Montana Amends Consumer Data Privacy Act

On April 15, 2025, the Montana legislature passed SB 297, which amends the Montana Consumer Data Privacy Act (the “MTCDPA”). The bill now awaits signature by the Montana governor.

Key provisions of SB 297 include:

  • Applicability and Exemptions:
    • SB 297 lowers the processing thresholds triggering application of the law. With the exception of the law’s minor privacy provisions (see below), SB 297 amends the MTCDPA to apply to entities that either: (1) control or process the personal data of 25,000 Montana consumers (down from 50,000) (except for personal data processed solely to complete a transaction); or (2) control or process the personal data of at least 15,000 Montana consumers (down from 25,000) and derive more than 25% of gross revenue from the sale of personal data.
    • With respect to the personal data of minors (under the age of 18), SB 297 specifies that the MTCDPA’s minor privacy provisions apply to any entity that either “conduct[s] business” in Montana or “deliver[s] commercial products or services that are intentionally targeted to” Montana residents.
    • SB 297 also revises the scope of entities exempt from the law’s application, including by narrowing the exemption for non-profit organizations and introducing a new exemption for insurers.
  • Transparency: SB 297 enhances transparency requirements by bringing the MTCDPA’s privacy notice requirements more in line with other state comprehensive privacy laws. SB 297 adds privacy notice content requirements, including a requirement to explain the rights afforded under the MTCDPA and to provide a “last updated date” each time a privacy notice is updated. SB 297 also requires that the notice be made available in each language in which the controller provides or carries out activities related to its relevant products or services. Additionally, SB 297 requires an entity’s privacy notice to be posted online through a conspicuous hyperlink using the word “privacy” on the controller’s website homepage or application store/download page, among other requirements.
  • Minor Privacy Protections: SB 297 introduces stricter requirements for processing the personal data of minors. Specifically, it adds new definitions related to processing student data and a new definition of “adult,” which is defined as an individual who is 18 or older. It also imposes new requirements to conduct data protection assessments for processing activities that impose a heightened risk of harm to minors.
  • Individual Rights: Similar to other comprehensive state privacy laws, SB 297 requires controllers to provide individuals with a clear and conspicuous method outside of the entity’s privacy notice to opt out of the sale of personal data or the use of personal data for targeted advertising. In addition, SB 297 limits the types of personal data that must be provided by the controller in response to an access request. For example, controllers are not required to disclose Social Security numbers, government-issued IDs or driver’s license numbers or financial account numbers, among other items.
  • Enforcement: SB 297 removes the MTCDPA’s guaranteed 60-day cure period in the event of an alleged violation and grants the Montana AG the power to issue a request for a data protection assessment conducted by the controller as part of a civil investigative demand. Furthermore, SB 297 introduces civil penalties of up to $7,500 for each violation.
