A BILL FOR AN ACT ENTITLED: "AN ACT REVISING LAWS RELATED TO BIOMETRIC PRIVACY; CREATING THE GENETIC INFORMATION PRIVACY ACT; REQUIRING AN ENTITY TO PROVIDE CONSUMER INFORMATION REGARDING THE COLLECTION, USE, AND DISCLOSURE OF GENETIC DATA; PROVIDING FOR LIMITATIONS AND EXCLUSIONS; PROVIDING FOR ENFORCEMENT AUTHORITY; AND PROVIDING DEFINITIONS."




Section 1. Short title. [Sections 1 through 6] may be cited as the "Genetic Information Privacy Act".


Section 2. Definitions. As used in [sections 1 through 6], unless the context clearly indicates otherwise, the following definitions apply:

(1)        "Biological sample" means any human material known to contain DNA, including tissue, blood, urine, or saliva.

(2)        "Consumer" means an individual who is a resident of this state.

(3)        "DNA" means deoxyribonucleic acid.

(4)        "Entity" means a partnership, corporation, association, or public or private organization of any character that:

(a)        offers consumer genetic testing products or services directly to a consumer; or

(b)        collects, uses, or analyzes genetic data.

(5)        "Express consent" means a consumer's affirmative response to a clear, meaningful, and prominent notice regarding the collection, use, or disclosure of genetic data for a specific purpose.

(6)        (a) "Genetic data" means any data, regardless of format, concerning a consumer's genetic characteristics.

(b)        The term includes but is not limited to:

(i)         raw sequence data that result from sequencing all or a portion of a consumer's extracted DNA;

(ii)        genotypic and phenotypic information obtained from analyzing a consumer's raw sequence data; and

(iii)       self-reported health information regarding a consumer's health conditions that the consumer provides to an entity that the entity:

(A)       uses for scientific research or product development; and

(B)       analyzes in connection with the consumer's raw sequence data.

(7)        "Genetic testing" means:

(a)        a laboratory test of a consumer's complete DNA, regions of DNA, chromosomes, genes, or gene products to determine the presence of genetic characteristics of a consumer; or

(b)        an interpretation of a consumer's genetic data.

(8)        "Governmental agency" means an executive, legislative, or judicial agency, department, board, commission, authority, institution, or instrumentality of the federal government or of a state or of a county, municipality, or other political subdivision of a state.

(9)        "Person" means an individual, partnership, corporation, association, business, business trust, or legal representative of an organization.

(10)      "Processor" means a person that processes genetic data on behalf of an entity pursuant to a contract between the entity and the processor that prohibits the processor from retaining, using, or disclosing the genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, for any purpose other than for the specific purpose of performing the services specified in the contract.

(11)      "Third party" means a person other than the consumer, entity, or processor.


Section 3. Exceptions. (1) [Sections 1 through 6] do not apply to:

(a)        protected health information that is collected by a covered entity or business associate as those terms are defined in 45 CFR, parts 160 and 164, if separate informed consent related to the collection, use, and dissemination of genetic data is obtained from the consumer, parent, guardian, or power of attorney, and the covered entity or business associate follows the policies under [sections 4(6)(a) through (6)(d)];

(b)        an entity when it is engaged only in collecting, using, or analyzing genetic data or biological samples in the context of research as defined in 45 CFR 164.501 conducted with the express consent of an individual and in accordance with:

(i)         the federal policy for the protection of human research subjects under 45 CFR, part 46, the good clinical practice guideline issued by the international council for harmonisation of technical requirements for pharmaceuticals for human use; or

(ii)        the United States food and drug administration policy for the protection of human subjects under 21 CFR, parts 50 and 56; or

(c)        uses by a governmental agency.

(2)        Beginning June 1, 2025, any collection, storage, use, or dissemination of genetic data by a governmental agency must be performed in accordance with a specific state law or executed through a search warrant.


Section 4. Consumer genetic data -- privacy notice -- consent -- access -- deletion -- destruction. To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, an entity shall:

(1)        provide clear and complete information regarding the entity's policies and procedures for the collection, use, or disclosure of genetic data by making available to a consumer:

(a)        a high-level privacy policy overview that includes basic, essential information about the entity's collection, use, or disclosure of genetic data; and

(b)        a prominent, publicly available privacy notice that includes, at a minimum, information about the entity's data collection, consent, use, access, disclosure, transfer, security, and retention and deletion practices for genetic data;

(2)        obtain initial express consent from a consumer, parent, guardian, or power of attorney for the collection, use, or disclosure of the consumer's genetic data that:

(a)        clearly describes the entity's use of the genetic data that the entity collects through the entity's genetic testing product or service;

(b)        specifies the categories of individuals within the entity that have access to test results; and

(c)        specifies how the entity may share the genetic data;

(3)        if the entity engages in any of the following, obtain a consumer's:

(a)        separate express consent for:

(i)         the transfer or disclosure of the consumer's genetic data or biological sample to any third party other than the entity's processors, including the name of the third party to which the consumer's genetic data or biological sample will be transferred or disclosed with the consumer's express consent;

(ii)        the use of genetic data beyond the primary purpose of the entity's genetic testing product or service and inherent contextual uses; or

(iii)       the entity's retention of any biological sample provided by the consumer following the entity's completion of the initial testing service requested by the consumer;

(b)        informed express consent for transfer or disclosure of the consumer's genetic data to third party persons for:

(i)         research purposes; or

(ii)        research conducted under the control of the entity for the purpose of publication or generalizable knowledge; and

(c)        express consent for:

(i)         marketing to a consumer based on the consumer's genetic data;

(ii)        marketing by a third-party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service. Marketing does not include the provision of customized content or offers on the websites or through the applications or services provided by the entity with the first-party relationship to the consumer; or

(iii)       sale or other valuable consideration of the consumer's genetic data.

(4)        comply with the provisions of 44-6-104 requiring a valid legal process for disclosing genetic data to law enforcement or any other government agency without a consumer's express consent;

(5)        develop, implement, and maintain a comprehensive security program to protect a consumer's genetic data against unauthorized access, use, or disclosure; and

(6)        provide a process for a consumer to:

(a)        access the consumer's genetic data;

(b)        delete the consumer's genetic data;

(c)        revoke any consent provided by the consumer; and

(d)        request and obtain the destruction of the consumer's biological sample.

(7)        Genetic data and biometric samples of Montana residents collected in the state may not be stored within the territorial boundaries of any country currently sanctioned in any way by the United States office of foreign asset control or designated as a foreign adversary under 15 CFR 7.4(a). Genetic data or biometric data of Montana residents collected in the state may only be transferred or stored outside the United States with the consent of the resident.


Section 5. Disclosure -- when prohibited -- when express consent required. (1) The disclosure of genetic data pursuant to [sections 1 through 6] must comply with all state and federal laws for the protection of privacy and security.

(2)        Notwithstanding any other provisions in [section 4], an entity may not disclose a consumer's genetic data to any entity offering health insurance, life insurance, or long-term care insurance, or to any employer of the consumer without the consumer's express consent.


Section 6. Enforcement. (1) The attorney general has the sole authority to enforce [sections 1 through 6].

(2)        The attorney general may initiate a civil enforcement action against a person for violation of [sections 1 through 6].

(3)        In an action to enforce [sections 1 through 6], the attorney general may recover:

(a)        actual damages to the consumer;

(b)        costs;

(c)        reasonable attorney fees; and

(d)        $2,500 for each violation of [section 4].


Section 7. Codification instruction. [Sections 1 through 6] are intended to be codified as an integral part of Title 30, and the provisions of Title 30 apply to [sections 1 through 6].

