
Montana Consumer Data Privacy Act (MTDPA)

Montana Consumer Data Privacy Act (MTDPA) compliance. Lowest consumer threshold at 50,000 consumers. Covers sensitive data consent, universal opt-out recognition, consumer rights, controller obligations, 60-day cure period, and AG enforcement. Effective October 1, 2024.

ID: us.data-protection.montana-mtdpa
Version: 0.1.0
License: Apache-2.0
Author: mukul975
Language: en
Added: 2026-06-01

Overview

The Montana Consumer Data Privacy Act (MTDPA), codified as MCA §30-14-2801 through §30-14-2817, was signed into law on May 19, 2023 (SB 384), and became effective October 1, 2024. Montana is notable for having the lowest consumer count threshold of any comprehensive state privacy law, at 50,000 consumers, which makes the law applicable to smaller organizations that operate in Montana or target Montana residents.

Applicability (§30-14-2803)

The MTDPA applies to persons that conduct business in Montana or produce products or services targeted to Montana residents AND during a calendar year:

  1. Control or process personal data of at least 50,000 Montana consumers (excluding data processed solely for payment transactions); OR
  2. Control or process personal data of at least 25,000 Montana consumers AND derive more than 25% of gross revenue from the sale of personal data.

Lowest threshold: The 50,000 consumer threshold is the lowest among comprehensive state privacy laws (most states use 100,000).

Exemptions (§30-14-2803(3)):

  • State and local government entities
  • GLBA-covered financial institutions (entity-level)
  • HIPAA covered entities and business associates (entity-level)
  • Nonprofit organizations
  • Institutions of higher education
  • Air carriers

Liberty Commerce Inc. Assessment: Liberty Commerce Inc. processes personal data of approximately 28,000 Montana consumers. It does not meet either threshold but maintains compliance as part of its multi-state program.

Consumer Rights (§30-14-2808)

Five Consumer Rights

  1. Right to Access (§30-14-2808(1)(a)): Confirm processing and access personal data
  2. Right to Correct (§30-14-2808(1)(b)): Correct inaccuracies
  3. Right to Delete (§30-14-2808(1)(c)): Delete personal data
  4. Right to Portability (§30-14-2808(1)(d)): Obtain data in portable, readily usable format
  5. Right to Opt Out (§30-14-2808(1)(e)):
    • Targeted advertising
    • Sale of personal data
    • Profiling in furtherance of decisions producing legal or similarly significant effects

Response Requirements (§30-14-2810)

  • Respond within 45 days
  • Extension: up to 15 additional days (total 60 days) with notice — shorter extension than most states
  • At least one free response per 12 months per right
  • Appeal: controller must respond within 60 days

Sensitive Data (§30-14-2801(19))

Categories

  1. Racial or ethnic origin
  2. Religious beliefs
  3. Mental or physical health condition or diagnosis
  4. Sexual orientation
  5. Citizenship or immigration status
  6. Genetic or biometric data for identification
  7. Personal data of a known child
  8. Precise geolocation data

Consent Requirement

Processing sensitive data requires opt-in consent before processing. Consent must be freely given, specific, informed, and unambiguous.

Universal Opt-Out Recognition (§30-14-2808(3))

The MTDPA requires controllers to recognize universal opt-out mechanisms:

  • Must process universal opt-out signals as valid requests to opt out of targeted advertising and sale
  • Must not require additional verification for opt-out signals
  • Must apply at browser/device level for unauthenticated consumers
  • Must apply at account level for authenticated consumers
  • GPC is recognized as a compliant mechanism

Effective date: October 1, 2025 (one year after MTDPA effective date)

Controller Obligations (§30-14-2806)

  1. Purpose limitation: Adequate, relevant, and reasonably necessary
  2. Data minimization: Not excessive in relation to purposes
  3. Data security: Appropriate technical and organizational measures
  4. Non-discrimination: No processing in violation of antidiscrimination laws
  5. Sensitive data consent: Opt-in before processing
  6. Privacy notice: Clear and reasonably accessible

Privacy Notice Requirements

  • Categories of personal data processed
  • Purposes for processing
  • Consumer rights and exercise instructions
  • Categories shared with third parties
  • Categories of third parties
  • Contact information

Data Protection Assessments (§30-14-2812)

Required for:

  • Targeted advertising
  • Sale of personal data
  • Profiling with significant effects
  • Sensitive data processing
  • Any processing presenting heightened risk

Enforcement (§30-14-2816)

Attorney General Authority

  • Exclusive enforcement — no private right of action
  • May investigate and bring action under Montana Consumer Protection Act (§30-14-103)

60-Day Cure Period (§30-14-2816(2))

  • AG must provide written notice of alleged violation
  • Controller has 60 days to cure
  • If cured: AG may not bring action
  • No sunset provision — cure period is permanent

Penalties

  • Civil penalties per Montana Consumer Protection Act
  • Injunctive relief
  • Attorney fees and costs

Comparison: Threshold Analysis

State         Consumer Threshold (Option 1)    Consumer Threshold (Option 2)    Revenue %
Montana       50,000                           25,000                           25%
Virginia      100,000                          25,000                           50%
Colorado      100,000                          25,000                           Any
Connecticut   100,000                          25,000                           25%
Oregon        100,000                          25,000                           25%
Texas         N/A (non-SBA small business)     N/A                              N/A
California    100,000 households               N/A                              50%

Key Regulatory References

  • MCA §30-14-2801 through §30-14-2817 (MTDPA)
  • MCA §30-14-103 et seq. (Montana Consumer Protection Act — enforcement)
  • Montana AG Consumer Protection Division guidance
