TL;DR
Montana doesn't have a sweeping state AI law as of 2026, but several federal and sector rules apply to AI the same way they apply to any cloud system. This guide walks through the ones that actually matter for Montana businesses.
Nothing here is legal advice. For specific situations, talk to a Montana-licensed attorney — we work with a few we can refer you to.
Not a general one. As of 2026, Montana has not passed a comprehensive AI regulation comparable to Colorado's AI Act or the EU AI Act. There have been narrower bills (deepfake disclosure, government use of AI) and an executive emphasis on responsible adoption, but no broad obligation specific to private-sector AI.
That means the rules that apply to your AI use are mostly the rules that already apply to your data — federal (HIPAA, GLBA, FERPA, FTC Act), sector-specific (SEC, FINRA, state bar), and the Montana Consumer Data Privacy Act for businesses that meet its thresholds.
Effective October 2024, the MCDPA applies to businesses that (a) process personal data of 50,000+ Montana consumers, or (b) process personal data of 25,000+ consumers AND derive 25%+ of gross revenue from selling personal data.
If you're covered, you owe consumers notice, opt-out rights for targeted advertising / sale / certain profiling, and data subject access/correction/deletion rights. AI tools that read or transform customer records count — you need to inventory which ones and update your privacy policy.
Most small Montana businesses don't hit the thresholds. Mid-market firms, MSPs, and any business with a meaningful Montana e-commerce footprint should assume they do.
HIPAA applies to covered entities (clinics, hospitals, payers) AND to business associates that handle Protected Health Information on their behalf. If any AI tool touches PHI — patient names, dates, diagnoses, notes — that tool's provider needs to sign a Business Associate Agreement (BAA) with you.
OpenAI, Microsoft (Copilot for Microsoft 365 / Azure OpenAI), Anthropic, and Google all offer BAAs on their enterprise/business tiers. Consumer tiers (free ChatGPT, free Claude, free Gemini) do NOT qualify. Using them for PHI is a HIPAA violation, full stop.
Practical rule for Montana clinics: enterprise-tier seats only, BAA on file, audit trail enabled, and a written policy that pasting PHI into anything else is a terminable offense.
The Gramm-Leach-Bliley Act applies to financial institutions, which is a broader category than most realize — CPAs, RIAs, mortgage brokers, insurance agents, and tax preparers can all qualify. The FTC Safeguards Rule (updated 2023) sets specific security requirements.
For AI, this means: encryption in transit and at rest, access controls, vendor due diligence, an incident response plan, and a written information security program. Most enterprise AI tiers meet the technical bar — you still have to do the documentation that shows it.
Montana has seven federally recognized tribes — Blackfeet, Confederated Salish & Kootenai, Crow, Fort Belknap, Fort Peck, Northern Cheyenne, and Little Shell. Data about or generated by tribal members or tribal enterprises sits in a different legal frame from non-tribal data.
If your business serves tribal enterprises, runs programs on a reservation, or processes data tied to enrollment, healthcare, or cultural information, talk to tribal counsel about where AI fits. Sovereignty-conscious AI deployment is a real engineering choice, not a marketing line — it affects which providers you can use, where data is stored, and who has access.
FERPA applies to educational institutions and their vendors. AI tools that process student records — grades, attendance, IEPs, discipline notes — need standard FERPA-compliant data handling: directory-information rules, parental consent where required, and contractual flow-downs.
Watch for: federal action on AI training data and copyright; possible Montana legislation on deepfakes and government AI; FTC enforcement under the existing Section 5 unfair/deceptive practices authority; and continued expansion of state privacy laws that capture AI-driven profiling.
Practical posture: pick an enterprise-tier stack that already meets the strictest rule you're subject to, document the data path, train the team annually, and revisit the policy every 6 months.
Yes — but only the enterprise tier with a Business Associate Agreement on file, configured for HIPAA, with audit logging on. Free ChatGPT cannot legally process PHI. We set up Copilot for Microsoft 365 and ChatGPT Enterprise this way for several Montana clinics.
Probably not if you're under the 25,000-consumer threshold and don't sell personal data. Most main-street Montana businesses are below the line. Mid-market firms, anyone running a real e-commerce operation, and any data broker should assume they're covered and get a privacy review.
Letting staff paste customer or patient information into free consumer AI tools. It happens within 90 days at almost every business that doesn't write a one-page AI policy on day one. The fix is cheap: enterprise seats, a written policy, and one training session.
Last updated April 12, 2026 · Written by Aaron Whitfield, Montana AI Consulting.