
Apr 19, 2026 · 8 min read

Montana Just Became the First State That Can Sue You for a Privacy Violation Without Warning

The MCDPA's 60-day cure period sunset on April 1, 2026. Email marketers ignoring Global Privacy Control signals are now a direct litigation target, and the statute lets the AG count every affected consumer as a separate violation.

At 12:01 a.m. on April 1, 2026, something quiet but significant happened in Helena. The 60-day cure period under Montana's Consumer Data Privacy Act expired, and the state Attorney General's Office gained the authority to file enforcement actions against businesses for privacy violations without first giving them a warning letter.

For the previous 18 months, if Montana's AG discovered a company was out of compliance—missing privacy notices, ignoring opt-out signals, mishandling biometric data—the office had to send a notice, wait 60 days, and only sue if the business failed to fix the problem. That grace period is gone. Starting April 1, Montana can file directly, and the penalty starts at $7,500 per violation.


What Actually Changed

Montana's Consumer Data Privacy Act took effect October 1, 2024. Like most of the state privacy laws that followed California's CCPA, it included a two-part enforcement timeline:

  • A "cure period" during which the AG had to give notice and 60 days to fix issues
  • An automatic sunset of that cure period 18 months after the law took effect

April 1, 2026 is exactly 18 months after October 1, 2024. The legislature baked that sunset directly into the statute—no additional action was required. On March 31, businesses had a safety net. On April 1, they did not.

This matters more than it sounds. Most state privacy violations are configuration errors or process gaps: a website that does not honor Global Privacy Control signals, a vendor contract missing required data processing terms, a privacy notice that fails to list a specific category. These are all fixable in 60 days. Under the old regime, most violations were not going to become lawsuits. Under the new regime, they can.

The Penalty Math Is Worse Than It Looks

The maximum fine under Montana's law is $7,500 per violation. That number alone does not sound existential. The phrasing that makes it existential is how "violation" gets counted.

Montana's statute lets the AG argue that each affected consumer counts as a separate violation. So a single systemic failure—say, ignoring Global Privacy Control signals from Montana residents for six months—multiplies by the number of Montana users hit by it. A mid-sized e-commerce site with 50,000 Montana customers and a broken opt-out signal could theoretically face up to $375 million in exposure from a single configuration failure.

In practice, AG offices rarely push for the maximum. But they do use the ceiling as leverage. Connecticut's privacy enforcement report from February 2026 showed the AG's office pursuing settlements in the low millions using the same "per consumer" framing. Expect Montana to follow the same playbook.

Email Marketing and Tracking Pixels Are Exposed

Email marketing is one of the clearest high-risk activities under Montana's expanded statute. The law treats targeted advertising and profiling as covered processing, and open tracking pixels, click redirect tracking, and cross-device email identifiers all fall inside those definitions when they feed profiling models or ad systems.

Three specific practices are most exposed:

  • Tracking pixels fired without consent for recipients who sent a universal opt-out signal. If a Montana resident has turned on Global Privacy Control on their browser and still opens a marketing email that pings your open tracking server, you are arguably processing their data for targeted advertising in violation of the statute.
  • Profile building across devices using email hashes. Email based identity graphs that link browser behavior to email opens require consent under the sensitive data and profiling provisions.
  • Failure to honor opt-out requests retroactively. France's CNIL already set a precedent on this, and Montana's framework is compatible with the same interpretation—once a user withdraws consent, the pixel in an email already sent must not fire on reopen.

Most email service providers default to firing tracking pixels on every open. Unless your ESP has been configured to respect per-recipient consent signals, your sent archive is a live enforcement target.
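The retroactive opt-out problem described above comes down to where the consent check lives. A pixel embedded in an already-sent email cannot be recalled, so the only place to honor a later withdrawal is the endpoint that serves the pixel. The following is an added example, not code from the article or from any ESP: it serves a signed tracking pixel whose open is recorded only if the recipient's consent is still granted at fire time. The consent table, signing key, recipient ids and message ids are all constructed for the example; a real ESP would feed this table from its preference center and from any recorded universal opt-out.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample data: the ESP's per-recipient consent table. The design
# point of this example is that the pixel handler reads this table when the
# pixel FIRES, not when the email was sent, so a withdrawal (or a recorded
# universal opt-out) that arrives after the send still suppresses tracking on
# a later reopen of an email that already contains the pixel.
CONSENT_STORE = {
    "r-1001": {"tracking_consent": True},
    "r-1002": {"tracking_consent": False},
}

# Hypothetical signing key for pixel tokens; a real deployment loads this from
# a secrets manager rather than a constant.
PIXEL_SIGNING_KEY = b"constructed-example-key"

# 1x1 transparent GIF, returned on every request so the response itself never
# reveals whether an open was recorded.
TRANSPARENT_GIF = base64.b64decode(
    "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"
)

# Stand-in for the analytics sink: a list of recorded opens.
OPEN_LOG = []


def _tag(recipient_id: str, message_id: str) -> str:
    payload = f"{recipient_id}:{message_id}".encode()
    return hmac.new(PIXEL_SIGNING_KEY, payload, hashlib.sha256).hexdigest()[:32]


def make_pixel_token(recipient_id: str, message_id: str) -> str:
    """Token embedded in the pixel URL at send time. The HMAC binds recipient
    and message together so a token cannot be edited to point at another
    recipient or produced by guessing ids."""
    raw = f"{recipient_id}:{message_id}:{_tag(recipient_id, message_id)}"
    return base64.urlsafe_b64encode(raw.encode()).decode()


def parse_pixel_token(token: str):
    """Return (recipient_id, message_id) for an authentic token, else None."""
    try:
        recipient_id, message_id, tag = (
            base64.urlsafe_b64decode(token.encode()).decode().split(":")
        )
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(tag, _tag(recipient_id, message_id)):
        return None
    return recipient_id, message_id


def withdraw_consent(recipient_id: str) -> None:
    """Record an opt-out. Nothing else needs to change: emails already sent
    keep their pixel, but the fire-time check below will now refuse them."""
    CONSENT_STORE.setdefault(recipient_id, {})["tracking_consent"] = False


def tracking_allowed(recipient_id: str) -> bool:
    """Fire-time check against the CURRENT consent record. Unknown recipients
    default to no tracking."""
    record = CONSENT_STORE.get(recipient_id)
    return bool(record and record.get("tracking_consent"))


def handle_pixel_request(token: str) -> tuple:
    """Serve the pixel. The image and status are identical on every path; the
    only thing consent changes is whether an open is written to OPEN_LOG."""
    headers = {"Content-Type": "image/gif", "Cache-Control": "no-store, private"}
    parsed = parse_pixel_token(token)
    if parsed is not None:
        recipient_id, message_id = parsed
        if tracking_allowed(recipient_id):
            OPEN_LOG.append({"recipient": recipient_id, "message": message_id,
                             "opened_at": int(time.time())})
    return 200, headers, TRANSPARENT_GIF


if __name__ == "__main__":
    token = make_pixel_token("r-1001", "campaign-42")   # email sent with consent
    handle_pixel_request(token)                         # first open: recorded
    withdraw_consent("r-1001")                          # recipient opts out
    handle_pixel_request(token)                         # reopen: not recorded
    print(f"{len(OPEN_LOG)} open(s) recorded")
```

Two design choices matter for an audit. First, the response is byte-identical whether or not the open was logged, so a recipient who opted out cannot be distinguished by timing the image or inspecting headers. Second, the token is authenticated, which keeps the endpoint from becoming an oracle that lets anyone log opens against arbitrary recipient ids.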

What Triggers Enforcement Now

Montana's Attorney General has exclusive enforcement authority—there is no private right of action, so consumers cannot sue directly. That concentrates the risk on whatever the AG office chooses to prioritize. Based on early signals from the office and patterns from other states, the likely targets are:

  • Opt-out signals ignored. Since January 1, 2025, Montana has required businesses to recognize universal opt-out preference signals like Global Privacy Control. A recent Consumer Reports study found 86% of sites ignore these signals—which makes this the easiest category for regulators to document.
  • Sensitive data without consent. Processing biometrics, precise geolocation, or children's data without prior affirmative consent is a violation. Companies using fingerprint login, in-app location tracking, or targeted advertising to minors are exposed.
  • Missing Data Protection Impact Assessments. Any "high risk" processing activity requires a documented DPIA. Most mid-sized companies do not maintain these for every new data use.
  • Privacy notice gaps. The statute requires specific disclosures about data categories, processing purposes, and sale/sharing practices. Generic boilerplate privacy policies usually miss at least one required element.

The SB 297 Amendments Already Raised the Bar

Montana has not stood still since the original MCDPA passed. SB 297, signed by Governor Gianforte on May 8, 2025, and effective October 1, 2025, expanded the statute significantly:

  • Biometric carve-out. Controllers may not disclose biometric data in response to a consumer access request. This seems counterintuitive—isn't access a consumer right?—but the legislature judged that returning a raw biometric template created more risk than transparency benefit.
  • Minors' protections. Services that know or willfully disregard that a user is under 18 must use "reasonable care to avoid a heightened risk of harm." Processing a minor's data for targeted advertising, sale, or automated profiling now requires explicit consent (or parental consent for under-13s).
  • Expanded applicability. The thresholds were tightened so more mid-sized businesses fall under the law.

The cumulative effect: as of April 1, 2026, Montana has one of the broadest state privacy regimes in the country, and for the first time it can enforce without a warning shot.

Who Is Actually Covered

Not every business with a website suddenly faces Montana exposure. The MCDPA applies to entities that:

  • Control or process personal data of at least 50,000 Montana consumers in a calendar year, OR
  • Control or process personal data of at least 25,000 Montana consumers AND derive more than 25% of gross revenue from personal data sales

Excluded: government entities, nonprofits, HIPAA-covered entities, financial institutions under Gramm-Leach-Bliley, and some federally regulated data categories.

The trap is that "consumer" is defined as Montana residents acting in a personal capacity—so the count includes anyone with a Montana billing address who buys from you online, not just people who live there full time. E-commerce platforms, SaaS tools with self-serve signup, and any consumer app with distributed users should assume they cross the 50,000 threshold unless they have evidence otherwise.

What Compliance Teams Should Do This Week

  • Run the threshold math. If you have not already confirmed whether you cross the 50,000 Montana consumer threshold, do it now. Count unique users with Montana addresses or IPs over the past 12 months.
  • Audit your Global Privacy Control handling. Test your site from a browser with GPC enabled. If opt-out signals are not honored for targeted advertising, tracking pixels, or sale of data, that is the exact category Montana is likely to target first.
  • Review your privacy notice against MCDPA requirements. The statute is specific about what categories, purposes, and rights must be disclosed. Generic "we care about your privacy" language does not cut it.
  • Inventory sensitive data processing. Any processing of biometrics, precise geolocation, children's data, racial/religious data, or inferences about any of the above must have documented consent or another lawful basis.
  • Document DPIAs for high-risk activities. If you do targeted advertising, behavioral profiling, or any processing that could reasonably harm a consumer, you need a DPIA on file before the AG asks for it.
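The GPC audit step above is easy to turn into a repeatable check. Global Privacy Control reaches a server as the request header Sec-GPC: 1, and the GPC draft specification also lets a site publish a support resource at /.well-known/gpc.json. The following is an added example, not code from the article or from any site: a consent decision that honors the header over stored banner preferences, a small audit that runs a decision function with and without the signal and reports any opt-out purpose left enabled, and a constructed "broken" decision function that reproduces the failure mode the article describes (a site that reads only its own cookie). The purpose names and the mapping of GPC to targeted advertising and sale are assumptions of the example.

```python
import json

# Assumption for this example: a GPC signal opts the user out of targeted
# advertising and data sale, the category the article says regulators are
# likeliest to test first. Essential processing is never gated on GPC.
GPC_OPT_OUT_PURPOSES = frozenset({"targeted_advertising", "sale"})
ALL_PURPOSES = ("essential", "analytics", "targeted_advertising", "sale")


def gpc_signal_present(request_headers: dict) -> bool:
    """True when the request carries Sec-GPC: 1. The only value the draft
    specification defines is "1"; an absent header or any other value is no
    signal. Header names are matched case-insensitively, as HTTP requires."""
    normalised = {k.lower(): v.strip() for k, v in request_headers.items()}
    return normalised.get("sec-gpc") == "1"


def effective_purposes(stored_prefs: dict, request_headers: dict) -> dict:
    """Combine a stored consent record (e.g. a banner choice) with the live
    request. A GPC signal forces the opt-out purposes to False regardless of
    what was stored, because a universal opt-out must be honoured even when
    the user earlier clicked "accept"."""
    result = {"essential": True}
    for purpose in ALL_PURPOSES[1:]:
        result[purpose] = bool(stored_prefs.get(purpose, False))
    if gpc_signal_present(request_headers):
        for purpose in GPC_OPT_OUT_PURPOSES:
            result[purpose] = False
    return result


def gpc_support_resource(last_update: str) -> str:
    """JSON body for /.well-known/gpc.json, the support resource the GPC draft
    specification lets a site publish to declare that it honours the signal."""
    return json.dumps({"gpc": True, "lastUpdate": last_update})


def audit_gpc_handling(decide) -> list:
    """Run constructed preference records through `decide` (any callable with
    the signature of effective_purposes, so it can be pointed at a site's real
    decision function) with and without the header. Returns a list of failure
    strings; an empty list means the signal is honoured."""
    failures = []
    prefs_variants = [
        {"analytics": True, "targeted_advertising": True, "sale": True},  # accepted all
        {},  # never answered the banner
    ]
    for prefs in prefs_variants:
        with_gpc = decide(prefs, {"Sec-GPC": "1"})
        for purpose in sorted(GPC_OPT_OUT_PURPOSES):
            if with_gpc.get(purpose, True):
                failures.append(f"{purpose} still enabled under GPC with prefs={prefs}")
        # A value other than "1" is not a signal, but it must not change the
        # decision either way; it should behave exactly like no header.
        if decide(prefs, {"Sec-GPC": "0"}) != decide(prefs, {}):
            failures.append(f"Sec-GPC: 0 changed the decision with prefs={prefs}")
    return failures


def broken_decision(stored_prefs: dict, request_headers: dict) -> dict:
    """Constructed example of the failure mode: a site that reads its own
    banner cookie and never looks at the request header."""
    result = {"essential": True}
    for purpose in ALL_PURPOSES[1:]:
        result[purpose] = bool(stored_prefs.get(purpose, False))
    return result


if __name__ == "__main__":
    print("compliant decision:", audit_gpc_handling(effective_purposes))
    print("broken decision:", audit_gpc_handling(broken_decision))
    print(gpc_support_resource("2026-04-01"))
```

To use the audit against a real deployment, replace the decision callable with a thin wrapper that issues the two HTTP requests and maps the response (which tracking scripts or cookies it returns) onto the same purpose dictionary; the comparison logic stays the same.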

The Bigger Picture: The "No Cure" Era Is Starting

Montana is not alone. Oregon's cure period sunsets in 2026. Texas DPDPA's cure period is already limited at the AG's discretion. Iowa, Connecticut, and several others have sunset clauses built into their statutes. Meanwhile, Alabama's newly signed privacy law keeps its cure period permanent, a choice Consumer Reports called a loophole. The era of state privacy laws functioning as "warn first, sue later" regulators is ending, one statutory sunset at a time.

For privacy officers, the implication is specific: compliance can no longer be budgeted as a response function. If your program is built around "we'll fix it when we get the notice," that model expires with the cure period. Pre-enforcement audits, signal testing, and DPIA documentation move from nice-to-have to the first line of defense.

For consumers in Montana, the change is simpler: the state AG can now act on your complaint without waiting for the company to decide whether to bother fixing the problem. That is a meaningful shift, even if it takes months of enforcement actions before its effect shows up in statistics.
