May 12, 2025
Montana Updates Its Privacy Law
Montana legislators have made major updates to the state's privacy law, including adding a new set of rules for data collected from minors under the age of 18.

Data privacy is a major concern for consumers everywhere, and state legislatures are listening. In line with this, Montana lawmakers recently passed a bill that significantly amends the state’s existing privacy law, the Montana Consumer Data Privacy Act (MCDPA). The changes are aimed at tightening privacy regulation all around, and pay particular attention to children’s privacy.

The amendments of Montana SB 297 are set to take effect on October 1, 2025.

Here is a brief overview of these changes and what they could mean for businesses.

Broader Scope

One of the most straightforward changes in SB 297 is a major reduction in the numerical thresholds for deciding when the MCDPA applies to a business.

As with most other U.S. privacy laws, the MCDPA applies to businesses that (1) do business in the state (or target state residents with their products/services) and (2) handle the personal data of a minimum number of state residents. Here are the new thresholds, as amended by SB 297:

  1. Control or process the personal data of at least 25,000 Montana residents in a year (formerly 50,000); OR
  2. Control or process the personal data of at least 15,000 Montana residents in a year (formerly 25,000) AND derive at least 25% of gross annual revenue from the sale of personal data.

The MCDPA’s thresholds were already lower than most states, due to Montana’s lower overall population; now they are low enough to pull in many more small businesses. For example, an ecommerce website that gets just over 2,000 unique visitors per month from Montana will likely have to comply with the MCDPA.

Cure Period Sunsets Ahead of Schedule

The MCDPA contains a provision granting businesses a mandatory 60-day period to cure any alleged violations. The provision was set to expire on April 1, 2026.

Apparently lawmakers felt that businesses have already had enough time to get up to speed with the MCDPA’s requirements, because SB 297 eliminates the cure period as of its effective date (October 1, 2025).

Narrower Exemptions

Related to the increase in scope as described above, SB 297 also significantly alters the MCDPA’s exemptions.

  • Nonprofits - The Montana law formerly had a broad exemption for nonprofits. The new amendment drastically limits this exemption to only nonprofits that are established to detect and prevent insurance fraud. This means that the MCDPA can now apply to all other nonprofits (that meet the numerical thresholds).
  • Financial Institutions - The MCDPA used to exempt all entities subject to the Gramm-Leach-Bliley Act (GLBA); the new rule does away with the entity-level exemption and only exempts personal data covered by the GLBA. However, this is tempered by a new exemption for state and federally chartered banks.
  • Insurers - A new exemption carves out insurance providers from the MCDPA.

Privacy Rights

The new bill makes some small but meaningful tweaks to rules regarding consumer privacy rights and how businesses should be handling them.

  • Opt-Out Links - Businesses must provide a clear and conspicuous method outside of their privacy policy for consumers to opt out of targeted advertising, the sale of their personal data, and profiling. This doesn’t necessarily have to be a hyperlink, but the bill does specify that a link titled “Your privacy choices” or “Your opt-out rights” would suffice. Seeing as this language ties in with requirements from California and Colorado, most businesses will probably want to go this route.
  • Restrictions on Data Access - More a welcome clarification than a new rule, SB 297 states that certain categories of personal data should not be provided in response to a Request to Access. Instead, businesses should only provide enough info to let the consumer know that the business has collected the data. These categories are:
    • Social security numbers
    • Government-issued ID numbers
    • Financial account numbers
    • Health insurance account numbers or medical ID numbers
    • Account passwords or security questions
    • Biometric data
  • Expanded Profiling Opt-Outs - The definition for profiling that triggers opt-out rights has been modified, to remove the word "solely" here: “Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.” This appears aimed at closing a loophole where minimal involvement by a human being would negate the consumer’s opt-out right.

Privacy Notices

SB 297 introduces a few new requirements for privacy notices. They reflect rules already found in other state laws, such as CalOPPA, so they should not present major challenges to most businesses.

Here are the new rules for privacy notices in Montana:

  • Must include the date the privacy notice was last updated.
  • Must provide a way to notify consumers of material changes to the privacy notice.
  • Must include an explanation of consumers’ privacy rights.
  • Must be available in all languages in which the business carries out its activities.
  • Must be accessible to persons with disabilities.
  • Must be posted online via a hyperlink using the word “privacy” on the business’s homepage. For mobile apps, the privacy policy must be available on the download page and accessible via the settings menu.

Children’s Data

The biggest changes in SB 297 concern data privacy for children. The bill introduces substantial new rules and complexity for businesses that handle the personal information of consumers under the age of 18.

Different Ages, Different Rules

As with most state privacy laws, the MCDPA defines “child” as anyone under 13 years of age; the personal data of known children is considered sensitive data, and any processing of that data requires prior consent by a parent or guardian.

Then there are consumers who are at least 13, but under the age of 16. If a business has actual knowledge, or willfully disregards, that a consumer falls within this age range, it must get the consumer’s consent before selling their personal data or using it for targeted advertising.

Finally, there is a new category, “minors,” which means anyone under the age of 18. There are a number of new rules about how businesses should avoid a “heightened risk of harm” to minors (more on that below).

Heightened Risk of Harm to Minors

Note: These rules apply to ALL businesses that offer their products or services, regardless of whether they meet the numerical thresholds described above.

Any business that “offers an online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor shall use reasonable care to avoid a heightened risk of harm to minors.”

Processing presents a heightened risk of harm to minors if there is a reasonably foreseeable risk that it could cause:

  1. Unfair or deceptive treatment of or an unlawful disparate impact on a minor;
  2. Financial, physical, or reputational injury to a minor;
  3. Unauthorized disclosure of the personal data of a minor as a result of a security breach; OR
  4. Physical or other intrusion on the solitude or seclusion or the private affairs or concerns of a minor if the intrusion would be considered offensive to a reasonable person.

There is a rebuttable presumption that a business has used reasonable care to avoid a heightened risk of harm to minors if it gets prior consent before doing any of the following:

  • Using a minor’s data for:
    • Targeted advertising
    • The sale of personal data
    • Profiling in furtherance of decisions that produce legal or similarly significant effects
  • Using minors’ personal data for purposes beyond those that were disclosed at the time of collection or that are reasonably necessary for and compatible with those disclosed purposes.
  • Using minors’ personal data for longer than is reasonably necessary to provide the online service, product, or feature.
  • Using a system design feature to significantly increase, sustain, or extend a minor's use of the online service, product, or feature.
  • Collecting minors’ precise geolocation, unless:
    • It is reasonably necessary;
    • It is only retained as long as necessary to provide the service, product, or feature; AND
    • The business provides a signal to the minor that it is collecting their precise geolocation and that signal is active for the entire duration of the collection.

Comprehensive Privacy Compliance with TrueVault

The list of states with data-privacy laws is growing steadily, and the states that already have laws on the books are making changes to them on a regular basis. Staying up-to-date on all the rules is becoming a full-time job, and one that many businesses aren’t prepared to handle on their own.

TrueVault helps businesses of all sizes get privacy-compliant quickly, even if they don’t have in-house expertise. Through a combination of guided workflows and automated tools, you can create your company’s data map, publish privacy notices, and be ready to receive privacy requests, all in as little as a few hours.

Contact our team to learn more.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
