Overview
The Montana Consumer Data Privacy Act (MTCDPA) is a comprehensive data privacy law designed to give Montana residents greater control over their personal data. Signed into law on May 19, 2023, it took effect on October 1, 2024, making Montana one of the latest states to implement broad consumer privacy protections.
MTCDPA is similar to privacy laws in Virginia (CDPA), Connecticut (CTDPA), and Colorado (CPA) but has stronger consumer rights provisions, including opt-in consent for sensitive data and clear opt-out mechanisms for targeted advertising.
Who Must Comply?
The MTCDPA applies to businesses operating in Montana or targeting Montana residents that meet one of the following criteria:
β Process personal data of at least 50,000 Montana consumers annually (excluding data collected for payment transactions)
β Process personal data of at least 25,000 Montana consumers and derive more than 25% of gross revenue from selling personal data
Exemptions:
The law does not apply to:
π« Government agencies
π« Nonprofits
π« Financial institutions subject to GLBA
π« HIPAA-covered entities (hospitals, insurers, healthcare providers)
π« Higher education institutions
Key Consumer Rights Under MTCDPA
β Right to Access β Consumers can request a copy of their personal data.
β Right to Correct β Consumers can request corrections to inaccurate personal data.
β Right to Delete β Consumers can request the deletion of personal data.
β Right to Data Portability β Consumers can receive their data in a portable format.
β Right to Opt-Out β Consumers can opt out of:
- Targeted advertising
- Sale of personal data
- Profiling that affects legal or financial decisions
Business Compliance Requirements
β Explicit Opt-In for Sensitive Data β Businesses must obtain consumer consent before processing:
π Racial/ethnic origin
π Religious beliefs
π Biometric data
π Health conditions
π Childrenβs data
β Universal Opt-Out Signals (Effective January 1, 2025) β Businesses must recognize Global Privacy Control (GPC) and other automated opt-out signals.
β Privacy Notices & Data Transparency β Companies must provide clear, detailed privacy policies explaining data collection practices.
β Data Protection & Security β Businesses must implement reasonable safeguards to protect consumer data.
β Data Processing Assessments (DPA) β Organizations must conduct risk assessments for:
π Targeted advertising
π Data sales
π Automated decision-making
Real-World Enforcement Cases
The Montana Attorney General is responsible for enforcing MTCDPA. Violations can result in fines of up to $7,500 per violation.
Since MTCDPA enforcement began in October 2024, major enforcement actions are expected in 2025, likely targeting data brokers, ad tech firms, and businesses using AI-driven profiling.
π Comparison with Other State Privacy Laws
The Montana MTCDPA shares similarities with Coloradoβs CPA and Connecticutβs CTDPA, but differs in key areas:
β
Smaller Business Scope β Only businesses processing 50,000+ consumers’ data are covered.
β
Stronger Opt-Out Requirements β Businesses must honor universal opt-out signals by 2025.
β
No Private Right of Action β Consumers cannot sue companies directly for violations.
Future of MTCDPA Regulation
π Tighter enforcement on AI-based profiling in 2025
π Increased penalties for non-compliance
π Potential expansion of opt-in consent requirements for targeted ads
Montanaβs MTCDPA is a model for future U.S. state privacy laws, with a focus on consumer control, opt-out mechanisms, and enhanced transparency.
