Montana Enacts Genetic Privacy Law | Practical Law

Montana Enacts Genetic Privacy Law | Practical Law

Montana has enacted the Genetic Information Privacy Act, which requires entities to obtain consent to collect, process, and disclose genetic data, implement security measures, and support consumer access, deletion, and biological sample destruction requests.

Montana Enacts Genetic Privacy Law

Practical Law Legal Update w-039-7549 (Approx. 4 pages)

Montana Enacts Genetic Privacy Law

by Practical Law Data Privacy & Cybersecurity
Published on 09 Jun 2023Montana
Montana has enacted the Genetic Information Privacy Act, which requires entities to obtain consent to collect, process, and disclose genetic data, implement security measures, and support consumer access, deletion, and biological sample destruction requests.
On June 7, 2023, Montana Governor Greg Gianforte signed SB 351, the Genetic Information Privacy Act. The law protects data concerning a consumer's genetic characteristics, including:
  • Raw sequence data from sequencing all or part of a consumer's extracted DNA.
  • Genotypic and phenotypic information from analyzing a consumer's raw sequence data.
  • Self-reported health conditions information:
    • used for scientific research or product development; and
    • analyzed in connection with the consumer's raw sequence data.
SB 351 applies to partnerships, corporations, associations, or any public or private organization that either:
  • Offers consumer genetic testing products or services directly to Montana residents.
  • Collects, uses, or analyzes genetic data.
The law excludes:
  • Protected health information collected by a covered entity or business associate as defined under the HIPAA regulations.
  • Entities when they are engaged in collecting, using, or analyzing genetic data or biological samples in the context of research, as defined under the HIPAA Privacy Rule.
  • Use by governmental agencies.
Beginning June 1, 2025, governmental agencies must only collect, use, store, or disseminate genetic data pursuant to state law or through a valid search warrant.
Under SB 351, regulated entities must:
  • Make publicly available:
    • a privacy policy overview that includes basic, essential information about their collection, use, or disclosure of genetic data; and
    • a prominent privacy notice that includes information about their collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices.
  • Obtain initial express consent from consumers, or their parent, guardian, or representative, before collecting, using or disclosing their genetic data, after clearly describing:
    • how the entity uses the data it collects through its genetic testing product or service;
    • who has access to the test results; and
    • how the entity may share the data.
  • Obtain separate express consent for:
    • transferring or disclosing consumers' genetic data to third parties, except to their processors;
    • using genetic data beyond their genetic testing products' or services' primary purpose; or
    • retaining a consumer's biological sample following the completion of the initial consumer-requested testing service.
  • Obtain informed express consent to transfer or disclose consumers' genetic data to third parties for:
    • research purposes; or
    • research conducted under the entity's control for publication or general knowledge.
  • Obtain express consent for:
    • selling consumers' genetic data;
    • marketing to a consumer based on their genetic data;
    • marketing by a third party to a consumer based on the consumer's ordering or purchasing of a genetic testing product or service, which does not include providing customized content or offers to consumers with whom they have a first-party relationship; or
    • disclosing consumers' genetic data to entities that offer health insurance, life insurance, or long-term care insurance, a consumer's employer, law enforcement entities, and governmental agencies.
  • Create a process for consumers to:
    • access their data;
    • delete their genetic data;
    • revoke any consent they provided; and
    • destroy their biological sample.
  • Develop, implement, and maintain a comprehensive security program to protect consumers' genetic data against unauthorized access, use, or disclosure.
  • Comply with certain rules requiring a valid legal process for disclosing genetic data to law enforcement or any other governmental agency without express consumer consent.
  • Not transfer or store genetic data collected in Montana outside of the US without consumer consent. Regulated entities are also prohibited from storing genetic data in any country currently sanctioned by the US Office of Foreign Assets Control or designated as a foreign adversary pursuant to 15 CFR § 7.4(a).
The Attorney General may investigate potential violations and seek recovery of actual consumer damages and civil penalties up to $2,500 for each violation, plus fees and costs. The law takes effect October 1, 2023 and does not include a private right of action.