Montana Pupil Online Personal Information Protection Guide
Primary Law
Montana Pupil Online Personal Information Protection Act (limits targeted advertising, profiling, sale, and unauthorized disclosure by operators of K-12 online applications)
Citation
MCA 20-7-1323 through 20-7-1326 (notably 20-7-1325)
Official Text
https://archive.legmt.gov/bills/mca/title_0200/chapter_0070/part_0130/section_0250/0200-0070-0130-0250.html
Overview
Montana protects students who use K-12 online applications through the Montana Pupil Online Personal Information Protection Act. The law restricts operators from using student data for targeted advertising, building profiles outside of K-12 school purposes, selling student information, and disclosing protected information except in specific, limited situations. It also requires reasonable security practices and supports deletion of student data when requested by a school or district.
For districts, the practical focus is vendor behavior: confirm that a product's terms and technical design keep student information within the school-purpose context, with strong controls around sharing, security, and deletion.
Applicability and Scope
Montana's requirements apply to operators of K-12 online applications that are designed and marketed for K-12 school purposes and used primarily for those purposes.
District teams should treat the law as in-scope for:
- Online instructional apps, learning platforms, tutoring tools, and assessment products used in K-12 settings
- Services that receive student rosters, identifiers, communications, or student work
- Vendors that integrate with district identity systems or store student content in the cloud
Prohibited Uses (Ads, Profiling, Sale)
Montana prohibits key secondary uses of student information. Operators may not:
- Engage in targeted advertising within the K-12 online application, or elsewhere when targeting is based on information obtained through school use
- Build a student profile except in furtherance of K-12 school purposes
- Sell a pupil's information (subject to limited acquisition-related exceptions)
Disclosure Limits and Service Provider Controls
Montana limits disclosure of protected information. When disclosure is allowed for school purposes or to service providers, the law expects contractual controls that restrict downstream use and require reasonable security practices.
Security and Deletion Expectations
Operators must implement reasonable security procedures appropriate to the nature of protected information and safeguard it from unauthorized access, destruction, use, modification, or disclosure. Operators must also delete a pupil's protected information if the school or district requests deletion of data under the control of the school or district.
How Can EdPrivacy Help Montana Schools?
Montana districts benefit from being able to document that tools are aligned with the operator restrictions in state law: no targeted advertising, school-purpose-only profiling, controlled disclosure, and security and deletion readiness. EdPrivacy helps districts centralize these reviews so approvals are consistent across many products.
The platform helps districts:
- Identify which edtech tools collect or store protected pupil information
- Organize vendor terms, privacy disclosures, and security documentation for quick comparison and renewal review
- Record approval conditions tied to Montana requirements (no targeted ads, limited sharing, deletion workflow)
- Flag vendor policy or feature changes so districts can re-check alignment over time
Summary
Montana districts should be prepared to:
- Confirm vendors do not use pupil information for targeted advertising, sale, or non-school profiling
- Use contracts and configuration to enforce purpose limitation and controlled disclosure
- Verify reasonable security safeguards and district-requested deletion capability
- Maintain repeatable documentation that supports ongoing vendor oversight
MCA 20-7-1325 supports a practical, vendor-focused compliance model built around prohibitions on advertising and secondary use plus enforceable security and deletion expectations.
