Manage privacy requirements of the Montana Consumer Data Privacy Act (MTCDPA)

Montana’s privacy law requires covered businesses to give people clear notice, real choice, and reliable ways to opt out without compromising website performance.

With the Usercentrics Consent Management Platform (CMP), you can display a fully customizable cookie banner, support opt-outs for targeted advertising and data sales, and collect opt-in consent for sensitive data — while keeping analytics and advertising working based on real user preferences.

Common MTCDPA questions and answers
  • The Montana Consumer Data Privacy Act (MTCDPA) took effect October 24, 2024
  • Applies to: Businesses that do business in Montana or target Montana residents, and that meet the data-processing threshold (at least 25,000 residents) or the revenue threshold (25% of gross revenue and process data of at least 15,000 residents)
  • Montana residents have rights of access, correction, deletion, portability, non-discrimination, and opt-out for certain data uses
  • Must support an opt-out preference signal for data sale or targeted ads
  • Enforcement: Montana Attorney General
  • Cure period: 60 days, sunsets April 1, 2026

What does the MTCDPA require from businesses?

To meet MTCDPA requirements, businesses required to comply must provide a clear, up-to-date privacy notice explaining how personal data is collected, used, shared, or sold. They must offer an easy-to-use opt-out mechanism, such as a cookie banner, for the sale of personal data, targeted advertising, and certain profiling.

Businesses must also obtain affirmative opt-in consent before processing sensitive personal data and meet additional protection requirements for minors. They are expected to respond to consumer rights requests, maintain reasonable security safeguards, and document data protection assessments for higher-risk processing.

What are the risks of ignoring the MTCDPA?

Failing to meet Montana Consumer Data Privacy Act (MTCDPA) requirements can lead to enforcement action by the Montana Attorney General. The 60-day cure period sunsets on April 1, 2026, so businesses no longer have extra time to address issues after notification.

Beyond legal exposure, gaps in consent handling, opt-out mechanisms, or required notices can disrupt analytics and advertising workflows, create additional manual work for teams, and weaken customer trust. As more U.S. state privacy laws and updates take effect, inconsistent privacy controls can also lead to costly rework — and increase reputational risk.

Analytics and ads behave predictably based on real user choices. A well-configured cookie banner helps prevent broken tracking, data gaps, and last-minute fixes — your insights stay dependable.

Automatic cookie scanning and updates can keep your banner accurate as your site and legal requirements change. Less manual upkeep, fewer headaches, and more time for your team to focus on growth.

A clear, customized cookie banner keeps your visitors informed and gives them clear choices. The result: less friction, more trust, and mitigated legal risk from the start.

A flexible cookie banner and consent management platform helps you adapt as privacy expectations and state laws evolve — and as your company grows. You stay in control of tracking and monetization without scrambling to rework setups or risking interruptions.

“Honestly, it was click, click, click, done.”
— Web Application Development Manager, Gilson
Prepare your websites and apps for Montana privacy rules

Provide website visitors and app users with clear notice and meaningful choice — while keeping analytics and ads running smoothly. Start your free Usercentrics trial today. Manage legal and operational risk as privacy expectations and rules change.

Talk to our privacy experts

Usercentrics helps businesses operating in Montana provide visitors with clear notice and meaningful choice — without disrupting website or app performance, analytics, or advertising. Whether you’re preparing for MTCDPA requirements or managing multiple U.S. and global privacy laws, our team can help you protect your business and implement the right setup for your website.

  • Maintain reliable tracking and marketing performance as privacy rules evolve
  • Automate setup and updates to reduce ongoing maintenance
  • Address legal and operational risk with a single, scalable platform

Frequently asked questions

The MTCDPA applies to organizations that conduct business in Montana or target Montana residents with goods or services, and that meet one of the following thresholds:

  • Control or process personal data of at least 25,000 Montana residents in a calendar year, or
  • Derive at least 25 percent of gross revenue from the sale of personal data and control or process the personal data of at least 15,000 Montana residents.

Montana residents’ rights under the MTCDPA:

  • Right to access: Consumers can request confirmation of whether a controller processes their personal data and obtain access to that information, subject to certain exceptions.
  • Right to correction: Consumers can request that a controller correct inaccurate personal data or update outdated information they previously provided.
  • Right to delete: Consumers can request deletion of personal data a controller holds about them or collected from them, with some exceptions.
  • Right to data portability: Consumers can obtain a copy of personal data they previously provided to the controller in a readily usable format, subject to certain exceptions.
  • Right to non-discrimination: Controllers may not unlawfully discriminate against consumers, including when they exercise their privacy rights.
  • Right to opt out: Consumers can opt out of the sale of personal data, targeted advertising, or profiling used to make solely automated decisions that produce legal or similarly significant effects concerning them.

The MTCDPA generally follows an opt-out model, but requires opt-in consent before processing sensitive personal data (including data belonging to children). It also requires that consent be freely given, specific, informed, and unambiguous, and includes rules designed to prevent consent being obtained through dark patterns.

Controllers must respond to verified consumer requests within 45 days, with a possible 45-day extension when reasonably necessary. If a request is denied, consumers must be able to appeal and the controller must respond to appeals within 60 days.

Businesses must allow consumers to opt out of targeted advertising and the sale of personal data through an opt-out preference signal — such as the Global Privacy Control (GPC) — sent with the consumer’s consent. This requirement has been in effect since January 1, 2025.