Montana MTCDPA AI Compliance 2026: The Cure Period Already Expired
Montana's Consumer Data Privacy Act took effect October 1, 2024 with a 60-day right to cure built in — but unlike New Jersey's cure right, which is tied to a fixed number of months after the law's own effective date, Montana's sunset on a hard calendar date: April 1, 2026. That date has already passed. AI companies operating in Montana no longer have a statutory grace period before facing enforcement.
Does MTCDPA Apply to Your AI Product?
MTCDPA applies to controllers that conduct business in Montana or produce products or services targeted at Montana residents and that, during a calendar year, control or process the personal data of at least 50,000 consumers, or control or process the data of at least 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.
That 50,000-consumer floor is unusually low. Virginia, Colorado, and Kentucky all set the primary threshold at 100,000 consumers. An AI SaaS product with a modest but active Montana user base — a mid-market tool with a few hundred paying accounts and their associated end users, for instance — can clear MTCDPA's threshold well before it would trigger obligations in most other states.
Why the Sunset Date Matters Now
Montana structured its cure right differently from most peer states. Rather than tying the sunset to a fixed number of months after the law's own effective date — the approach New Jersey took, with an 18-month window from its January 15, 2025 effective date — Montana wrote a specific calendar date directly into the statute: April 1, 2026.
That means every AI company operating in Montana had roughly 18 months of runway to build compliance infrastructure while still benefiting from a formal right to fix violations before facing enforcement. That runway is gone. Any compliance gap identified by the Montana Attorney General from April 1, 2026 forward can proceed straight to an enforcement action, with no statutory obligation to offer a warning or a chance to remediate first.
Consumer Rights and AI Profiling
Profiling opt-out
Consumers can opt out of profiling in furtherance of decisions that produce legal or similarly significant effects — credit, employment, housing, healthcare, insurance, and education outcomes.
Targeted advertising opt-out
Consumers can opt out of personal data being used for targeted advertising.
Sale of data opt-out
Consumers can opt out of the sale of their personal data to third parties, including data-licensing arrangements with AI model developers.
Data Protection Assessments
Processing that presents a heightened risk of harm — including certain profiling — requires a documented data protection assessment before the processing begins, and the AG can request it during an inquiry.
MTCDPA Compliance Checklist for AI Companies
- ☐Track Montana consumer counts against the 50,000-consumer threshold — it is lower than most peer states, so reassess more frequently as your user base grows
- ☐Separately check the 25,000-consumer alternate trigger tied to the 25%-of-revenue data-sale test
- ☐Document your threshold determination and refresh it at least quarterly
- ☐Build opt-out flows for profiling, targeted advertising, and data sale
- ☐Document which AI-driven decisions fall into the legal-or-significant-effect category
- ☐Make sure your privacy notice discloses the categories of personal data processed and shared
- ☐Complete a data protection assessment before deploying profiling that carries a foreseeable risk of unfair treatment
- ☐Retain assessments in case the Attorney General requests them during an inquiry
- ☐Update assessments when the underlying AI model or its training data materially changes
- ☐Do not assume a cure notice will be offered for any new violation — the April 1, 2026 sunset has already passed
- ☐Resolve any known gaps in opt-out flows or assessments immediately rather than waiting for a warning
- ☐Retain records supporting your scope and threshold determinations in case of an AG inquiry
See where your AI product is exposed
RatedWithAI helps SaaS and platform teams surface compliance and trust gaps across their web properties. Start with a free scan to understand how your product presents to users and regulators alike.
Scan Your Product for Free →Frequently Asked Questions
How does Montana's cure sunset compare to New Jersey's or Delaware's?
New Jersey's cure right sunset 18 months after its own January 15, 2025 effective date — July 15, 2026. Delaware's sunset on a fixed calendar date, December 31, 2025, that was also unrelated to its own effective date. Montana's is similarly a fixed calendar date — April 1, 2026 — set directly by the legislature rather than calculated from the law's October 1, 2024 effective date. All three are now expired, but each state reached that point on a different structural basis.
Does the 25% revenue threshold in MTCDPA's alternate trigger include data-sharing discounts?
MTCDPA's alternate threshold is based on deriving more than 25% of gross revenue from the sale of personal data, a narrower test than some peer states that also count non-cash benefits like discounts. Businesses should still document how any data-sharing arrangement is compensated and confirm whether it falls within the statutory definition of a 'sale.'
Does MTCDPA apply to AI models trained before the law took effect?
MTCDPA regulates ongoing processing and disclosure of personal data, not the historical training event itself. If a covered business continues to process, use, or profile with data collected from Montana consumers after the law's October 1, 2024 effective date, that processing is in scope regardless of when the underlying model was originally trained.