ARTICLE
30 May 2025

Montana's Consumer Data Privacy Law Update: SB 297's Sweeping Changes At A Glance

Perkins Coie LLP

Perkins Coie is a premier international law firm with over a century of experience, dedicated to addressing the legal and business challenges of tomorrow. Renowned for its deep industry knowledge and client-centric approach, the firm has consistently partnered with trailblazing organizations, from aviation pioneers to artificial intelligence innovators. With 21 offices across the United States, Asia, and Europe, and a global network of partner firms, Perkins Coie provides seamless support to clients wherever they operate.

The firm's vision is to be the trusted advisor to the world’s most innovative companies, delivering strategic, high-value solutions critical to their success. Guided by a one-firm culture, Perkins Coie emphasizes excellence, collaboration, inclusion, innovation, and creativity. The firm is committed to building diverse teams, promoting equal access to justice, and upholding the rule of law, reflecting its core values and enduring dedication to clients, communities, and colleagues.

On May 8, 2025, Montana Governor Greg Gianforte signed Senate Bill 297 (SB 297) into law, significantly revising the existing Montana Consumer Data Privacy Act (MCDPA).

These amendments generally mirror requirements in other states, including creating additional protections for minors, broadening transparency requirements, and removing the cure period. Montana also expanded the applicability of the MCDPA to more entities, and updated consumers' rights and protections with respect to sensitive data and use of data for automated decision-making. Notably, with the passage of SB 297, Montana now has the lowest applicability threshold for businesses that control or process personal data, meaning that the MCDPA may now cover more businesses.

Below, we summarize these changes to help businesses prepare ahead of the law's effective date on October 1, 2025—a year after the MCDPA's initial effective date.

New Protections for Minors

Duty of Care to Avoid a "Heightened Risk of Harm"

The most significant change is that Montana now joins Colorado and Connecticut in requiring controllers to exercise a duty of "reasonable care" to avoid a "heightened risk of harm" when offering an online service, product, or feature to a user the controller "actually knows or willfully disregards" is a minor (under 18). "Heightened risk of harm to minors" is defined as processing minors' personal data in a way that presents a reasonably foreseeable risk of

(a) unfair or deceptive treatment of, or unlawful disparate impact on, a minor;

(b) financial, physical, or reputational injury;

(c) unauthorized disclosure of personal data as a result of a security breach (as described in Montana's data breach statute); or

(d) intrusion upon the solitude or seclusion or private affairs or concerns of a minor, whether physical or otherwise, that would be offensive to a reasonable person.

Controllers are afforded a rebuttable presumption that they exercised reasonable care if they complied with the statute's requirements.

New Consent Requirements

SB 297 introduces additional restrictions for processing minors' data and provides that unless the controller obtains the minor's consent (or verifiable parental consent for children under 13), it may not

(1) process the minor's data for targeted advertising, sale, or certain automated profiling;

(2) process the minor's data for purposes other than the purpose for which it was collected or a reasonably necessary and compatible purpose, or longer than is necessary to provide the service;

(3) use system design features to significantly increase, sustain, or extend use; or

(4) collect precise geolocation data beyond what is reasonably necessary, or retain that data for longer than necessary to provide the service.

Controllers are also prohibited from using consent mechanisms designed to impair user autonomy and from offering messaging tools to minors without safeguards that limit the ability of adults to send them unsolicited messages (with exemptions for email and text messaging). They must also provide a persistent signal to minors that their precise geolocation is being collected. A controller that complies with the requirements described above is entitled to a rebuttable presumption that it used reasonable care in any enforcement action brought by the attorney general.

Data Protection Assessments

The MCDPA already required controllers to conduct a data protection assessment before offering services to consumers when there is a heightened risk of harm, but SB 297 now requires controllers to conduct such assessments specifically with respect to minors and to implement a plan to mitigate or eliminate any heightened risk that exists. These data protection assessments must include information on the online service's purpose, the categories of personal data processed, the purpose of processing such data, and the heightened risk of harm to minors that is a reasonably foreseeable result of offering the online service. Controllers must update these assessments as necessary to account for material changes and retain them until three years after the processing operations cease or the date the controller ceases offering the online service, whichever is later. Fortunately, these requirements are nearly identical to those in Colorado and Connecticut, whose legislatures have enacted similar heightened protections for minors.

Age Verification

As courts continue to litigate the constitutionality of age verification, including the challenges to the California Age-Appropriate Design Code and Arkansas' Social Media Safety Act, SB 297 clarifies that nothing in the law requires controllers or processors to affirmatively collect the age of consumers, such as through age verification or age-gating. SB 297 also provides that if a controller chooses to conduct commercially reasonable age estimation to determine which consumers are minors, the controller is not liable for erroneous age estimation, which may encourage businesses to continue their voluntary age verification processes.

Expanded Applicability of the MCDPA

Montana made several changes to expand who is subject to the requirements of the MCDPA. The practical effect is that businesses that previously considered themselves exempt must revisit that assessment to determine whether they, or any of the data they process, now fall outside the narrowed exemptions.

Small Businesses

Montana already had a relatively low numerical applicability threshold compared to other states, and SB 297 reduces it further. The MCDPA now applies to businesses that either control or process the personal data of at least 25,000 consumers (down from 50,000), or control or process the personal data of at least 15,000 consumers (down from 25,000) and derive more than 25% of their revenue from selling personal data. Notably, Sections 9-11 of SB 297 (the changes relating to minors, discussed above) apply to businesses regardless of whether they meet the general applicability threshold for controlling or processing the personal data of Montana residents or deriving revenue from data sales.

Nonprofits

When U.S. states first began enacting comprehensive privacy laws, nonprofits were generally exempt, either explicitly or by being excluded from the definition of "business." Increasingly, however, state privacy laws are either omitting exemptions for nonprofit organizations or only exempting them with qualifications, as Montana has done. Specifically, SB 297 significantly narrows the MCDPA's nonprofit exemption to apply only to nonprofits that are "established to detect and prevent fraudulent acts in connection with insurance."

Financial Institutions

SB 297 also revises exemptions for financial entities and affiliates by removing the entity-level exemption for financial institutions and affiliates governed by the Gramm-Leach-Bliley Act (GLBA). Instead, the law now generally only exempts data covered under the GLBA (rather than all data-processing activities taken by a GLBA-covered entity) with a new entity-level exemption only for certain chartered banks and credit unions, as well as insurers and self-insurers.

Enhanced Privacy Notice Requirements

SB 297 expands controllers' notice obligations to more closely align the MCDPA privacy notice requirements with the more robust requirements in other state consumer privacy laws. For example, privacy notices must now include the last update date and an explanation of consumer rights under the MCDPA but, fortunately, are not required to have a Montana-specific section as long as the privacy notice contains all the required information. In addition, controllers that sell personal data or process personal data for targeted advertising must now "clearly and conspicuously" disclose such activities in their privacy notice and also provide a "clear and conspicuous" opt-out method for consumers outside of the privacy notice.

Additionally, privacy notices must be made available in every language in which the controller offers products or services subject to the notice, accessible to individuals with disabilities, and posted online via a "conspicuous" hyperlink using the word "privacy" on the controller's website home page or a mobile device's application store or download page. For controllers without websites, the notice must be made available to consumers through other regular communication channels, such as mail. Controllers are now also obligated to notify affected consumers of any material changes to their privacy notice or practices, using all "reasonable electronic measures," and to provide a "reasonable opportunity" for consumers to withdraw consent for any materially different use of their personal data under the changed policy.

Consumer Rights

Automated Processing Versus "Solely" Automated Processing

Before SB 297, consumers had the right to opt out of the processing of their data for purposes of profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. SB 297 broadened this right by removing "solely," so businesses must now allow consumers to opt out of profiling for automated decisions, even if those decisions are not entirely automated.

Prohibition Against the Disclosure of Sensitive Information

SB 297 provides that businesses may not disclose sensitive data, such as social security numbers or biometric data, the disclosure of which could trigger Montana's breach notification law. This change likely responds to concerns that privacy laws could be read to require disclosure of sensitive data in response to consumer requests, creating security risks antithetical to the law's purpose. Businesses must still inform consumers whether such data was collected.

Expanded Enforcement Authority for the Attorney General

Under SB 297, the attorney general's enforcement power is significantly broadened. The attorney general may now issue civil investigative demands pursuant to Montana's Consumer Protection Act and require controllers to submit data protection assessments relevant to investigations. Most notably, SB 297 removes the MCDPA's 60-day cure period for alleged violations, enabling the attorney general to initiate enforcement actions without delay.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
