On May 8, Montana Governor Greg Gianforte signed into law Senate Bill 297 (SB 297), a bill that significantly revises the existing Montana Consumer Data Privacy Act (MCDPA). Although the MCDPA took effect on October 1, 2024, SB 297 accelerates Montana's march toward a more protective, minors-focused privacy regime and further aligns the statute with provisions in other states, including Colorado, Connecticut, and Minnesota. The amendments take effect on October 1, 2025, and merit immediate attention from businesses operating in Montana – particularly those offering online products or services that may reach children or teenagers. Below is an overview of the most consequential changes.
Applicability: Lower Thresholds, Broader Reach, and Exemption Changes
Applicability Threshold Reduced
The MCDPA will, as of October 1, 2025, apply to any entity that either: (1) controls or processes the personal data of at least 25,000 Montana consumers in a calendar year (rather than 50,000), or (2) controls or processes the personal data of at least 15,000 Montana consumers (down from 25,000) and derives more than 25% of gross revenue from the sale of personal data.
Broadened Applicability of Minor Privacy Provisions
SB 297 specifies that the MCDPA's privacy provisions regarding minors apply to any entity that either conducts business in Montana or delivers commercial products or services that are intentionally targeted to Montana residents, regardless of data volume.
Exemption Changes
The former entity-level Gramm-Leach-Bliley Act (GLBA) exemption is now narrowed to a data-level carve-out, which aligns the MCDPA with the GLBA exemptions in Oregon and Minnesota. The existing nonprofit exemption now only applies to organizations established to detect and prevent insurance fraud, meaning most Montana nonprofits will need to comply with the entire statute. Additionally, SB 297 introduces new entity-level exemptions for insurers, insurance producers, third-party administrators of self-insurance, and related affiliates engaged principally in financial activities.
New and Expanded Duties Owed to Minors
SB 297 adopts a Colorado/Connecticut-style duty of reasonable care when an online service, product, or feature is offered to a user the controller actually knows or willfully disregards is a minor (an individual under the age of 18):
- Controllers must avoid creating a "heightened risk of harm to minors," a defined term that captures unfair treatment, disparate impact, financial/physical injury, unauthorized disclosure following a breach, or offensive intrusions on solitude.
- Unless the controller obtains the minor's consent (or verifiable parental consent for children under 13), it may not: (1) process the minor's data for targeted advertising, sale, or certain automated profiling; (2) use system design features to significantly increase, sustain, or extend use; or (3) collect precise geolocation data beyond what is reasonably necessary.
- Controllers must conduct and retain impact assessments for any online service, product, or feature that presents a heightened risk of harm to minors.
- Nothing in SB 297 requires a controller to implement age verification, age-gating, or any other affirmative collection of a user's age, but controllers that implement a commercially reasonable age estimation system are not liable for erroneous age estimation.
Consumer Rights: Narrowed Access, Broader Opt Out
Like privacy laws in other states, SB 297 requires controllers to provide consumers with a clear and conspicuous method, outside of the entity's privacy notice, to opt out of the sale of personal data or the use of personal data for targeted advertising; this method may include a "your opt-out rights" or "your privacy rights" link. Additionally, in response to an access request, controllers are not required to provide highly sensitive data (e.g., Social Security numbers, driver's license numbers, financial account numbers, passwords, health plan IDs, biometric identifiers, and account passwords). Consumers also must now be permitted to opt out of any profiling in furtherance of "automated decisions" that produce legal or similarly significant effects, where previously they could only opt out of "solely automated decisions."
Transparency: More Prescriptive Privacy Notices
SB 297 requires controllers to revamp their privacy notices to include the following:
- A plain-language explanation of all MCDPA consumer rights.
- The date the notice was last updated.
- Posting via a conspicuous "Privacy" hyperlink on the website homepage and on app store/download pages, plus placement within app settings.
- Availability in every language in which the controller offers the relevant product or service.
- Formats that are reasonably accessible to individuals with disabilities.
Additionally, controllers are required to take "all reasonable electronic measures" to notify affected consumers of material changes to privacy notices or practices with respect to any personal data already collected, and to provide a "reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data."
Enforcement Changes
The guaranteed 60-day cure period created by the MCDPA will be eliminated beginning October 1, 2025. Instead, the Attorney General may sue immediately to enforce the provisions of the MCDPA. There is no private right of action, as enforcement remains exclusively with the Attorney General. Further, SB 297 introduced civil penalties of up to $7,500 for each violation, with no statutory cap.
Key Takeaways
- Companies that fell below the 50,000-consumer threshold may now be covered by the MCDPA.
- Products reasonably expected to attract teens or children require immediate design and consent review, as Montana will scrutinize features that encourage extended use or enable unsolicited messaging.
- Companies should ensure the provision of a conspicuous opt-out link, multilingual availability, and Americans with Disabilities Act-friendly formats.
- The loss of the cure period and the Attorney General's new authority suggest more aggressive oversight moving into 2026 and beyond.
The changes implemented by SB 297 will go into effect on October 1, 2025. Our team will continue to monitor the MCDPA and its amendments.