Montana MCDPA

Montana Consumer Data Privacy Act

Flag of US
Montana, United StatesOpt-outState
Back to Regulations Guide

Key Facts

Effective Date
October 1, 2024
Enacted
May 19, 2023
Enforcing Authority
Montana Attorney General
Consent Model
Opt-out
Fulfillment Time
45 days
Applies To
Entities in MT or targeting MT residents: 25,000+ consumers OR 15,000+ consumers and 25%+ revenue from selling PI (lowest thresholds among US states)

Overview

Montana's MCDPA has the lowest applicability thresholds among US state privacy laws following SB 297 amendments. The October 2025 amendments eliminated the cure period, mandated GPC signal honoring, and introduced a unique duty of reasonable care for minors under 18.

What This Means for Your Website

  • GPC signals must be honored from October 2025
  • Opt-in consent is required for sensitive data
  • A unique duty of "reasonable care" applies when processing data of minors under 18
  • Sale of data from 13-17 year olds is prohibited, as is targeted advertising
  • The cure period was eliminated in October 2025
  • Applicability thresholds are the lowest among US states (25,000/15,000 consumers)

Key Requirements

The Montana AG enforces the MCDPA with penalties up to $7,500 per violation. Consumer requests must be fulfilled within 45 days. The duty of reasonable care for minors requires controllers to implement mitigation plans for identified risks. SB 297 significantly expanded coverage and protections.

How ConsentStack Handles This

ConsentStack detects Montana visitors, honors GPC signals, and applies enhanced protections for minors including blocking sale and targeted advertising for under-18 visitors.

Penalties

Up to $7,500 per violation (no statutory cap).

Maximum Fine
USD7,500 per violation

Key Requirements

  • Honor GPC/universal opt-out signals from October 2025
  • Opt-in consent for sensitive data
  • Duty of reasonable care for minors under 18 — unique
  • Data protection assessments for services with heightened harm risk
  • Consumer rights: access, correct, delete, portability, opt-out

Notable Provisions

  • Lowest applicability thresholds (25,000/15,000) among US states
  • Cure period eliminated October 2025
  • Unique duty of reasonable care for minors
  • Sale of 13-17 data prohibited

US State Specifics

Private Right of Action
No
Global Opt-out Required
Yes
Sensitive Data Opt-in
Yes
Children Provisions
Under 18: duty of reasonable care (unique). 13-17: sale/advertising prohibited.

Other North America Regulations

CPRACalifornia, United States
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
PIPEDACanada (Federal)
Canada's federal private-sector privacy law based on 10 fair information principles. Requires express consent for sensitive data and implied consent for less sensitive data. OPC guidance addresses cookies and online behavioral advertising. The CPPA replacement bill died January 2025; a new bill is expected.
Quebec Law 25Quebec, Canada
The most GDPR-like privacy law in the Americas. Requires explicit, granular consent per purpose before deploying ANY tracking technology. Implied consent is explicitly prohibited for cookies and tracking. Features extraterritorial scope, mandatory PIAs, and GDPR-level penalties (4% worldwide turnover). The strictest cookie consent requirements in North America.
TDPSATexas, United States
The TDPSA is the broadest US state privacy law — no revenue thresholds and no minimum consumer data volume thresholds. Applies to any non-small-business processing personal data of Texas residents. Must honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.
CPAColorado, United States
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Must honor GPC signals since July 2024. Participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
MODPAMaryland, United States
The most restrictive US state privacy law. Sensitive data may only be processed when strictly necessary to deliver a requested service — and sale of sensitive data is completely prohibited even with consent. Under-18 sale and targeted advertising are prohibited regardless of consent. Strictest data minimization in the US.

Frequently Asked Questions

What makes Montana's privacy law unique?

Montana has the lowest applicability thresholds among US states (25,000/15,000 consumers) and a unique duty of reasonable care for minors under 18.

Does Montana require honoring GPC signals?

Yes, from October 2025. ConsentStack automatically detects and honors GPC signals for Montana visitors.

How does Montana protect minors' data?

Sale and targeted advertising are prohibited for 13-17 year olds. A unique duty of reasonable care applies to all minors under 18.

Stay compliant with Montana MCDPA

ConsentStack helps you implement Opt-out consent for Montana, United States automatically.

Get started