2023 Montana Legislature


(Primary Sponsor)_____________ bill NO. _____________

INTRODUCED BY _________________________________________________

By Request of the ****

 

A BILL FOR AN ACT ENTITLED: "AN ACT revising laws related to biometric privacy; creating the genetic information privacy act; requiring a company to provide consumer information regarding the collection, use, and disclosure of genetic data; providing for limitations and exclusions; providing for enforcement authority; and PROVIDING DEFINITIONS."

 

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MONTANA:

 

NEW SECTION. Section 1. Short title. [Sections 1 through 6] may be cited as the "Genetic Information Privacy Act".

 

NEW SECTION. Section 2. Definitions. As used in [sections 1 through 6], unless the context clearly indicates otherwise, the following definitions apply:

(1)        "Biological sample" means any human material known to contain DNA, including tissue, blood, urine, or saliva.

(2)        (a) "Company" means an entity that:

(i)         offers consumer genetic testing products or services directly to a consumer; or

(ii)        collects, uses, or analyzes genetic data that resulted from a direct-to-consumer genetic testing product or service and was provided to the company by a consumer.

(b)        The term does not include an entity when it is engaged only in collecting, using, or analyzing genetic data or biological samples in the context of research as defined in 45 CFR 164.501 conducted in accordance with the federal policy for the protection of human research subjects under 45 CFR, part 46, the good clinical practice guideline issued by the international council for harmonisation of technical requirements for pharmaceuticals for human use, or the United States food and drug administration policy for the protection of human subjects under 21 CFR, parts 50 and 56.

(3)        "Consumer" means an individual who is a resident of this state.

(4)        "Deidentified data" means data that:

(a)        cannot be reasonably linked to an identifiable individual; and

(b)        is possessed by a company that:

(i)         takes administrative and technical measures to ensure that the data cannot be associated with a particular consumer;

(ii)        makes a public commitment to maintain and use data in deidentified form and to not attempt to reidentify data; and

(iii)       enters a legally enforceable contractual obligation that prohibits a recipient of the data from attempting to reidentify the data.

(5)        "DNA" means deoxyribonucleic acid.

(6)        "Express consent" means a consumer's affirmative response to a clear, meaningful, and prominent notice regarding the collection, use, or disclosure of genetic data for a specific purpose.

(7)        (a) "Genetic data" means any data, regardless of format, concerning a consumer's genetic characteristics.

(b)        The term includes but is not limited to:

(i)         raw sequence data that result from sequencing all or a portion of a consumer's extracted DNA;

(ii)        genotypic and phenotypic information obtained from analyzing a consumer's raw sequence data; and

(iii)       self-reported health information regarding a consumer's health conditions that the consumer provides to a company that the company:

(A)       uses for scientific research or product development; and

(B)       analyzes in connection with the consumer's raw sequence data.

(c)        The term does not include deidentified data.

(8)        "Genetic testing" means:

(a)        a laboratory test of a consumer's complete DNA, regions of DNA, chromosomes, genes, or gene products to determine the presence of genetic characteristics of a consumer; or

(b)        an interpretation of a consumer's genetic data.

(9)        "Person" means an individual, partnership, corporation, association, business, business trust, or legal representative of an organization.

 

NEW SECTION. Section 3. Limitations. [Sections 1 through 6] do not apply to protected health information that is collected by a covered entity or business associate as those terms are defined in 45 CFR, parts 160 and 164.

 

NEW SECTION. Section 4. Consumer genetic data -- privacy notice -- consent -- access -- deletion -- destruction. To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, a company shall:

(1)        provide clear and complete information regarding the company's policies and procedures for the collection, use, or disclosure of genetic data by making available to a consumer:

(a)        a high-level privacy policy overview that includes basic, essential information about the company's collection, use, or disclosure of genetic data; and

(b)        a prominent, publicly available privacy notice that includes, at a minimum, information about the company's data collection, consent, use, access, disclosure, transfer, security, and retention and deletion practices;

(2)        obtain a consumer's initial express consent for the collection, use, or disclosure of the consumer's genetic data that:

(a)        clearly describes the company's use of the genetic data that the company collects through the company's genetic testing product or service;

(b)        specifies who has access to test results; and

(c)        specifies how the company may share the genetic data;

(3)        if the company engages in any of the following, obtain a consumer's:

(a)        separate express consent for:

(i)         the transfer or disclosure of the consumer's genetic data to any person other than the company's vendors and service providers;

(ii)        the use of genetic data beyond the primary purpose of the company's genetic testing product or service and inherent contextual uses; or

(iii)       the company's retention of any biological sample provided by the consumer following the company's completion of the initial testing service requested by the consumer;

(b)        informed consent in accordance with the federal policy for the protection of human research subjects under 45 CFR, part 46, for transfer or disclosure of the consumer's genetic data to third party persons for:

(i)         research purposes; or

(ii)        research conducted under the control of the company for the purpose of publication or generalizable knowledge; and

(c)        express consent for:

(i)         marketing to a consumer based on the consumer's genetic data; or

(ii)        marketing by a third-party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service. Marketing does not include the provision of customized content or offers on the websites or through the applications or services provided by the company with the first-party relationship to the customer.

(4)        comply with the provisions of 44-6-104 requiring a valid legal process for disclosing genetic data to law enforcement or any other government agency without a consumer's express written consent;

(5)        develop, implement, and maintain a comprehensive security program to protect a consumer's genetic data against unauthorized access, use, or disclosure; and

(6)        provide a process for a consumer to:

(a)        access the consumer's genetic data;

(b)        delete the consumer's genetic data; and

(c)        request and obtain the destruction of the consumer's biological sample.

 

NEW SECTION. Section 5. Disclosure -- when prohibited -- when written consent required. (1) The disclosure of genetic data pursuant to [sections 1 through 6] must comply with all state and federal laws for the protection of privacy and security.

(2)        [Sections 1 through 6] may not apply to protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the:

(a)        United States department of health and human services, 45 CFR, parts 160 and 164, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996; and

(b)        federal Health Information Technology for Economic and Clinical Health Act of 2009.

(3)        Notwithstanding any other provisions in [section 4], a company may not disclose a consumer's genetic data to any entity offering health insurance, life insurance, or long-term care insurance, or to any employer of the consumer without the consumer's written consent.

 

NEW SECTION. Section 6. Enforcement. (1) The attorney general may enforce [sections 1 through 6].

(2)        The attorney general may initiate a civil enforcement action against a person for violation of [sections 1 through 6].

(3)        In an action to enforce [sections 1 through 6], the attorney general may recover:

(a)        actual damages to the consumer;

(b)        costs;

(c)        reasonable attorney fees; and

(d)        $2,500 for each violation of [section 4].

 

NEW SECTION. Section 7. Codification instruction. [Sections 1 through 6] are intended to be codified as an integral part of Title 30, and the provisions of Title 30 apply to [sections 1 through 6].

 


Latest Version of LC 1085 (LC1085)
Processed for the Web on January 29, 2023 (1:54PM)

New language in a bill appears underlined, deleted material appears stricken.

Sponsor names are handwritten on introduced bills, hence do not appear on the bill until it is reprinted.

See the status of this bill for the bill's primary sponsor.


Prepared by Montana Legislative Services
(406) 444-3064