There is no dollar revenue floor. A consumer is a Montana resident, and the definition excludes individuals acting in a commercial or employment context, so workforce and ordinary business-contact data fall outside the consumer-rights framework [^stat-2802-consumer]. The statute also exempts state and local government bodies, institutions of higher education, GLBA-regulated banks and credit unions, HIPAA covered entities and business associates, and insurers, along with data already regulated under laws such as GLBA, HIPAA, the FCRA, and FERPA [^stat-2804-exempt].

## What must your Montana privacy policy contain? {#privacy-policy-contents}

**Short answer.** A controller must provide a reasonably accessible, clear, and meaningful privacy notice that lists the categories of personal data processed, the purpose for processing, the categories of personal data sold to or shared with third parties, the categories of those third parties, a contact mechanism, an explanation of consumer rights and how to exercise and appeal them, and the date the notice was last updated [^stat-2812-notice].

Section 30-14-2812(5) is the content checklist for a Montana privacy notice. The notice must be posted online through a conspicuous hyperlink on the controller's website homepage or on a mobile device's application store page or download page, and a controller does not need a separate Montana-specific notice if its general notice already contains everything the section requires [^stat-2812-posting]. The MCDPA also requires data minimization — collection limited to what is adequate, relevant, and reasonably necessary to the disclosed purposes — and, where a controller sells personal data or processes it for targeted advertising, a clear and conspicuous opt-out method presented outside the notice itself [^stat-2812-minimize].

## What must your contracts with vendors and processors include? {#vendor-processor-contracts}

**Short answer.** A contract between a controller and a processor must govern the processor's data processing on the controller's behalf — so a written data processing agreement is a statutory requirement, not a best practice [^stat-2813-contract].

Section 30-14-2813(2) then specifies the required terms: processing instructions, the nature and purpose of processing, the type of data and duration, a duty of confidentiality, deletion or return of data at the controller's direction, the information needed to demonstrate compliance, a written contract binding any subcontractor to the same obligations, and cooperation with reasonable assessments [^stat-2813-terms]. A compliant template processor agreement should track each of these.

## Do you need consent for sensitive data, and must you honor an opt-out signal? {#sensitive-data-and-opt-out}

**Short answer.** Yes on both counts. A controller may not process a consumer's sensitive data without first obtaining consent, and for a known child it must instead follow the federal Children's Online Privacy Protection Act [^stat-2812-sensitive]. Separately, a controller must let consumers opt out of targeted advertising and the sale of personal data through a universal opt-out preference signal [^stat-2809-signal].

Sensitive data includes data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person's sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child; and precise geolocation data [^stat-2802-sensitive]. The opt-out preference signal must require an affirmative consumer choice rather than a default setting, must be consumer-friendly, and must not unfairly disadvantage another controller; the underlying opt-out rights themselves — including the right to opt out of targeted advertising, sale, and certain profiling — sit in section 30-14-2808 [^stat-2808-optout].

## Who enforces the MCDPA, and can consumers sue? {#enforcement-and-lawsuits}

**Short answer.** The Attorney General has exclusive authority to enforce the MCDPA, so there is no private right of action for consumers [^stat-2817-enforce]. An uncured violation exposes a business to a civil penalty of up to $7,500 for each violation [^stat-2820-penalty].

The statute is explicit that nothing in it provides a basis for a private right of action [^stat-2817-nopra]. The 2025 amendments also reshaped the enforcement posture: the original act's right to cure was scheduled to sunset on April 1, 2026, but the amendments removed the general cure provision early, so the current enforcement section no longer contains one. The penalty section still references a 30-day period described in section 30-14-2817(3), while that subsection now describes the Attorney General's civil-investigative-demand authority rather than a cure process — an unresolved cross-reference that should be treated as a live statutory ambiguity. The practical posture is to build the notice, consent, and contracting controls up front rather than relying on a chance to fix problems after a complaint.



[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-05. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Montana. This article synthesizes Montana primary law and is not legal advice from a Montana-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.

[^stat-2803-apply]: **Mont. Code Ann. § 30-14-2803** — "(a) control or process the personal data of not less than 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or" *Mont. Code Ann. § 30-14-2803(1)(a).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0030/0300-0140-0280-0030.html>

[^stat-2801-shorttitle]: **Mont. Code Ann. § 30-14-2801** — "30-14-2801. Short title. This part may be cited as the ‘Consumer Data Privacy Act’." *Mont. Code Ann. § 30-14-2801.* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0010/0300-0140-0280-0010.html>

[^stat-2802-consumer]: **Mont. Code Ann. § 30-14-2802** — "(b) The term does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit, or government agency." *Mont. Code Ann. § 30-14-2802(7).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0020/0300-0140-0280-0020.html>

[^stat-2804-exempt]: **Mont. Code Ann. § 30-14-2804** — "(e) state or federally chartered bank or credit union or an affiliate or subsidiary that is principally engaged in financial activities as described in 12 U.S.C. 1843(k);" *Mont. Code Ann. § 30-14-2804(1)(e).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0040/0300-0140-0280-0040.html>

[^stat-2812-notice]: **Mont. Code Ann. § 30-14-2812** — "A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:" *Mont. Code Ann. § 30-14-2812(5).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0120/0300-0140-0280-0120.html>

[^stat-2812-posting]: **Mont. Code Ann. § 30-14-2812** — "on the controller's website homepage or on a mobile device's application store page or download page." *Mont. Code Ann. § 30-14-2812(10).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0120/0300-0140-0280-0120.html>

[^stat-2812-minimize]: **Mont. Code Ann. § 30-14-2812** — "limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the personal data is processed, as disclosed to the consumer;" *Mont. Code Ann. § 30-14-2812(1)(a).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0120/0300-0140-0280-0120.html>

[^stat-2813-contract]: **Mont. Code Ann. § 30-14-2813** — "A contract between a controller and a processor must govern the processor's data processing procedures with respect to processing performed on behalf of the controller." *Mont. Code Ann. § 30-14-2813(2).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0130/0300-0140-0280-0130.html>

[^stat-2813-terms]: **Mont. Code Ann. § 30-14-2813** — "(d) engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and" *Mont. Code Ann. § 30-14-2813(2)(d).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0130/0300-0140-0280-0130.html>

[^stat-2812-sensitive]: **Mont. Code Ann. § 30-14-2812** — "process sensitive data concerning a consumer without obtaining the consumer's consent or, in the case of the processing of sensitive data concerning a known child, without processing the sensitive data in accordance with the Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501, et seq.;" *Mont. Code Ann. § 30-14-2812(2)(b).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0120/0300-0140-0280-0120.html>

[^stat-2809-signal]: **Mont. Code Ann. § 30-14-2809** — "(ii) may not make use of a default setting, but require the consumer to make an affirmative, freely given and unambiguous choice to opt out of any processing of a customer's personal data pursuant to this part;" *Mont. Code Ann. § 30-14-2809(3)(b)(ii).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0090/0300-0140-0280-0090.html>

[^stat-2802-sensitive]: **Mont. Code Ann. § 30-14-2802** — "(a) data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, information about a person's sex life, sexual orientation, or citizenship or immigration status;" *Mont. Code Ann. § 30-14-2802(28)(a).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0020/0300-0140-0280-0020.html>

[^stat-2808-optout]: **Mont. Code Ann. § 30-14-2808** — "(e) opt out of the processing of the consumer's personal data for the purposes of:" *Mont. Code Ann. § 30-14-2808(1)(e).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0080/0300-0140-0280-0080.html>

[^stat-2817-enforce]: **Mont. Code Ann. § 30-14-2817** — "The attorney general has exclusive authority and may use the duties and powers provided by Title 30, chapter 14, parts 1 and 2, to enforce violations pursuant to this part." *Mont. Code Ann. § 30-14-2817(1).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0170/0300-0140-0280-0170.html>

[^stat-2820-penalty]: **Mont. Code Ann. § 30-14-2820** — "A person who violates the provisions of this part following the 30-day period described in 30-14-2817(3) is liable for a civil penalty in an amount not to exceed $7,500 for each violation." *Mont. Code Ann. § 30-14-2820(2).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0200/0300-0140-0280-0200.html>

[^stat-2817-nopra]: **Mont. Code Ann. § 30-14-2817** — "Nothing in this part may be construed as providing the basis for or be subject to a private right of action for violations of this part or any other law." *Mont. Code Ann. § 30-14-2817(5).* <https://mca.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/section_0170/0300-0140-0280-0170.html>
