Montana Revamps its Privacy Law
Montana’s governor signed Senate Bill 297 to overhaul key portions of the state’s Consumer Data Privacy Act and bring new protections for minors. The changes bring lower thresholds, updated exemptions, expanded notice requirements, new (to Montana) obligations for minors’ data, and more. Oh, and the bill removes the right to cure a few months ahead of schedule.
Effective Date
The changes take effect October 1, 2025.
Applicability
Reduces processing thresholds to 25,000 consumers (from 50,000) and only 15,000 consumers (from 25,000) if the company makes more than 25% of its revenue from selling personal data. And the bill introduces a completely new (and lower) standard for determining whether the enhanced protection for minors applies—more on that below.
Exemptions
Eliminates the Gramm–Leach–Bliley Act (GLBA)-entity exemption (but keeps the data exemption) while adding exemptions for banks, insurers, insurance producers, and others in a similar vein. The law also limits the nonprofit exemption to nonprofits that detect/prevent fraud in connection with insurance.
Access Requests
Prohibits sharing certain sensitive details (e.g., social security numbers) in response to an access request. But, like California, the bill requires informing the consumer that such data was collected.
Opt-Outs
Adds a requirement to provide a “clear and conspicuous method outside the privacy notice” for opting out of sales or targeted advertising, such as including a “Your Privacy Rights” link in the footer.
Profiling
Expands the right to opt out of profiling by subjecting profiling in furtherance of automated decisions to the right, not just “solely” automated decisions.
Privacy Notice
Adds more requirements that track changes Minnesota introduced to the “standard” notice legislation. For example, a company must explain the consumer’s rights, state when the notice was last updated, provide the notice in languages in which the company provides a product/service, ensure the notice is reasonably accessible to people with disabilities, and notify consumers of material changes.
Right to Cure
Eliminates the right to cure, which was set to expire in April 2026. But, when discussing the availability of penalties (section 12), the bill suggests a 30-day cure period exists. [My guess: the 30-day language was inadvertently left in from an earlier draft.]
Civil Penalties
Adds a maximum civil penalty of up to $7,500 per violation while empowering the attorney general to seek injunctions, attorney’s fees, and reasonable expenses.
Minors
Creates a range of new restrictions and obligations for companies that offer an online product, service, or feature to consumers they know (or willfully disregard) are minors. These provisions, which largely track recent amendments in Colorado and Connecticut, include:
- Safeguards. Provide “readily accessible and easy-to-use safeguards” to limit the ability of an adult to send unsolicited communications to a minor.
- Engagement. Refrain from using system design to “significantly increase, sustain, or extend” the minor’s engagement with the service, product, or feature—unless the minor (or their parent) consents.
- Reasonable Care. Use reasonable care to avoid a heightened risk of harm caused by a company’s activities. [But there is a rebuttable presumption that a company used such care if it complies with the other provisions concerning minors.]
- Data Protection Assessments. Conduct a data protection assessment for the online product, service, or feature if it poses a “heightened risk of harm to minors” and implement a plan to mitigate or eliminate such risk. These requirements only apply to processing activities beginning on or after October 1, 2025.
- Processing Restrictions. Obtain consent from the minor—or, for people under 13, their parent—prior to (1) selling their data, using it for targeted advertising, or engaging in certain profiling; (2) processing their data for any purpose that is neither disclosed at the time of collection nor “reasonably necessary for and compatible with” such purpose; (3) retaining the data for longer than is reasonably necessary to provide the product, service, or feature; or (4) collecting their precise geolocation, except under narrow circumstances.
The above provisions on minors apply only if a company “conducts business” in Montana or “deliver[s] commercial products or services” that are “intentionally targeted” at Montana residents, even if the company doesn't meet the general thresholds for Montana's Consumer Data Privacy Act.