Alert
Montana Amends Consumer Data Privacy Act, Removes Financial Institution Exemption
On May 8, 2025, the governor of Montana signed into law SB 297, which amends the Montana Consumer Data Privacy Act (MCDPA). The amendments become effective on October 1, 2025.
Among other things, SB 297:
- amends the scope and applicability of the MCDPA,
- substantially narrows a heavily relied upon financial institution exemption,
- revises the enforcement process, and
- adds responsibilities for data controllers.
Covered financial institutions that maintain personal data regarding Montana residents should evaluate their compliance with the MCDPA in advance of the effective date.
Scope and Applicability
SB 297 revises the MCDPA to lower the data processing threshold for Montana consumers that triggers the applicability of the law. Under the SB 297 amendments, the MCDPA now applies to any person conducting business in Montana or producing products or services targeted to Montana residents who: (1) controls or processes the personal data of at least 25,000 consumers (previously 50,000); or (2) controls or processes the personal data of at least 15,000 consumers (previously 25,000) and derives more than 25% of gross revenue from the sale of personal data.
Financial Institution Exemption
Perhaps most notably, SB 297 removes the broad entity-level exemption from the MCDPA for financial institutions or affiliates of financial institutions governed by the Gramm-Leach-Bliley Act (GLBA), and replaces it with a narrower exemption that is available only to depository institutions and their affiliates.
Prior to SB 297, the MCDPA included a wholesale exemption from the law for a “financial institution or an affiliate of a financial institution governed by” the GLBA. SB 297 has removed this exemption, making most GLBA-covered financial institutions subject to the MCDPA. While the law still has a data-level exemption for “personal data collected, processed, sold, or disclosed in accordance with” the GLBA, the data-level exemption requires financial institutions that will now be within the scope of the MCDPA to categorize their consumer data to determine which data may be exempt from the MCDPA.
By removing the entity-level GLBA financial institution exemption, Montana now joins the minority group of other states (i.e., California, Minnesota, Oregon) that do not have the typical entity-level GLBA financial institution exemption from their state data privacy law. As a result, non-depository GLBA financial institutions now subject to the MCDPA should evaluate whether they meet the MCDPA coverage thresholds and whether they maintain covered data. If they do, they are now required to provide consumers with the various rights the MCDPA mandates (e.g., right to access data, correct inaccuracies, delete personal data, obtain a copy of data, opt out of certain processing), and to comply with the numerous duties imposed on controllers of personal data.
Note that while the recent MCDPA amendment removed the exemption for GLBA financial institutions, it also added an entity-level exemption for state or federally chartered banks or credit unions and their affiliates and subsidiaries. As a result, it appears that the intent of the amendment was only to bring non-depository GLBA financial institutions (e.g., online lenders, auto-finance companies) under the scope of the MCDPA.
Other Changes to the Law
Among other things, SB 297 provides additional required content that controllers must include in the MCDPA-required online consumer privacy notice, including an explanation of consumer rights and an indication of when the policy was last updated. Controllers must also now notify consumers of material changes to the privacy notice.
SB 297 also revises the opt-out requirement if the controller sells personal data to third parties or processes data for targeted advertising. Controllers must now provide a conspicuous opt-out method in the privacy notice and another opt-out method outside of the privacy notice.
In addition, SB 297 amended some aspects of the enforcement process under the MCDPA. Under prior law, the MCDPA required the Montana Attorney General to issue a notice of a violation and allow 60 days for violations to be cured before initiating an enforcement action. SB 297 now removes the prior notice and cure period and simply provides that the attorney general may issue a civil investigative demand if there is reasonable cause to believe that a person has violated the MCDPA.
Preparing for Compliance
Businesses providing a consumer product or service to Montana consumers should review SB 297 to determine the compliance changes that may be required. An entity already subject to the law should review the changes to existing law, including the new privacy policy and opt-out requirements, to ensure the entity’s compliance procedures are up to date. Moreover, any financial institutions that previously relied on the entity-level exemption should review the entire law, including the pre-existing consumer rights and data controller obligations, to ensure they are ready for the October 1, 2025, effective date.
Reprinted with permission from the American Bar Association’s Business Law Today May 2025, Month-In-Brief: Business & Regulated Industries.