68th Legislature 2023 SB 351.1
1 SENATE BILL NO. 351
2 INTRODUCED BY D. ZOLNIKOV
3
4 A BILL FOR AN ACT ENTITLED: “AN ACT REVISING LAWS RELATED TO BIOMETRIC PRIVACY;
5 CREATING THE GENETIC INFORMATION PRIVACY ACT; REQUIRING A COMPANY TO PROVIDE
6 CONSUMER INFORMATION REGARDING THE COLLECTION, USE, AND DISCLOSURE OF GENETIC
7 DATA; PROVIDING FOR LIMITATIONS AND EXCLUSIONS; PROVIDING FOR ENFORCEMENT
8 AUTHORITY; AND PROVIDING DEFINITIONS.”
9
10 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MONTANA:
11
12 NEW SECTION. Section 1. Short title. [Sections 1 through 6] may be cited as the "Genetic
13 Information Privacy Act".
14
15 NEW SECTION. Section 2. Definitions. As used in [sections 1 through 6], unless the context clearly
16 indicates otherwise, the following definitions apply:
17 (1) "Biological sample" means any human material known to contain DNA, including tissue, blood,
18 urine, or saliva.
19 (2) (a) "Company" means an entity that:
20 (i) offers consumer genetic testing products or services directly to a consumer; or
21 (ii) collects, uses, or analyzes genetic data that resulted from a direct-to-consumer genetic testing
22 product or service and was provided to the company by a consumer.
23 (b) The term does not include an entity when it is engaged only in collecting, using, or analyzing
24 genetic data or biological samples in the context of research as defined in 45 CFR 164.501 conducted in
25 accordance with the federal policy for the protection of human research subjects under 45 CFR, part 46, the
26 good clinical practice guideline issued by the international council for harmonisation of technical requirements
27 for pharmaceuticals for human use, or the United States food and drug administration policy for the protection
28 of human subjects under 21 CFR, parts 50 and 56.
-1- Authorized Print Version – SB 351
1 (3) "Consumer" means an individual who is a resident of this state.
2 (4) "Deidentified data" means data that:
3 (a) cannot be reasonably linked to an identifiable individual; and
4 (b) is possessed by a company that:
5 (i) takes administrative and technical measures to ensure that the data cannot be associated with
6 a particular consumer;
7 (ii) makes a public commitment to maintain and use data in deidentified form and to not attempt to
8 reidentify data; and
9 (iii) enters a legally enforceable contractual obligation that prohibits a recipient of the data from
10 attempting to reidentify the data.
11 (5) "DNA" means deoxyribonucleic acid.
12 (6) "Express consent" means a consumer's affirmative response to a clear, meaningful, and
13 prominent notice regarding the collection, use, or disclosure of genetic data for a specific purpose.
14 (7) (a) "Genetic data" means any data, regardless of format, concerning a consumer's genetic
15 characteristics.
16 (b) The term includes but is not limited to:
17 (i) raw sequence data that result from sequencing all or a portion of a consumer's extracted DNA;
18 (ii) genotypic and phenotypic information obtained from analyzing a consumer's raw sequence
19 data; and
20 (iii) self-reported health information regarding a consumer's health conditions that the consumer
21 provides to a company that the company:
22 (A) uses for scientific research or product development; and
23 (B) analyzes in connection with the consumer's raw sequence data.
24 (c) The term does not include deidentified data.
25 (8) "Genetic testing" means:
26 (a) a laboratory test of a consumer's complete DNA, regions of DNA, chromosomes, genes, or
27 gene products to determine the presence of genetic characteristics of a consumer; or
28 (b) an interpretation of a consumer's genetic data.
1 (9) "Person" means an individual, partnership, corporation, association, business, business trust,
2 or legal representative of an organization.
3
4 NEW SECTION. Section 3. Limitations. [Sections 1 through 6] do not apply to protected health
5 information that is collected by a covered entity or business associate as those terms are defined in 45 CFR,
6 parts 160 and 164.
7
8 NEW SECTION. Section 4. Consumer genetic data -- privacy notice -- consent -- access --
9 deletion -- destruction. To safeguard the privacy, confidentiality, security, and integrity of a consumer's
10 genetic data, a company shall:
11 (1) provide clear and complete information regarding the company's policies and procedures for
12 the collection, use, or disclosure of genetic data by making available to a consumer:
13 (a) a high-level privacy policy overview that includes basic, essential information about the
14 company's collection, use, or disclosure of genetic data; and
15 (b) a prominent, publicly available privacy notice that includes, at a minimum, information about the
16 company's data collection, consent, use, access, disclosure, transfer, security, and retention and deletion
17 practices;
18 (2) obtain a consumer's initial express consent for the collection, use, or disclosure of the
19 consumer's genetic data that:
20 (a) clearly describes the company's use of the genetic data that the company collects through the
21 company's genetic testing product or service;
22 (b) specifies who has access to test results; and
23 (c) specifies how the company may share the genetic data;
24 (3) if the company engages in any of the following, obtain a consumer's:
25 (a) separate express consent for:
26 (i) the transfer or disclosure of the consumer's genetic data to any person other than the
27 company's vendors and service providers;
28 (ii) the use of genetic data beyond the primary purpose of the company's genetic testing product or
1 service and inherent contextual uses; or
2 (iii) the company's retention of any biological sample provided by the consumer following the
3 company's completion of the initial testing service requested by the consumer;
4 (b) informed consent in accordance with the federal policy for the protection of human research
5 subjects under 45 CFR, part 46, for transfer or disclosure of the consumer's genetic data to third party persons
6 for:
7 (i) research purposes; or
8 (ii) research conducted under the control of the company for the purpose of publication or
9 generalizable knowledge; and
10 (c) express consent for:
11 (i) marketing to a consumer based on the consumer's genetic data; or
12 (ii) marketing by a third-party person to a consumer based on the consumer having ordered or
13 purchased a genetic testing product or service. Marketing does not include the provision of customized content
14 or offers on the websites or through the applications or services provided by the company with the first-party
15 relationship to the customer.
16 (4) comply with the provisions of 44-6-104 requiring a valid legal process for disclosing genetic
17 data to law enforcement or any other government agency without a consumer's express written consent;
18 (5) develop, implement, and maintain a comprehensive security program to protect a consumer's
19 genetic data against unauthorized access, use, or disclosure; and
20 (6) provide a process for a consumer to:
21 (a) access the consumer's genetic data;
22 (b) delete the consumer's genetic data; and
23 (c) request and obtain the destruction of the consumer's biological sample.
24
25 NEW SECTION. Section 5. Disclosure -- when prohibited -- when written consent required. (1)
26 The disclosure of genetic data pursuant to [sections 1 through 6] must comply with all state and federal laws for
27 the protection of privacy and security.
28 (2) [Sections 1 through 6] may not apply to protected health information that is collected by a
1 covered entity or business associate governed by the privacy, security, and breach notification rules issued by
2 the:
3 (a) United States department of health and human services, 45 CFR, parts 160 and 164,
4 established pursuant to the federal Health Insurance Portability and Accountability Act of 1996; and
5 (b) federal Health Information Technology for Economic and Clinical Health Act of 2009.
6 (3) Notwithstanding any other provisions in [section 4], a company may not disclose a consumer's
7 genetic data to any entity offering health insurance, life insurance, or long-term care insurance, or to any
8 employer of the consumer without the consumer's written consent.
9
10 NEW SECTION. Section 6. Enforcement. (1) The attorney general may enforce [sections 1 through
11 6].
12 (2) The attorney general may initiate a civil enforcement action against a person for violation of
13 [sections 1 through 6].
14 (3) In an action to enforce [sections 1 through 6], the attorney general may recover:
15 (a) actual damages to the consumer;
16 (b) costs;
17 (c) reasonable attorney fees; and
18 (d) $2,500 for each violation of [section 4].
19
20 NEW SECTION. Section 7. Codification instruction. [Sections 1 through 6] are intended to be
21 codified as an integral part of Title 30, and the provisions of Title 30 apply to [sections 1 through 6].
22 - END -