Montana strengthens Consumer Data Privacy Act: Expanded scope, enhanced obligations, and increased protection for minors
Montana has passed Senate Bill 297 (SB 297), making amendments to the Montana Consumer Data Privacy Act (MCDPA) that will take effect from 1 October 2025.
SB 297 makes Montana’s privacy law tougher in several ways, bringing it closer in line with other comprehensive privacy laws. These reforms will bring more businesses under the MCDPA’s scope, impose new obligations, and create harsher potential sanctions for violations.
Broader applicability
SB 297 reduces thresholds for compliance, widening the range of businesses subject to MCDPA:
From 1 October 2025, entities must comply if they operate in Montana or intentionally target Montana residents with products or services, and:
- Process personal data of 25,000 or more Montana residents (previously 50,000), or
- Process data of at least 15,000 residents and earn over 25% gross revenue from data sales (down from 25,000 residents).
Protections relating specifically to minors apply regardless of data volume to any business operating or targeting commercial products/services to Montana residents.
Additionally, entities covered by the Gramm-Leach-Bliley Act (GLBA) now only remain exempt when processing data specifically under GLBA-regulated activities. Non-profit exemptions have also been restricted primarily to those addressing insurance fraud prevention.
Duty of care for minors
SB 297 introduces a specific “duty of reasonable care” targeting controllers that knowingly – or through wilful neglect – serve minors with online products or services. Controllers must proactively mitigate risks of harm, including unfair practices, injuries, or privacy intrusions.
The law mandates “data protection assessments” for activities that pose heightened risks specifically to minors, mirroring frameworks seen in other jurisdictions.
Controllers must secure consent (including verifiable parental consent for children under 13) before:
- Selling minors’ personal data, targeting minors with personalized ads, or conducting specific profiling.
- Using features designed to prolong or intensify minors’ online interactions.
- Collecting precise geolocation data unless it is essential for providing services.
While no explicit requirement exists for services to implement strict age verification, a safe harbor exists for controllers using commercially reasonable age-estimation practices to protect against liability arising from genuine errors.
Expanded consumer rights and transparency
SB 297 expands consumers’ rights to opt out of profiling used in “automated decisions producing legal or similarly significant effects,” replacing the previous narrower “solely automated” standard.
Consumers must also be offered a clear method to opt out of targeted advertising and data sales independently of the privacy notice.
Privacy notices must:
- Clearly outline consumer rights under the MCDPA.
- Indicate the latest update date.
- Be prominently accessible via a “privacy” link on websites/apps.
- Be available in all languages in which the service operates.
- Be accessible to individuals with disabilities.
Stronger enforcement measures
SB 297 enhances enforcement powers. While it does not establish a private right of action, it permits the Attorney General to seek penalties of up to $7,500 per violation. The previous 60-day “notice and cure” grace period for violators has also been removed, enabling immediate enforcement actions.
Montana levels up privacy standards
SB297’s updates align Montana’s privacy framework more closely with national trends, positioning the state among those with the most robust data protection standards in the US.
Businesses serving customers in the state should ensure they understand any new obligations arising out of these amendments.
