30-23-104. Consumer genetic or neurotechnology data -- privacy notice -- consent -- access -- deletion -- destruction, MCA
  1. MCA Contents
  2. TITLE 30
  3. CHAPTER 23
  4. Part 1
  5. 30-23-104 Consumer genetic or neurotechnology data -- privacy notice -- consent -- access -- deletion -- destruction

Montana Code Annotated 2025

TITLE 30. TRADE AND COMMERCE

CHAPTER 23. GENETIC INFORMATION PRIVACY

Part 1. Genetic Information Privacy Act

Consumer Genetic Or Neurotechnology Data -- Privacy Notice -- Consent -- Access -- Deletion -- Destruction

30-23-104. Consumer genetic or neurotechnology data -- privacy notice -- consent -- access -- deletion -- destruction. To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic or neurotechnology data, an entity shall:

(1) provide clear and complete information regarding the entity's policies and procedures for the collection, use, or disclosure of genetic or neurotechnology data by making available to a consumer:

(a) a high-level privacy policy overview that includes basic, essential information about the entity's collection, use, or disclosure of genetic or neurotechnology data; and

(b) a prominent, publicly available privacy notice that includes, at a minimum, information about the entity's data collection, consent, use, access, disclosure, transfer, security, and retention and deletion practices for genetic or neurotechnology data;

(2) obtain initial express consent from a consumer, parent, guardian, or power of attorney for the collection, use, or disclosure of the consumer's genetic or neurotechnology data that:

(a) clearly describes the entity's use of the genetic or neurotechnology data that the entity collects through the entity's genetic testing product or service;

(b) specifies the categories of individuals within the entity that have access to test results; and

(c) specifies how the entity may share the genetic or neurotechnology data;

(3) if the entity engages in any of the following, obtain a consumer's:

(a) separate express consent for:

(i) the transfer or disclosure of the consumer's genetic or neurotechnology data or biological sample to any third party other than the entity's processors, including the name of the third party to which the consumer's genetic or neurotechnology data or biological sample will be transferred or disclosed with the consumer's express consent;

(ii) the use of genetic or neurotechnology data beyond the primary purpose of the entity's genetic testing product or service and inherent contextual uses; or

(iii) the entity's retention of any biological sample provided by the consumer following the entity's completion of the initial testing service requested by the consumer;

(b) informed express consent for transfer or disclosure of the consumer's genetic or neurotechnology data to third party persons for:

(i) research purposes; or

(ii) research conducted under the control of the entity for the purpose of publication or generalizable knowledge; and

(c) express consent for:

(i) marketing to a consumer based on the consumer's genetic or neurotechnology data;

(ii) marketing by a third-party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service. Marketing does not include the provision of customized content or offers on the websites or through the applications or services provided by the entity with the first-party relationship to the consumer; or

(iii) sale or other valuable consideration of the consumer's genetic or neurotechnology data.

(4) comply with the provisions of 44-6-104 requiring a valid legal process for disclosing genetic or neurotechnology data to law enforcement or any other government agency without a consumer's express consent;

(5) develop, implement, and maintain a comprehensive security program to protect a consumer's genetic or neurotechnology data against unauthorized access, use, or disclosure; and

(6) provide a process for a consumer to:

(a) access the consumer's genetic or neurotechnology data;

(b) delete the consumer's genetic or neurotechnology data;

(c) revoke any consent provided by the consumer; and

(d) request and obtain the destruction of the consumer's biological sample.

(7) The requirements of subsections (6)(a) through (6)(d) must be waived if:

(a) the entity obtains express and informed written consent from a consumer, parent, guardian, or power of attorney for participation in a clinical research trial, including the collection and use of any genetic or neurotechnology data, which at a minimum must:

(i) be in accordance with the good clinical practice guideline issued by the international council for harmonisation of technical requirements for pharmaceuticals for human use;

(ii) be obtained no sooner than 14 days from the initial biological sample collection if the biological sample is collected for a primary purpose unrelated to clinical research;

(iii) be obtained separately from any other items of consent;

(iv) be in writing on a form with text that is easily readable with size 12-point font or larger;

(v) include the entity's biological sample and data retention, sharing, and use policies;

(vi) include notice that after consent is given, there is no right to access, inspect, or require the destruction of any genetic or neural biological sample or neurotechnology data; and

(vii) include notice that after consent is given, whole genome sequencing of the individual's biological sample could occur and is permitted without further notice to the individual;

(b) the genetic or neural biological sample and data is utilized for clinical research purposes only.

(8) The requirements of subsection (6)(d) must be temporarily waived if:

(a) a laboratory is governed under 42 CFR 493.1105;

(b) the laboratory retains the biological sample for no more than 2 years or the shortest time allowed under law, whichever is less;

(c) the laboratory does not share, test, or conduct additional analysis or research on the biological sample while the sample is being held under the retention requirements set forth in 42 CFR 493.1105 prior to the requested destruction of the sample; and

(d) when a clinical laboratory is certified by the centers for medicare and medicaid services, when the retention of a patient's biological sample does not exceed the time needed for compliance with any quality standard or regulation issued pursuant to section 263(a) of the Public Health Service Act, 42 U.S.C. 263(a).

(9) The requirements of subsection (7) supersede all exceptions to, and waivers of, informed consent in the federal policy for the protection of human subjects under 45 CFR, part 46.

(10) Genetic or neurotechnology data and biometric samples of Montana residents collected in the state may not be stored within the territorial boundaries of any country currently sanctioned in any way by the United States office of foreign asset control or designated as a foreign adversary under 15 CFR 7.4(a). Genetic or neurotechnology data or biometric data of Montana residents collected in the state may only be transferred or stored outside the United States with the consent of the resident.

History: En. Sec. 4, Ch. 768, L. 2023; amd. Sec. 4, Ch. 345, L. 2025.