Montana
💡 Last Updated October 2025. Written with contributions from both human authors and LLMs. If you find incorrect or outdated information let us know at support@optery.com.
Montana's MTCDPA gives you the right to opt out of data brokers.
What the MCDPA does for you
Under Montana's Consumer Data Privacy Act (MCDPA), you have the right to know what personal data businesses collect about you, access and correct it, ask for it to be deleted, and download a portable copy. You can also opt out of your data being sold, used for targeted advertising, or used in automated decisions that significantly affect you. These rights apply to Montana residents dealing with covered businesses.
Your rights under the MCDPA
Right to Know
You have the right to confirm whether a business is processing your personal data and to access that data. The business must respond within 45 days, with a possible 45-day extension.
Exceptions: Does not apply if confirming or providing access would require the controller to reveal a trade secret; Does not apply to pseudonymous data when identifying information is kept separately with effective technical controls; Free responses required only once per 12-month period; fees may apply for manifestly unfounded, excessive, or repetitive requests.
Source: SB 384, Section 5(1)(a)
Right to Delete
You have the right to ask a business to delete the personal data it holds about you. The business must comply or, if it obtained your data from another source, it may instead keep a minimal record of the deletion request to ensure your data stays deleted.
Exceptions: Does not apply if the business cannot reasonably associate the request with the personal data; Does not apply to data the controller is required to retain by law; Does not apply to pseudonymous data when identifying information is kept separately with effective technical controls; Does not apply to data needed to complete a transaction or fulfill a contract you requested.
Source: SB 384, Section 5(1)(c)
Right to Correct
You have the right to ask a business to correct inaccurate personal data it holds about you, taking into account the nature of the data and the purposes for which it is processed.
Exceptions: Does not apply to pseudonymous data when identifying information is kept separately with effective technical controls.
Source: SB 384, Section 5(1)(b)
Right to Opt Out of Sales
You have the right to opt out of a business selling your personal data to third parties for money or other valuable consideration. Businesses must provide a clear link on their website to let you exercise this right.
Exceptions: Does not apply to disclosures to processors acting on the controller's behalf; Does not apply to disclosures to third parties to provide a product or service you requested; Does not apply to disclosures to affiliates of the controller; Does not apply to disclosures the consumer directed or where consumer intentionally used the controller to interact with a third party; Does not apply to data transfer as part of a merger, acquisition, or bankruptcy transaction.
Source: SB 384, Section 5(1)(e)(ii)
Right to Opt Out of Processing
You have the right to opt out of your personal data being processed for targeted advertising — where ads are selected based on your activity across different websites and apps over time.
Exceptions: Does not apply to ads based on your activity within a single controller's own websites or apps; Does not apply to ads based on your current search query or current page visit; Does not apply to ads shown in response to your direct request for information.
Source: SB 384, Section 5(1)(e)(i)
Right to Opt Out of Automated Decisions
You have the right to opt out of your personal data being used in solely automated profiling that produces legal or similarly significant effects — such as decisions about loans, housing, insurance, employment, education, health care, or other major life areas.
Exceptions: Only applies to solely automated decisions with legal or similarly significant effects; Does not restrict human-reviewed decisions.
Source: SB 384, Section 5(1)(e)(iii)
Right to Data Portability
You have the right to obtain a copy of the personal data you previously provided to a business, in a portable and, where technically feasible, readily usable format so you can transfer it to another company.
Exceptions: Only applies to data previously provided by the consumer to the controller; Only applies when processing is carried out by automated means; Does not require the controller to reveal a trade secret; Free responses required only once per 12-month period.
Source: SB 384, Section 5(1)(d)
Right to Non-Discrimination
A business cannot discriminate against you for exercising your privacy rights. This means they cannot deny you goods or services, charge you different prices, or give you a lower quality of service just because you exercised a right under this law.
Exceptions: A controller may offer different prices or levels of service in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, or club card program; A controller may offer different prices if the consumer has opted out and the difference is related to the value of the consumer's data.
Source: SB 384, Section 7(2)(e)
Right to Limit Sensitive Data
Businesses must obtain your consent before processing your sensitive personal data — which includes information about your race or ethnicity, religion, health, sex life, sexual orientation, immigration status, genetic or biometric data, precise location, or data about children.
Exceptions: Controllers complying with COPPA's verifiable parental consent requirements are deemed compliant for children's data; Sensitive data processed in compliance with applicable federal health laws may be exempt.
Source: SB 384, Section 7(2)(b)
How to exercise your rights
- See which data brokers have your information. Optery scans 200+ brokers to show you what’s exposed. Start a free scan →
- Submit a MCDPA deletion or opt-out request. Covered businesses have 45 days to respond (SB 384, Section 5(4)), with up to 45 additional days if they invoke the extension provision.
- Let Optery automate the whole process. We submit opt-out and deletion requests on your behalf, track compliance, and resubmit whenever brokers re-add your data. Sign up free →
Authorized agents
The MCDPA mentions authorized agents only in the context of opt-out requests (Mont. Code Ann. § 30-14-2401 et seq.). Data brokers may choose to — but are not required to — honor deletion requests submitted by an authorized agent. In practice, many brokers do accept agent-submitted deletion requests. Optery handles both types on your behalf where permitted.
Enforcement and penalties
The MCDPA is enforced by Montana Attorney General. The Montana Attorney General has exclusive authority to enforce this law. Before filing a lawsuit, the AG must send the business a written notice of the violation. The business then has 60 days to fix the problem. If it does and provides a written statement promising compliance, no action will be taken. If the business fails to correct the violation within that 60-day window, the AG may bring an enforcement action. The statute does not specify a maximum penalty amount per violation. There is no private right of action — individual consumers cannot sue directly under this law.
Who does the MCDPA apply to?
The MCDPA applies to businesses that operate in Montana or target products/services to Montana residents, and either (1) control or process the personal data of at least 50,000 consumers per year (not counting data processed solely to complete a payment), or (2) control or process the personal data of at least 25,000 consumers and earn more than 25% of their gross revenue from selling personal data. Government agencies, nonprofits, universities, and certain regulated financial and health-care entities are exempt.
Frequently asked questions
Which businesses does Montana's privacy law cover?
The MCDPA applies to businesses that conduct business in Montana or target Montana residents and either process the personal data of at least 50,000 consumers per year, or process the data of at least 25,000 consumers and earn more than 25% of their gross revenue from selling personal data (SB 384, Section 3). Government agencies, nonprofits, colleges and universities, and companies covered by certain federal laws like HIPAA and Gramm-Leach-Bliley are exempt (SB 384, Section 4).
How long does a business have to respond to my privacy rights request?
A business must respond to your request within 45 days of receiving it (SB 384, Section 5(4)(a)). The business can extend that deadline by an additional 45 days if your request is complex or if you have made multiple requests, but it must notify you of the extension within the original 45-day period and explain why.
Can I use a third party or service like Optery to opt out on my behalf?
Yes — Montana's law expressly allows you to designate an authorized agent to submit opt-out requests on your behalf for targeted advertising, data sales, and automated profiling decisions (SB 384, Section 5(3)(a) and Section 6). The business must honor such requests if it can verify your identity and the agent's authority with commercially reasonable effort. Note that authorized agents are only explicitly permitted for opt-out requests, not for access, correction, deletion, or portability requests.
What happens if a business violates the law?
The Montana Attorney General has exclusive authority to enforce the MCDPA (SB 384, Section 12(1)). Before taking action, the AG must notify the business of the violation and give it 60 days to fix the problem. If the business corrects the violation and provides a written commitment to comply, no enforcement action will be taken. There is no private right of action, meaning individual consumers cannot sue businesses directly under this law (SB 384, Section 12(3)).
What is 'sensitive data' and does it get extra protection?
Sensitive data includes information about your race or ethnicity, religion, mental or physical health, sex life, sexual orientation, citizenship or immigration status, genetic data, biometric data used to identify you, your precise location (within about 1,750 feet), and personal data collected from children (SB 384, Section 2(24)). Businesses must obtain your explicit consent before processing sensitive data — they cannot process it based on buried terms of service or inaction on your part (SB 384, Section 7(2)(b)).