What the MCDPA Covers and Why It Matters
Montana became the ninth US state to enact a comprehensive consumer data privacy law when Governor Gianforte signed SB 384 in May 2023. The Montana Consumer Data Privacy Act (MCDPA) took effect on 1 October 2024, and a major round of amendments under SB 297 follows on 1 October 2025.
The law grants Montana residents a set of rights over their personal data and places obligations on businesses that collect or process that data. Its structure resembles the Virginia CDPA more than the California CCPA, but Montana adds its own twist: a mandatory universal opt-out mechanism that went live on 1 January 2025.
Website owners outside Montana may still fall within the law's reach. If your site targets Montana residents or processes personal data from a threshold number of Montana consumers, the MCDPA applies to you regardless of where your servers or headquarters sit.
Who Must Comply: Applicability Thresholds
The MCDPA uses a two-tier threshold. Until 30 September 2025, the original thresholds from SB 384 apply. From 1 October 2025, the SB 297 amendments lower those thresholds significantly.
| Criterion | Original (Oct 2024 - Sep 2025) | Amended (Oct 2025 onward) |
|---|---|---|
| Consumer data volume (general) | 50,000 or more consumers | 25,000 or more consumers |
| Consumer data volume (data sellers) | 25,000 or more consumers AND over 25% revenue from data sales | 15,000 or more consumers AND over 25% revenue from data sales |
| Targeting requirement | Conduct business in Montana or target Montana residents | Conduct business in Montana or deliver products/services intentionally targeted at Montana residents |
Montana has a small population of roughly 1.1 million. The lowered threshold of 25,000 consumers means that a site processing data from just over 2% of the state's population could fall within scope.
Certain entities are exempt. The MCDPA excludes state and local government bodies, higher education institutions, and entities governed by HIPAA. SB 297 removed the blanket exemption for financial institutions covered by the Gramm-Leach-Bliley Act but preserved exemptions for banks, credit unions, insurers, and insurance producers specifically.
Consumer Rights Under the MCDPA
Montana residents receive five core rights under the MCDPA. These mirror the rights found in several other US state privacy laws, though the details vary.
The rights are:
- Right to know - confirm whether a controller processes their personal data and access that data
- Right to correct - request corrections to inaccurate personal data
- Right to delete - request deletion of personal data the controller holds
- Right to portability - obtain a copy of their data in a portable, readily usable format
- Right to opt out - refuse the sale of personal data, targeted advertising, or profiling that produces legal or similarly significant effects
Controllers must respond to consumer requests within 45 days, with one 45-day extension permitted when reasonably necessary.
Universal Opt-Out Signals: The GPC Requirement
Since 1 January 2025, the MCDPA requires controllers to recognise universal opt-out signals such as the Global Privacy Control (GPC). This places Montana alongside Colorado and Connecticut in mandating browser-level opt-out mechanisms.
When a visitor arrives at your site with GPC enabled, your site must treat that signal as a valid opt-out request for both the sale of personal data and targeted advertising. The law specifies that the mechanism must be "consumer-friendly and easy to use" and must allow the controller to "accurately determine whether the consumer is a resident of the state."
From a technical standpoint, this means your cookie consent platform must detect the Sec-GPC HTTP header or the navigator.globalPrivacyControl JavaScript property and suppress non-essential tracking accordingly. If your site uses analytics cookies like _ga or advertising pixels such as _fbp, those must not fire for visitors who have GPC enabled - unless you can verify the visitor is not a Montana resident.
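The detection and suppression logic described above can be sketched as follows. This is an added example, not code from any consent platform: the function names, the cookie catalogue, the session_id cookie and the region codes are assumptions made for illustration.

```javascript
// Hypothetical cookie catalogue. _ga and _fbp are categorised as the page
// describes them; session_id is a constructed sample name.
const COOKIE_CATALOG = {
  session_id: "essential",
  _ga: "analytics",
  _fbp: "advertising",
};

// Regions where this sketch honours GPC. Only Montana is modelled here; the
// page notes Colorado and Connecticut mandate the signal too, so a real
// deployment would widen this set.
const GPC_REGIONS = new Set(["MT"]);

// Server side: the signal arrives as the request header "Sec-GPC: 1".
// Node lowercases incoming header names.
function hasGpcHeader(headers) {
  return String(headers["sec-gpc"] ?? "").trim() === "1";
}

// Client side: navigator.globalPrivacyControl is true when the user enabled it.
function hasGpcProperty(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// region is a verified region code, or null when residency is unknown.
// Unknown residency is treated as in scope: the signal is only set aside
// when the visitor is verified to be outside the modelled regions.
function allowedCategories({ gpc, siteOptOut, region }) {
  const allowed = new Set(["essential"]);
  const verifiedOutOfScope = region != null && !GPC_REGIONS.has(region);
  const optedOut = siteOptOut || (gpc && !verifiedOutOfScope);
  if (!optedOut) {
    allowed.add("analytics");
    allowed.add("advertising");
  }
  return allowed;
}

// Fail closed: a cookie missing from the catalogue is never set.
function cookiesToSet(names, allowed) {
  return names.filter((n) => allowed.has(COOKIE_CATALOG[n]));
}

// Combine both detection paths and return the cookies that may fire.
function decide({ headers = {}, nav = null, region = null, siteOptOut = false }, names) {
  const gpc = hasGpcHeader(headers) || hasGpcProperty(nav);
  return cookiesToSet(names, allowedCategories({ gpc, siteOptOut, region }));
}
```

Run the same decision on the server before emitting Set-Cookie headers and in the tag loader before injecting third-party scripts, so a pixel cannot fire through a path the other check missed.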
Sensitive Data and Consent
The MCDPA treats certain categories of personal data as sensitive and requires explicit opt-in consent before processing them. Sensitive data includes:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data used to identify an individual
- Personal data of a known child
- Precise geolocation data (within 1,750 feet)
This opt-in requirement is stricter than the opt-out model used for general personal data. If your website collects precise geolocation through location-based services, or processes health-related browsing data, you need a clear affirmative consent mechanism before that processing begins.
Data Protection Assessments
For processing activities created or generated after 1 January 2025, controllers must conduct data protection assessments. These assessments apply to targeted advertising, the sale of personal data, profiling that presents a reasonably foreseeable risk of harm, and the processing of sensitive data.
The assessment must weigh the benefits of the processing activity against the potential risks to consumer rights. This is similar to the data protection impact assessment (DPIA) required under GDPR Article 35, though the MCDPA version is enforced through the Montana Attorney General rather than a supervisory authority.
Privacy Notice and Disclosure Requirements
Controllers must publish a clear, accessible privacy notice. Under SB 297, that notice must include an explanation of consumer rights under the MCDPA and the date the notice was last updated. The notice should also disclose:
- The categories of personal data processed
- The purposes for processing
- How consumers can exercise their rights
- The categories of personal data shared with third parties
- The categories of those third parties
A generic privacy policy that only references GDPR or CCPA will not satisfy the MCDPA. The notice must specifically address Montana consumer rights.
Enforcement, Penalties, and the Cure Period
The Montana Attorney General has exclusive enforcement authority. There is no private right of action, meaning individual consumers cannot sue businesses for MCDPA violations.
Under the original law, the Attorney General must provide a 60-day cure period before taking enforcement action. This cure period was set to expire on 1 April 2026. SB 297 accelerates that timeline: from 1 October 2025, the cure period is eliminated entirely. After that date, the Attorney General can pursue enforcement action immediately upon discovering a violation.
Penalties can reach up to $7,500 per violation, with each affected consumer potentially counted as a separate violation. For a site processing data from 25,000 Montana consumers, non-compliance could theoretically expose a business to substantial financial risk. As of early 2026, the Attorney General has not publicly announced any enforcement actions under the MCDPA, but the elimination of the cure period signals a shift toward more active enforcement. Other states like Texas have already shown that attorney general-led enforcement can move quickly once cure periods lapse.
SB 297 Amendments: Protections for Minors
SB 297 introduces heightened protections for minors. Any controller that offers an online service, product, or feature to someone the controller actually knows or wilfully disregards is a minor must use "reasonable care" to avoid a heightened risk of harm.
This obligation applies regardless of whether the controller meets the general applicability thresholds. A small website that knowingly serves minors in Montana must still comply with the minor-protection provisions even if it processes data from fewer than 25,000 consumers.
If your site collects age data or can reasonably infer that visitors are under 18, consider whether your cookie and tracking practices create risks that would trigger this requirement. Targeted advertising directed at known minors is a clear area of concern.
Practical Compliance Checklist for Website Owners
Bringing your website into compliance with the MCDPA involves several concrete steps. Many overlap with requirements from other US state privacy laws, so a unified approach saves effort.
- Determine whether your site meets the applicability thresholds for Montana consumers
- Implement GPC signal detection in your consent management setup
- Update your privacy notice to reference MCDPA rights and include the date of last revision
- Classify your cookies and tracking technologies - separate essential from non-essential, and identify any that process sensitive data
- Ensure your opt-out mechanism covers data sales, targeted advertising, and certain profiling activities
- Conduct data protection assessments for targeted advertising and any sensitive data processing
- Review and update data processing agreements with vendors who handle Montana consumer data
- Build a response process for consumer rights requests within the 45-day deadline
Frequently Asked Questions
Does the Montana Consumer Data Privacy Act apply to businesses outside Montana?
Yes. The MCDPA applies to any business that conducts business in Montana or delivers products or services intentionally targeted at Montana residents, provided the business meets the applicable consumer data thresholds.
What is the universal opt-out signal requirement under the MCDPA?
Since 1 January 2025, controllers must recognise universal opt-out mechanisms such as Global Privacy Control (GPC). When a Montana consumer sends an opt-out signal through their browser, the controller must treat it as a valid request to opt out of data sales and targeted advertising.
Does Montana require opt-in consent for all cookies?
No. The MCDPA uses an opt-out model for general personal data. Opt-in consent is only required for sensitive data categories such as precise geolocation, biometric data, and health information.
What are the penalties for violating the MCDPA?
The Montana Attorney General can impose penalties of up to $7,500 per violation. Each affected consumer may count as a separate violation, which can result in significant cumulative fines.
Is there still a cure period for MCDPA violations?
Under the original law, a 60-day cure period applied. SB 297 eliminates the cure period from 1 October 2025, allowing the Attorney General to take enforcement action immediately.
How does the MCDPA compare to the CCPA?
The MCDPA follows the Virginia CDPA model rather than the CCPA. It has lower applicability thresholds, no private right of action, and a narrower definition of "sale" that does not include monetary consideration alone. The MCDPA does, like the CCPA, require recognition of universal opt-out signals.
Take Control of Your Cookie Compliance
If you are not sure which cookies your site sets or whether you meet the MCDPA's thresholds, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.