The Montana Consumer Data Privacy Act (MTCDPA) is a comprehensive privacy law that took effect October 1, 2024, granting residents rights over their personal data and imposing obligations on data controllers and processors.
To check MTCDPA compliance, ensure your business does the following:
Update privacy policy:
Updating privacy policies.
Implement consent management:
Implement cookie consent banners and opt-out flows to obtain clear, affirmative consent
Data subject handling:
Establishing processes for handling data subject requests.
Data security:
Ensuring data security measures are in place.
Review and disclose data and cookie practices:
Disclose data handling practices, including collection, storage and sharing of cookie types, purposes, etc.
Applies to entities that either:
Control or process personal data of ≥ 50,000 Montana residents, or
Control/process data of ≥ 25,000 residents and earn >25% revenue from its sale.
Also applies when offering products/services targeting Montana residents via location or intent.
Exemptions include government bodies, nonprofits, highered, financial institutions under GLBA, HIPAAcovered entities, and more.
Montana residents enjoy the:
Consumers can access and confirm processing of personal data
Consumers can request to correct inaccuracies
Consumers can request that their personal data be deleted
Consumers have a right to port/download/transmit their information in a usable format
Consumers can opt out of the sale of personal data, targeted advertising, and profiling that produces legal/significant effect
Businesses must comply within 45 days (with a possible 45day extension) and allow appeals within 60 days.
Businesses must:
Obtain explicit consent before setting non-essential cookies or processing sensitive data.
Disclose cookie categories, thirdparties, and data purposes in privacy notices.
Provide a clear cookie preferences interface and honor universal optout signals.
Enforced exclusively by the Montana Attorney General, who issues a 60day cure notice before pursuing enforcement, MTCDPA can have penalties for non-compliance. After April 1, 2026, noncompliance that is not remedied may lead to enforcement actions or legal proceedings.
The Montana Attorney General can seek civil penalties of up to 7,500 USD per violation.
MTCDPA Montana compliance requires adherence both to specific actions as well as best practices for data privacy management, including:
Audit:
Conduct a data audit to identify all cookies and trackers on their websites
Categorize:
Categorize cookies (e.g., necessary, preference, analytics, marketing)
Implement consent management:
Ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs
Review third parties:
Review third-party data-sharing practices
MYCDPA Montana applies to entities doing business in Montana or targeting its residents, meeting the data volume or revenue thresholds described above.
Personal data is any data that identifies or reasonably relates to an identified or identifiable individual.
Sensitive data includes race/ethnicity, health, precise geolocation, genetic/biometric info, religious beliefs, sexual orientation, immigration status, and data from minors.
The Montana Attorney General has exclusive enforcement authority.
Exemptions include government bodies, nonprofits, highereducation institutions, GLBAregulated financial institutions, HIPAA-covered entities/business associates, and similar entities.
Refer to the full legislative text (MCA Title 30, Chapter 14, Part 28) and official guidance from the Montana AG’s office.
©2018-2025 CookieHub ehf.
CookieHub CMP offers tools and services for managing cookies and online privacy.
