Libbie Canter, Lindsey Tonsager, Jayne Ponder, Tian Kisch, Jessica Ke, Sierra Stubbs, and Bryan Ramirez of Covington and Burling write:
On April 15, 2025, the Montana legislature unanimously passed Montana SB 297, a bill that would amend the Montana Consumer Data Privacy Act (“MTCDPA”) with provisions expanding online data protections for minors, narrowing the exemptions under the Gramm-Leach-Bliley Act, and removing a controller’s right to cure, among others. We outline some key provisions below.
- Applicability: SB 297 would lower the processing thresholds for the law to apply, and notably, would make sections related to minors applicable to any entity that conducts business in the state or delivers commercial products and services intentionally targeted to Montana residents, regardless of how much data that entity processes.
- Exempted Entities: SB 297 would amend several current exemptions in the MTCDPA, including exemptions for financial institutions and non-profit entities. SB 297 would create a new exception for insurers, insurance providers, and third-party administrators of self-insurance and affiliates or subsidiaries.
- Consumer Rights: SB 297 would require a clear and conspicuous mechanism outside of the privacy notice to exercise an opt-out of sale or targeted advertising request, which the text states may include a “your opt-out rights” or “your privacy rights” link. The proposed text also amends the profiling opt-out right by striking the “solely” modifier for automated decisions, similar to the approach under Virginia’s comprehensive privacy law. Additionally, SB 297 amends the access right to limit certain types of personal data from being provided in response to an access request, such as SSN or account passwords.
Read more about the key provisions at Inside Privacy.