Montana Consumer Data Privacy Act: 2026 Business Guide

Montana’s privacy law has changed since many businesses first reviewed it in 2024. SB 297 took effect on October 1, 2025, updating who the law applies to, how penalties work, and what privacy notices must include.

If your website reaches Montana consumers, this guide explains where the law stands in 2026, based on the current version of the Montana Consumer Data Privacy Act rather than the original 2023 bill.

What is the Montana Consumer Data Privacy Act?

The Montana Consumer Data Privacy Act (MCDPA), codified at MCA 30-14-2801, is a comprehensive state privacy law that gives Montana consumers control over how their personal data is collected and used. It grants rights including the right to access, correct, delete, and obtain a portable copy of personal data, and the right to opt out of data sales, targeted advertising, and certain profiling activities.

The law originally took effect on October 1, 2024. Senate Bill 297 was signed into law in 2025 and became effective October 1, 2025, significantly revising the MCDPA by lowering applicability thresholds, adding civil penalties, removing the cure period, and tightening privacy notice requirements. The Montana Department of Justice has published guidance on what these changes mean for businesses and consumers.

What changed under Montana SB 297?

SB 297 was not a minor update. It changed who the MCDPA applies to, how enforcement works, and what businesses must include in their privacy notices.

Key changes at a glance

The most significant change from a practical standpoint is the removal of the cure period. Under the original law, the Attorney General was required to give businesses 60 days to fix a violation before taking action. That safety net is gone. If the AG investigates and finds a violation today, enforcement can proceed immediately.

Civil penalties, which were not addressed in the original law, are now capped at $7,500 per violation. There is no overall statutory cap, which means penalties can accumulate quickly across multiple or repeated violations. The AG can also seek an injunction and recover attorney fees and enforcement costs.

Revised exemptions under SB 297

SB 297 adjusted which organizations are exempt. The Gramm-Leach-Bliley Act entity exemption was removed, but specific exemptions were added for banks, credit unions, insurers, and insurance producers. The nonprofit exemption is now limited to organizations that detect or prevent fraud in connection with insurance.

If your organization previously relied on a GLBA entity-level exemption, this is worth reviewing with your legal team to determine whether a specific exemption under SB 297 applies instead.

Who does the Montana privacy law apply to in 2026?

The MCDPA applies to any person or entity that conducts business in Montana, or produces products or services intentionally targeted at Montana residents, and meets one of the following thresholds:

• Controls or processes the personal data of at least 25,000 Montana consumers per year, OR

• Controls or processes the personal data of at least 15,000 Montana consumers per year, and derives more than 25% of gross revenue from the sale of personal data.

SB 297 cut the previous thresholds in half. Before the amendment, the thresholds were 50,000 and 25,000 consumers, respectively. Montana already had unusually low applicability thresholds compared with other U.S. state privacy laws. SB 297 lowered them further.

For context: Montana has a population of around 1.1 million. The 25,000-consumer threshold represents roughly 2% of the state's total population. Even businesses that primarily operate outside Montana could cross this threshold if they serve Montana residents through a website, e-commerce platform, or app.

The MCDPA includes several standard exemptions. It does not apply to government entities, higher education institutions, HIPAA-covered entities or business associates with respect to HIPAA-regulated data, or data regulated under certain federal frameworks. As noted above, the nonprofit exemption has been narrowed under SB 297.

What rights do Montana consumers have?

Under the MCDPA, Montana residents have the following rights over their personal data:

• The right to confirm whether a controller is processing their data and to access that data.

• The right to correct inaccuracies in their personal data.

• The right to delete their personal data.

• The right to obtain a portable copy of their data in a usable format.

• The right to opt out of (i) the sale of personal data, (ii) targeted advertising, and (iii) profiling in connection with decisions that produce legal or similarly significant effects.

Controllers must respond to consumer requests within 45 days of receipt. That window can be extended by another 45 days when reasonably necessary, provided the consumer is notified within the initial period.

Under SB 297, the revocation mechanism for consent must be at least as easy to use as the original mechanism for giving consent. A buried opt-out link or a multi-step withdrawal process is unlikely to meet this standard.

What must businesses do to comply with the MCDPA?

If the MCDPA applies to your organization, here is what the law requires in 2026.

Privacy notice requirements

SB 297 added specific requirements to what a privacy notice must include and how it must be presented. Your privacy notice must:

• Describe the categories of personal data you process and the purposes for processing.

• Clearly explain all consumer rights under the MCDPA.

• Include the date the notice was last updated.

• Be accessible through a conspicuous hyperlink using the word 'privacy' on your website's homepage.

• Be available in each language in which you offer a product or service.

• Be reasonably accessible to individuals with disabilities.

If you make a material change to your privacy notice or data practices, you must notify consumers and give them a reasonable opportunity to withdraw consent.

Clym helps teams manage privacy and cookie policy workflows, including versioning, update dates, language variations, and website deployment from one place.

Opt-out requirements

If your business sells personal data to third parties or processes data for targeted advertising, SB 297 requires you to:

• Clearly and conspicuously disclose that processing in your privacy notice.

• Provide consumers with a clear, accessible method to opt out.

The opt-out mechanism must be at least as easy to use as the mechanism you used to collect consent originally.

Data subject request handling

You need a working process that allows consumers to submit rights requests and that routes, tracks, and documents responses within the 45-day window. Clym’s DSR tools help teams manage intake, routing, deadline tracking, and documentation across multiple U.S. state privacy laws, without maintaining separate workflows for each state.

Data protection assessments

Controllers must conduct data protection impact assessments (DPIAs) for processing activities that present heightened risks, including targeted advertising, data sales, certain profiling, and the processing of sensitive personal data.

Under SB 297, the AG can request a copy of a DPIA as part of a civil investigative demand. That is a meaningful shift: assessments are no longer just a compliance exercise. They can be reviewed during an investigation.

Processor contracts and data minimization

Controllers must have written data processing agreements with processors that cover specific instructions, security requirements, and MCDPA obligations. Controllers must also limit data collection to what is adequate, relevant, and necessary for the stated purpose.

Minors' data

SB 297 added a duty of care requirement for businesses offering online services, products, or features to consumers they know or willfully disregard are minors. Those businesses must use reasonable care to avoid heightened risks of harm to minors caused by the service, product, or feature.

This requirement applies to any business conducting business in Montana or targeting Montana residents, regardless of whether they meet the general consumer data threshold. If your digital service is accessible to minors, this section applies to you.

How does the MCDPA treat universal opt-out mechanisms?

The MCDPA requires controllers to recognize universal opt-out preference signals. From January 1, 2025, if a consumer sends an opt-out signal through a browser or device setting, such as Global Privacy Control (GPC), a controller that sells personal data or processes it for targeted advertising must honor that signal.

GPC adoption has grown significantly since 2024. As browsers and privacy tools have added support for the standard, more consumers are now sending opt-out signals passively, without explicitly interacting with a consent banner. If your website uses advertising pixels, analytics tools that share data, or retargeting campaigns, this is a practical area to check.

Clym’s consent management platform can help detect GPC signals and support opt-out preference workflows for jurisdictions where those signals need to be honored.

What are the penalties for violating the MCDPA?

The Montana Attorney General is the sole enforcement authority. There is no private right of action, meaning consumers cannot sue businesses directly for violations.

Under SB 297:

• Civil penalties are capped at $7,500 per violation, with no overall statutory cap.

• The AG can seek injunctive relief.

• The AG can recover reasonable attorney fees and enforcement costs.

• The 60-day cure period has been removed. Enforcement can begin immediately upon finding a violation.

The removal of the cure period is the change that most directly affects enforcement risk. Before SB 297, receiving an AG notice gave businesses guaranteed time to fix issues. That buffer no longer exists. An investigation can lead to penalties from the outset.

MCDPA website compliance checklist for 2026

If your website may be subject to the MCDPA, review these areas:

Does your privacy notice include all required elements under SB 297, including a rights explanation and a last-updated date?

Is your privacy notice accessible through a conspicuous 'privacy' hyperlink on your homepage?

Is your privacy notice available in every language in which you offer products or services?

Is your privacy notice reasonably accessible to users with disabilities?

Do you have a clear, accessible opt-out method for data sales and targeted advertising?

Are you recognizing and honoring Global Privacy Control signals from Montana visitors?

Do you have a working mechanism for consumers to submit data subject requests?

Are your data processor contracts up to date with MCDPA requirements?

Have you completed data protection assessments for high-risk processing activities?

Do you know whether any of your online services or features are accessed by minors?

For businesses that operate websites or digital services available to Montana residents, the MCDPA may require updates to privacy notices, opt-out workflows, consent controls, and internal request-handling processes. Clym helps teams manage privacy notices, consent preferences, opt-out signals, and data subject requests across multiple U.S. state privacy laws from one platform, without building and maintaining separate workflows for each state.

What businesses should do next

The MCDPA has changed significantly since its original passage in 2023. SB 297 lowered applicability thresholds, added civil penalties of up to $7,500 per violation, expanded privacy notice requirements, and removed the cure period before enforcement.

If your business reaches Montana consumers through a website, app, or digital service, 2026 is a practical time to review your privacy notice, opt-out mechanism, GPC handling, and data subject request process.

For businesses operating across multiple U.S. states, Montana is also worth watching because its lower thresholds may bring smaller digital businesses into scope sooner than other state privacy laws.