In a year already marked by numerous state privacy developments, Montana has distinguished itself with bold legislative strides. The Montana Consumer Data Privacy Act (MCDPA), originally passed in 2023, has now been amended with even broader protections, signaling the state’s growing commitment to consumer privacy. These changes, signed into law by Governor Greg Gianforte on April 18, 2025, will take effect on October 1, 2025, and introduce sweeping updates that align Montana with leading privacy frameworks while also embedding unique elements that go a step further. 

Below, we break down the key aspects of Montana’s privacy law amendments, what they mean for businesses, and how they reflect a national patchwork of data protection regulation that continues to evolve. 

From Baseline to Bold: Montana’s Evolution in Privacy Law 

When the MCDPA was first enacted in 2023, it followed in the footsteps of other comprehensive privacy laws such as those in Virginia and Colorado. However, the recent amendments adopted through Senate Bill 52 make significant changes that shift Montana toward a more proactive and consumer-centric model. 

Key changes include: 

• Expansion of the definition of sensitive data 
• Stricter requirements around consent and dark patterns 
• Enhanced rights for consumers, particularly minors 
• New obligations around data minimization and secondary use 

These revisions bring Montana closer to the regulatory approaches of the California Consumer Privacy Act (CCPA) and the European Union’s GDPR in both substance and spirit. 

Expanded Definition of Sensitive Data 

One of the most notable changes in the revised MCDPA is the broadened definition of “sensitive data.” Previously, sensitive data included common categories such as racial or ethnic origin, religious beliefs, health data, and biometric information. The amendments now encompass: 

• Status as transgender or non-binary 
• Citizenship and immigration status 
• Financial data, including account numbers in combination with security codes 
• Precise geolocation, defined as data within a 1,750-foot radius 

This expanded scope not only recognizes the nuanced dimensions of identity but also reflects a growing trend of including socio-political and economic attributes within the protective umbrella of data privacy legislation. 

Affirmative Consent and Dark Patterns 

The amendments significantly strengthen the rules around consumer consent. Now, controllers must obtain clear, affirmative consent before processing sensitive data, and they are explicitly prohibited from using dark patterns to manipulate or mislead users into giving consent. 

Dark patterns are deceptive interface designs that trick users into actions they might not otherwise take, such as: 

• Making it difficult to opt out of data collection 
• Using confusing language or misleading visuals to push users toward accepting tracking 
• Hiding privacy options in hard-to-find settings 

Montana’s stance on dark patterns echoes recent enforcement trends from the Federal Trade Commission (FTC) and sets a high bar for transparent and ethical user interfaces. 

Children’s and Teens’ Data: New Protections for Minors 

The MCDPA amendments also prioritize protecting younger consumers. Specifically, they include heightened protections for the data of children and teens aged 13 to 15, a group often overlooked by privacy legislation. 

Key provisions include: 

• Controllers must obtain affirmative consent before processing personal data for targeted advertising or sales involving minors aged 13–15.
• If a controller knows that a consumer is under 13, they must comply with the federal Children’s Online Privacy Protection Act (COPPA) and obtain verifiable parental consent. 

This age-focused approach follows in the footsteps of laws in Connecticut and California, highlighting the increasing national concern over the digital privacy of minors. 

Data Minimization and Purpose Limitation 

Montana’s revised law adopts a strong stance on limiting data use. It introduces principles of data minimization, which require that: 

• Personal data collected must be adequate, relevant, and reasonably necessary for the disclosed purposes. 
• Controllers cannot process data for purposes that are not reasonably necessary or compatible with the original purpose without new consent. 

This provision reflects a move toward purpose-based processing limitations that are core to the GDPR, going beyond the mere notice-and-choice framework common in earlier state laws. 

Alignment and Divergence: Montana in the National Privacy Landscape 

While Montana’s amendments bring it closer to laws in California, Colorado, and Connecticut, they also introduce unique elements that set the state apart. The law avoids a one-size-fits-all approach, instead favoring tailored safeguards for specific data categories and consumer groups. 

Compared to other states: 

• Montana’s protections for teens are more specific than many state counterparts. 
• The definition of sensitive data is among the most comprehensive. 
• The requirement for affirmative consent across a wider range of processing activities is relatively rare outside California. 

Businesses that already comply with other state laws will find some familiar obligations, but the unique features of Montana’s amendments mean that a one-to-one compliance model won’t suffice. 

What Businesses Should Do to Prepare 

Organizations subject to the MCDPA should begin preparing now for the October 1, 2025 effective date. Key action items include: 

• Review data collection practices, especially regarding minors and sensitive data 
• Update consent mechanisms to eliminate dark patterns and capture affirmative consent 
• Revise privacy policies to reflect new data minimization and purpose limitation obligations 
• Train internal teams on the revised requirements and how to handle consumer rights requests 

Early compliance efforts will not only reduce regulatory risk but also enhance consumer trust which is an increasingly valuable asset in today’s privacy-conscious market. 

Montana’s Message Is Clear—Privacy Matters 

Montana’s expanded Consumer Data Privacy Act sends a strong signal: privacy is no longer a luxury or regional concern. It’s a core expectation that state governments are willing to legislate robustly. By enhancing consumer rights, setting high standards for consent, and protecting vulnerable populations like minors, Montana has positioned itself as a leader in the evolving U.S. privacy landscape. 

As the national conversation around a federal privacy law continues to stall, state laws like Montana’s will increasingly shape the operational and ethical standards for data governance. The “Big Sky” state is showing that when it comes to privacy, it’s ready to think big and act boldly.