Montana's amendments also remove the cure period for alleged violations beginning in October, provide prescriptive methods through which businesses have to provide consumers with targeted advertising opt-out rights, and increase the disclosures necessary in privacy notices.
On May 8th, Montana's Governor signed new amendments to Montana's Consumer Data Privacy Act that expand its applicability by decreasing the threshold triggers and narrowing existing exemptions, and that remove the existing 60-day cure period that businesses were previously granted for alleged violations. The cure period sunsets on October 1, 2025.
Notably, the amendments add new requirements for businesses that handle personal data about consumers under the age of 18. Importantly, the amendments remove all applicability thresholds with respect to the law's provisions protecting those under the age of 18, meaning that the Montana Consumer Data Privacy Act's requirements regarding minors apply immediately when a business conducts business in Montana or otherwise provides products or services in Montana.
The amendments also introduce new requirements with respect to privacy notice transparency and disclosure obligations. For example, businesses subject to the Montana Consumer Data Privacy Act will now need to ensure their privacy notices (1) include a last updated date; (2) are provided in each language in which the business provides products or services; (3) are accessible and usable by individuals with disabilities; and (4) provide a process through which consumers are notified via "all reasonable electronic measures" of material changes to the privacy notice.
The recent amendment comes on the heels of other state regulators stepping up enforcement activities. State legislatures and regulators are quickly shifting from passing these laws to enforcing and refining them. Check out Benesch's recent article on recent data protection law enforcement trends in the U.S. here.
With 14 U.S. state data protection laws in effect, six more coming into effect this year or in 2026, and almost a dozen more currently under consideration in state legislatures, it is critical for businesses to stay on top of the shifting U.S. data protection law environment. See below for more details on the latest developments with respect to Montana's amendments to its Consumer Data Privacy Act.
Expanded Applicability; Narrower Exceptions
The amendments lower the Montana Consumer Data Privacy Act's applicability thresholds such that the law now applies to any entity doing business in Montana that meets one of the following thresholds:
- Controls or processes the personal data of at least 25,000 Montana consumers annually (previously set to 50,000)
- Controls or processes the personal data of at least 15,000 Montana consumers annually (previously set to 25,000) and derives over 25% of its gross annual revenue from the sale of personal data.
The lower thresholds increase the potential applicability of the Montana Consumer Data Privacy Act, but still not to the levels of consumer data protection laws like those in Nebraska or Texas, whose laws have no threshold triggers and broadly apply.
The amendments also narrow exceptions to the Montana Consumer Data Privacy Act. Under the original Montana Consumer Data Privacy Act, financial institutions and entities regulated under the federal Gramm-Leach-Bliley Act—protecting non-public consumer information collected and processed related to financial services—were broadly exempt. However, the amendments narrow the former entity-level exemption into a data-level exemption such that the entities are not broadly exempt. Under the amended Montana Consumer Data Privacy Act, just the personal data that falls into a category of information protected under the Gramm-Leach-Bliley Act is exempt from the Montana Consumer Data Privacy Act's requirements.
Additionally, the amendments narrow the original, broad non-profit exemption to only apply to non-profit organizations established to detect and prevent insurance fraud. The Montana Consumer Data Privacy Act will now apply to most non-profits doing business in Montana.
The biggest shift under the Montana Consumer Data Privacy Act is the set of new requirements applicable to the processing of personal data about consumers under the age of 18. Importantly, these new requirements apply regardless of whether a business falls within the general Montana Consumer Data Privacy Act thresholds noted above.
Data Protection for Minors
The amendments to the Montana Consumer Data Privacy Act create two new important definitions: (1) Adult; and (2) Minor.
"Adult" is considered any individual who is 18 years or older, while "Minor" is defined as a consumer under the age of 18. It's important to note that the Montana Consumer Data Privacy Act still includes a definition for "Child" set to any individual under 13 years of age. Personal data about a child is still considered sensitive personal data, requiring verifiable parental or guardian consent before processing.
Under the new amendments, businesses are required to use "reasonable care" to avoid a heightened risk of harm to minors where the business offers online services, products or features to consumers that it knows or reasonably should know are minors. "Heightened risk of harm" is defined as processing personal data in a manner that presents a reasonably foreseeable risk that the following could occur:
- Unfair or deceptive treatment of or an unlawful disparate impact on a minor;
- Financial, physical, or reputational injury to a minor;
- Unauthorized disclosure of a minor's personal data pursuant to a security breach; or
- Physical or other intrusion on the seclusion or solitude or private affairs or concerns of a minor (if it would be considered offensive by a reasonable person).
Further, there are new consent requirements applicable to processing the personal data of Minors.
Businesses must obtain the minor's prior consent (or verifiable parental consent for those under the age of 13) in order to (1) process a minor's personal data for purposes of targeted advertising, selling, or automated profiling in furtherance of legal or similarly significant effects; (2) collect a minor's precise geolocation information beyond what is reasonably necessary; (3) process or retain a minor's personal data for longer than is necessary to provide the applicable online services, product or feature; or (4) use a system design to significantly increase, sustain or extend a minor's use of the applicable online services, products or features.
Data Subject Rights and Opt Outs
The amendments also include clarification as to how businesses should respond to data access requests under the Montana Consumer Data Privacy Act. Per the amendments, a business is not required to disclose—and is now prohibited from disclosing—the following information to consumers pursuant to data access requests:
- Social Security numbers
- Driver's license number or other government-issued identification numbers
- Financial account numbers
- Health insurance account numbers or medical identification numbers
- Account passwords, security questions, or answers; or
- Biometric data
Separately, the amendments require businesses to provide, more clearly and transparently, mechanisms through which consumers can opt out of the sale of their personal data or of targeted advertising activities.
Businesses subject to the Montana Consumer Data Privacy Act are now required to—outside of and separate from the website privacy notice (e.g., as a separate link in the footer of a business's website)—clearly and conspicuously provide consumers with opt out mechanisms. Examples provided in the amendments include clearly labeled "Your Opt-Out Rights" or "Your Privacy Rights" links that take consumers to a webpage where they can exercise their opt out rights.
The amendments bring the Montana Consumer Data Privacy Act up to speed with similar laws in other states that require similar opt out mechanisms. Regulators have been focused on compliance with opt out rights, especially in California, Connecticut, and Oregon. See our past coverage on enforcement trends here for more information.
Sunsetting Cure Period
Originally, the Montana Consumer Data Privacy Act included a 60-day cure period allowing businesses 60 days to address and fix alleged violations after receiving notice from the Montana Attorney General's Office. This amendment removes the 60-day cure period beginning on October 1, 2025, allowing the Montana Attorney General to file suit for alleged violations immediately.
There is still no private right of action under the Montana Consumer Data Privacy Act, and fines remain at a maximum of $7,500 per violation.
Takeaways
With scrutiny and focus from regulators increasing under the broad swath of U.S. state data protection laws, businesses need to review what laws apply to their data collection and processing activities to ensure their privacy and security practices comply. Amendments similar to those recently signed into effect in Montana are likely to continue as regulators and state legislatures expand their data protection laws, particularly with respect to sensitive data collection, such as that related to those under the age of 18.