Montana is the most recent state to amend its Consumer Data Privacy Act.
The Montana Legislature passed 2025R Mont. S.B. 297 (Enrolled) on April 15, 2025, amending the Montana Consumer Data Privacy Act (MTCDPA). The amendment, which Governor Gianforte signed into law on May 8, 2025, significantly lowers the threshold for applicability of the law and incorporates elements from other states' privacy laws. The changes, which will take effect October 1, 2025, reduce the processing thresholds for the law to apply, extend heightened protections for minors and add more specific privacy notice requirements. Key changes to note are as follows:
- Privacy protections for consumers under the age of 18 ("minors"). These new provisions apply more broadly than the rest of the law, covering entities that conduct business in Montana without any small business exceptions (i.e., there are no numerical applicability thresholds, although the law's entity-level and data-level exemptions still apply).
- Presumption of reasonable care for controllers that comply with statutory requirements relating to the new privacy protections for minors. There are specific design and processing requirements. Controllers subject to these provisions must also conduct data protection assessments for an online service "if there is a heightened risk of harm to minors" as prescribed by the statute.
- The bill clarifies that Montana's privacy law does not require age verification. The existing requirement that a controller obtain a consumer's consent before engaging in targeted advertising or selling personal data for consumers ages 13 to 15 now applies when a controller willfully disregards the consumer's age, not just if the controller has actual knowledge of their age.
- Changed applicability requirements expand the law's reach. The law will now apply to controllers that either (1) control or process the personal data of at least 25,000 consumers, or (2) control or process the personal data of at least 15,000 consumers (down from 25,000) if the controller derives at least 25% of gross revenue from the sale of personal data.
- The newly narrowed right to access now prohibits controllers from disclosing certain types of highly sensitive information, such as Social Security numbers. SB 297 also slightly expands one of the law's opt-out rights. Consumers can now opt out of profiling in furtherance of "automated decisions" that produce legal or similarly significant effects, rather than only "solely automated decisions."
- The MTCDPA now includes more prescriptive privacy notice requirements. SB 297 significantly expands the requirements for privacy notices and related disclosures.
- The Attorney General now has increased investigatory power.
Thompson Coburn attorneys are here to help your organization navigate the ever-evolving legal landscape when it comes to responsible data privacy governance. Our attorneys will continue to monitor the law and provide relevant updates.