On October 1, 2023, the Act revising Laws related to Biometric Privacy; creating the Genetic Information Privacy Act entered into effect, following its signing, on June 7, 2023, by the Governor of Montana.

Definitions

In particular, the Act defines genetic data as any data, regardless of format, concerning a consumer's genetic characteristics, including but not limited to:

• raw sequence data that result from sequencing all or a portion of a consumer's extracted DNA;
• genotypic and phenotypic information obtained from analyzing a consumer's raw sequence data; and
• self-reported health information regarding a consumer's health conditions that the consumer provides to an entity which:
  • uses it for scientific research or product development; and
  • analyzes it in connection with the consumer's raw sequence data.

Likewise, the Act defines genetic testing as:

• a laboratory test of a consumer's complete DNA, regions of DNA, chromosomes, genes, or gene products to determine the presence of genetic characteristics of a consumer; or
• an interpretation of a consumer's genetic data.

Scope

The Act clarifies that it does not apply to, among other things:

• protected health information collected by a covered entity or business associate;
• an entity engaged only in collecting, using, or analyzing genetic data or biological samples in the context of research conducted with the express consent of an individual and in accordance with:
  • the federal policy for the protection of human research subjects; or
  • the US Food and Drug Administration policy for the protection of human subjects; or
• uses by a governmental agency.

Obligations

In particular, the Act requires an entity to:

• provide a clear publicly available privacy notice to consumers that details the entity's policies and procedures for the collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices for genetic data;
• obtain initial express consent from a consumer, parent, guardian, or power of attorney for the collection, use, or disclosure of a consumer's genetic data that:
  • describes the entity's use of the genetic data;
  • specifies the categories of individuals within the entity that have access to test results; and
  • specifies how the entity may share the genetic data; and
• obtain a consumer's separate express consent for, among other things:
  • the transfer or disclosure of the consumer's genetic data or biological sample to any third party other than the entity's processors, including the name of the third party;
  • the use of genetic data beyond the primary purpose of the entity's genetic testing product or service and inherent contextual uses;
  • the entity's retention of any biological sample provided by the consumer following the entity's completion of the initial testing service requested by the consumer;
  • marketing to a consumer based on the consumer's genetic data; or
  • sale of the consumer's genetic data.

Moreover, under the Act, entities are obligated to implement and maintain a comprehensive security program to protect consumers' genetic data against unauthorized access, use, or disclosure. Notably the Act requires entities to provide consumers with a process to:

• access or delete their genetic data;
• revoke any consent provided by the consumer; and
• request and obtain the destruction of the consumer's biological sample.

You can read the Act here and track its progress here.