MCDPA Fines: What We Know So Far

Scott Dooley
Jan 24, 2026 · Last updated: January 1, 2026

The Montana Consumer Data Privacy Act (MCDPA) took effect on October 1, 2024, making it one of the newer US state privacy laws. The law notably does not cap monetary penalties, giving the Montana Attorney General significant enforcement discretion.

How MCDPA Enforcement Works

The Montana Attorney General has exclusive enforcement authority under the MCDPA. Consumers cannot bring private lawsuits for violations.

Businesses receive a 60-day cure period to address alleged violations before enforcement proceeds. This cure period expires on April 1, 2026, after which the Attorney General can pursue penalties immediately.

No penalty caps. Unlike most state privacy laws, the MCDPA does not specify maximum fines per violation. This gives the Attorney General discretion to impose higher penalties than would be possible in states like Colorado, which caps total penalties at $500,000.

Enforcement Status

As of January 2026, the Montana Attorney General has not publicly announced enforcement actions resulting in fines under the MCDPA. The law has been in effect for approximately 15 months, with the 60-day cure period still active.

The absence of public enforcement actions is typical for state privacy laws during their initial period, particularly when cure periods allow violations to be resolved before formal proceedings.

Enforcement Considerations

Several factors make the MCDPA enforcement environment notable:

Lower thresholds. Montana’s thresholds are among the lowest of any state, particularly after the October 2025 amendments reduced them to 25,000 consumers (or 15,000 for data sellers). More businesses are covered, which could mean more enforcement opportunities.

Uncapped penalties. The lack of a penalty cap means the Attorney General could impose significantly larger fines than other states. A violation affecting thousands of consumers could result in multi-million-dollar exposure.

Longer cure period. The 60-day cure period (compared to 30 days in many states) gives businesses more time to address issues, but this also delays the start of penalty-driven enforcement until April 2026.

Expected Focus Areas

Based on the MCDPA’s requirements and patterns in other states, businesses should anticipate scrutiny in these areas:

Universal opt-out mechanisms. Since January 2025, businesses must honor signals like Global Privacy Control. This is an easily verifiable requirement that could be checked at scale.

Sensitive data consent. Processing sensitive data without consent is a clear violation. Montana’s definition includes health data, precise geolocation, and biometric identifiers.

Data minimization. The MCDPA requires data collection to be limited to what is reasonably necessary for disclosed purposes. Over-collection is a potential enforcement target.

Lowered thresholds. Businesses that previously did not meet Montana’s thresholds should reassess under the October 2025 changes. Processing data of 25,000 Montana consumers now triggers full compliance obligations.

What This Means for Your Organization

Montana’s combination of low thresholds and uncapped penalties creates meaningful enforcement risk. While no public fines have been announced yet, this does not indicate lenient enforcement.

Businesses should:

  • Confirm whether they meet the lowered October 2025 thresholds
  • Implement Global Privacy Control support
  • Document consent mechanisms for all sensitive data processing
  • Review data collection practices against the minimization requirement
  • Prepare for the cure period expiration in April 2026

The uncapped penalty structure makes proactive compliance particularly important. A violation that might result in a capped fine in Colorado or Virginia could potentially lead to much larger exposure in Montana.

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.