The Montana Consumer Data Privacy Act (MTCDPA), signed into law May 19, 2023, goes into effect on October 1, 2024. While the MTCDPA shares similarities with other state privacy laws, such as those in California, Colorado, and Florida, it exempts fewer organizations, making its impact more widespread. If you handle the data of just 5% (or less!) of Montana’s residents, you could be subject to this law.
As Montana joins a growing number of states with stricter requirements on sensitive data tracking consent and risk assessment, organizations previously exempt from similar state laws may now face significant changes in their privacy operations under the MTCDPA.
It’s important to note that the MTCDPA does not provide any private right of action. The Montana Office of the Attorney General has the exclusive authority to enforce the MTCDPA. Until April 1, 2026, the Montana Office of the Attorney General will also provide data controllers who are out of compliance a 60-day cure period to rectify any violations and take measures to ensure similar violations do not occur in the future.
Who is impacted by the MTCDPA?
As always, we cannot provide legal advice and encourage you to consult with an attorney to determine if and how your organization is impacted by MTCDPA. However, here are a few general guidelines:
Your company is subject to this law if you:
- Handle the personal data of at least 50,000 Montana residents, excluding data exclusively used to facilitate payment, OR
- Derive more than 25% of your revenue from selling personal data and manage the personal data of at least 25,000 consumers
Certain nonprofits, government agencies, higher education institutions, registered national securities associations, and financial institutions are exempt from this law. All entities regulated by the Gramm-Leach-Bliley Act or Health Insurance Portability and Accountability Act (HIPAA) are exempt. Data overseen by the Family Educational Rights and Privacy Act, Fair Credit Reporting Act, or the federal Farm Credit Act is also excluded from consideration under this law. De-identified data that cannot be associated with an individual is also exempt from consideration under the MTCDPA.
How does the MTCDPA handle tracking consent?
Data controllers can provide an opt-out model for tracking, except for sensitive data.
As in Colorado, Connecticut, Virginia, Tennessee, Indiana, Florida, and Washington, sensitive information, including any children’s data, cannot follow an opt-out consent model and must be specifically opted into by the consumer (for children under 13, by the consumer’s legal guardian). Montana also requires that you honor browser opt-out signals such as the Global Privacy Control (GPC).
How does the MTCDPA handle data subject requests?
Consumers have the right to access, port, correct, and delete their data. Consumers also must be able to opt out of the sale of their data, targeted advertising, and the use of their data to make certain decisions about them.
The process for enabling sell & share opt-out can mirror the standard set by the California Consumer Privacy Act’s Do Not Sell or Share requirements.
What data protection assessments does the MTCDPA require?
Controllers must conduct and document data protection assessments before conducting certain high-risk activities, including targeted advertising, selling personal data, or using sensitive data.
Montana Consumer Data Privacy Act: Key Takeaways
On the spectrum of state privacy laws, we ranked Montana’s new law as one of the strictest. Check out our Guide to State Privacy Laws for more details on how each state stacks up.
- The MTCDPA does not introduce new concepts to privacy regulation, but will enforce them on a larger number of organizations.
- Any collection or tracking of sensitive or children’s data must be opted into by the data subject or their legal guardian, while other types of tracking can follow an opt-out consent model.
- Organizations must honor consumer rights to access, delete, port, or modify their data, as well as to opt out of the sale of their data, targeted advertising, and the use of their data to make certain decisions about them.
- Organizations must complete data protection assessments for new data projects that could imply risk for the consumer.
- The Montana Office of the Attorney General has exclusive authority to enforce the MTCDPA; consumers are not granted a private right of action.