Montana Consumer Data Privacy Act: A Guide for Montana Businesses
Guide to Montana's MTCDPA for small businesses. With a 50K consumer threshold, Montana's law catches more businesses than most states.
Last updated: 2026-02-08
You run a regional e-commerce business serving customers across the Mountain West. You do not think of your operation as particularly large -- maybe 60,000 customers spread across Montana, Idaho, and Wyoming. But as of October 1, 2024, Montana's Consumer Data Privacy Act (MTCDPA) may already apply to you. Why? Because Montana set its consumer threshold at just 50,000 -- significantly lower than the 100,000 figure used by most other state privacy laws. That lower bar means businesses that might fly under the radar in Colorado or Virginia could be fully covered in Montana. This guide explains who the MTCDPA applies to, what rights Montana consumers have, and what your business needs to do about it.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the Montana Consumer Data Privacy Act (Mont. Code Ann. § 30-14-2801 et seq., SB 384), as of the date of publication.
Does This Law Apply to Your Business?
The MTCDPA applies to businesses that conduct business in Montana or produce products or services targeted at Montana residents and that during a calendar year meet at least one of two thresholds.
The first threshold is the one that makes Montana unusual: your business controls or processes the personal data of 50,000 or more Montana consumers, excluding data processed solely to complete a payment transaction. Most state privacy laws set this number at 100,000. Montana's lower threshold reflects the state's smaller population (roughly 1.1 million) and ensures the law is not rendered irrelevant by applying only to a handful of the largest companies operating in the state. In practice, this means a Shopify store with 55,000 Montana customers who have provided an email address or had cookies placed on their browsers is likely covered.
The second threshold requires your business to control or process the personal data of 25,000 or more Montana consumers while deriving revenue from the sale of personal data. Unlike some states that require a specific percentage (such as 50 percent), Montana does not specify a minimum revenue percentage -- any revenue from data sales combined with the 25,000-consumer count triggers the law.
Exempt entities include state and local government agencies, entities regulated under HIPAA, financial institutions covered by the Gramm-Leach-Bliley Act, nonprofits, and institutions of higher education. Data governed by the Fair Credit Reporting Act, the Driver's Privacy Protection Act, FERPA, and the Farm Credit Act is also excluded.
Given Montana's population, a business that operates nationally may hit the 50,000 threshold more easily than it expects. If 5 percent of your national customer base is in Montana and you have a million customers nationwide, you have 50,000 Montana consumers. That is the threshold, right there.
What Rights Do Consumers Have?
The MTCDPA grants Montana consumers a set of rights closely modeled on those in Oregon's OCPA and Colorado's CPA. Your business must respond to consumer requests within 45 days, with a possible 45-day extension if reasonably necessary.
Right to Access. Consumers can confirm whether your business is processing their personal data and request a copy of that data. This is the core of a data subject access request. You need to be able to locate, compile, and deliver the relevant data in a timely manner.
Right to Correction. Consumers can request that you correct inaccurate personal data. You must take commercially reasonable steps to correct the data, taking into account the nature of the data and the purposes for which it is processed.
Right to Deletion. Consumers can ask you to delete the personal data your business has collected about them. You must also direct your processors to delete it. Exceptions exist for data needed to complete a transaction, detect fraud, comply with a legal obligation, or for other specified purposes.
Right to Portability. When a consumer exercises their right to access, the data must be provided in a portable, readily usable format. This allows the consumer to transmit it to another entity.
Right to Opt Out. Consumers can opt out of the processing of their personal data for three purposes: targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
| Right | Granted? | Notes |
|---|---|---|
| Access | ✅ | Confirm processing and provide a copy of data |
| Correction | ✅ | Commercially reasonable efforts required |
| Deletion | ✅ | Must also instruct processors to delete |
| Portability | ✅ | Data in portable, machine-readable format |
| Opt out of sale | ✅ | Consumers can stop sale of their data |
| Opt out of targeted ads | ✅ | Must honor opt-out of ad targeting |
| Opt out of profiling | ✅ | For decisions with legal or significant effects |
What Your Business Must Do
Start with your privacy notice. The MTCDPA requires a reasonably accessible, clear privacy notice that identifies the categories of personal data your business processes, the purposes for processing, how consumers can exercise their rights (including how to appeal a denial), the categories of data you share with third parties, and the categories of third parties you share data with. If you sell personal data or process it for targeted advertising, you must clearly disclose that.
When consumer requests come in, you have 45 calendar days to respond. An additional 45-day extension is available when reasonably necessary, provided you notify the consumer of the delay and the reason. You must establish a method for consumers to submit requests and verify their identity before fulfilling a request.
For sensitive data, the MTCDPA requires opt-in consent before processing. Sensitive data under this law includes racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed for identification purposes, personal data from a known child, and precise geolocation data. If your mobile app collects precise GPS location from Montana users, you need a clear opt-in before that data is processed.
Your business must conduct data protection assessments for processing activities that pose a heightened risk of harm. This includes targeted advertising, the sale of personal data, certain types of profiling, the processing of sensitive data, and any processing that presents a heightened risk of harm to consumers. These assessments must be documented and made available to the Attorney General on request.
Processor contracts must define the nature and purpose of processing, the type of data involved, the duration of processing, and the obligations and rights of both parties. Your processors must assist you in responding to consumer requests and must delete or return personal data at the end of the service relationship.
How Is It Enforced?
The MTCDPA is enforced exclusively by the Montana Attorney General. There is no private right of action. Individual consumers cannot bring lawsuits directly under this law.
Violations are subject to penalties under the Montana Unfair Trade Practices and Consumer Protection Act, which allows for penalties of up to $7,500 per violation. Fines scale with the number of affected consumers, so a systemic failure can result in significant aggregate penalties.
The law includes a 60-day cure period that remains available until April 1, 2026. During this period, if the Attorney General identifies a violation, your business has 60 days to cure it and provide an express written statement that the violation has been remedied and will not recur. After April 1, 2026, the Attorney General has discretion to decide whether to offer a cure opportunity based on factors like the number of violations, the business's size, and the likelihood of future violations.
Because the MTCDPA took effect in October 2024, public enforcement actions are limited. However, businesses should not treat the cure period as a reason to delay compliance.
How This Compares to Other State Laws
Montana's 50,000-consumer threshold is its most distinctive feature. Here is how it compares to Oregon, Colorado, and California:
| Feature | MTCDPA (MT) | OCPA (OR) | CPA (CO) | CCPA/CPRA (CA) |
|---|---|---|---|---|
| Effective date | Oct 1, 2024 | Jul 1, 2024 | Jul 1, 2023 | Jan 1, 2020 |
| Consumer threshold | 50K | 100K | 100K | 100K |
| Revenue-from-sales threshold | Any revenue + 25K | Any revenue + 25K | Any revenue + 25K | 50% + no count needed |
| Cure period | 60 days (sunsets Apr 2026) | 30 days (sunsets Jan 2026) | 60 days (sunset 2025) | None |
| Covers nonprofits | No | Yes | No | No |
| Private right of action | No | No | No | Yes (breaches only) |
| Sensitive data consent | Opt-in | Opt-in | Opt-in | Opt-out |
The key takeaway is Montana's 50,000-consumer threshold. A business that operates comfortably below the 100,000 threshold in Oregon or Colorado may find itself covered in Montana. If you serve customers across the Mountain West, do not assume your Oregon or Colorado analysis applies to Montana without checking the numbers. Montana's smaller population means the threshold was intentionally set lower to ensure meaningful coverage, and businesses with a regional presence need to pay attention.
Action Checklist for Small Businesses
-
Count your Montana consumers. Review your customer database, analytics, and marketing lists. Remember that "consumers" includes anyone whose data you process, not just paying customers. Visitors who drop a cookie count.
-
Assess the 50,000 threshold carefully. Montana's bar is half the standard set by most other states. If you have even a modest Montana presence, you may be covered.
-
Update your privacy notice. Add the required disclosures about data categories, processing purposes, third-party sharing, consumer rights, and the appeals process.
-
Establish a DSAR intake and response process. Set up a web form and email for receiving requests. Document your workflow for intake, verification, processing, and response within 45 days.
-
Implement opt-in consent for sensitive data. If you collect health data, biometric data, precise geolocation, or data about children from Montana consumers, you need affirmative consent before processing.
-
Conduct data protection assessments. Document the risks and benefits for targeted advertising, data sales, profiling, and sensitive data processing activities.
-
Review your processor contracts. Make sure your vendor agreements include MTCDPA-required terms on purpose, scope, confidentiality, and consumer request assistance.
-
Train your team. Brief customer-facing staff on recognizing privacy requests and routing them to the right person.
Key Dates
- May 19, 2023: Governor Greg Gianforte signed the MTCDPA into law (SB 384).
- October 1, 2024: MTCDPA took effect.
- April 1, 2026: 60-day cure period expires; AG gains discretion on cure opportunities.
References
- Montana Consumer Data Privacy Act: Mont. Code Ann. § 30-14-2801 et seq. (SB 384, 2023). Full text on Montana Legislature
- Montana Attorney General's Office: Consumer protection resources
Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.
Need a framework for responding to consumer data requests? Download our DSAR Response Templates for a step-by-step process you can implement this week.