Montana implemented the Montana Consumer Data Privacy Act (MCDPA) on October 1, 2024. The law regulates businesses that produce products or services targeting Montana residents to help consumers gain more control and privacy over personal data. There has been a fairly short period to adjust to the 2024 version of the law, but businesses should not just set it and forget it – new revisions have already been made that will go into effect later this year.
On May 8, 2025, Governor Greg Gianforte signed Senate Bill 297 (SB 297) into law, revising the existing privacy act. The 2025 revisions will take effect on October 1, 2025. Below is an overview of the amendments to the law that employers operating in Montana or dealing with consumer data in the state need to know.
Most revisions to Montana’s data privacy focus on tightening regulations and lowering thresholds for applicable businesses.
The law applies to any person conducting business in Montana or producing products or services for Montana residents who:
The revisions add privacy protections for consumers under 18 (“minors”). Notably, privacy restrictions apply regardless of whether a company falls under the thresholds listed above. Controllers who comply with statutory requirements relating to the new privacy protections for minors and other necessary laws and guidelines will be presumed to be acting with reasonable care.
The revision act also clarifies that businesses are not required to implement an age verification system to determine if consumers are minors; businesses that choose to “conduct commercially reasonable age estimation to determine which consumers are minors” will not be held liable if mistaken.
Businesses are prohibited from disclosing certain types of highly sensitive information, such as:
The amendment also sets itself apart from the previous version with expanded opt-out rights. Businesses are required to allow consumers to opt out of “automated decisions” that produce legal or similarly significant effects, rather than “solely automated decisions.”
Businesses selling data to third parties or processing data for targeted advertising are required to provide access to a "clear and conspicuous" method outside the privacy notice for the consumer to opt out of the sale or processing of their data. The bill mentions this method could include, but is not limited to, including an internet hyperlink that is clearly labeled "your opt-out rights" or "your privacy rights" that directly prompts the opt-out request or links to a web page where the consumer can make the opt-out request.
The act expands the Attorney General's investigatory powers and authorizes the Attorney General to “use the duties and powers provided by Title 30, chapter 14, parts 1 and 2.” Revisions to the enforcement process also effectively remove the cure period and establish a consumer complaint mechanism.
To read more about changes to MCDPA in depth, take a closer look at the official amendment here.
From updates to New York’s data breach notification law to Virginia’s additional restrictions on consumer health data, data privacy seems to be the central theme of new rules and amendments that regulate business practices in 2025.
Data privacy regulations are finally filling the gap to address technology's impact on consumer privacy. While this is a necessary step to keep consumers safe, businesses across all states need to stay informed. Verified Credentials will try to provide updates as consumer laws, privacy, and reporting evolve.
This content is for informational purposes only and shall not constitute legal opinion or advice. Consult your legal counsel to ensure compliance.