30-23-104. Consumer genetic data -- privacy notice -- consent -- access -- deletion -- destruction.
To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, an entity shall:
(1) provide clear and complete information regarding the entity's policies and procedures for the collection, use, or disclosure of genetic data by making available to a consumer:
(a) a high-level privacy policy overview that includes basic, essential information about the entity's collection, use, or disclosure of genetic data; and
(b) a prominent, publicly available privacy notice that includes, at a minimum, information about the entity's data collection, consent, use, access, disclosure, transfer, security, and retention and deletion practices for genetic data;
(2) obtain initial express consent from a consumer, parent, guardian, or power of attorney for the collection, use, or disclosure of the consumer's genetic data that:
(a) clearly describes the entity's use of the genetic data that the entity collects through the entity's genetic testing product or service;
(b) specifies the categories of individuals within the entity that have access to test results; and
(c) specifies how the entity may share the genetic data;
(3) if the entity engages in any of the following, obtain a consumer's:
(a) separate express consent for:
(i) the transfer or disclosure of the consumer's genetic data or biological sample to any third party other than the entity's processors, including the name of the third party to which the consumer's genetic data or biological sample will be transferred or disclosed with the consumer's express consent;
(ii) the use of genetic data beyond the primary purpose of the entity's genetic testing product or service and inherent contextual uses; or
(iii) the entity's retention of any biological sample provided by the consumer following the entity's completion of the initial testing service requested by the consumer;
(b) informed express consent for transfer or disclosure of the consumer's genetic data to third party persons for:
(i) research purposes; or
(ii) research conducted under the control of the entity for the purpose of publication or generalizable knowledge; and
(c) express consent for:
(i) marketing to a consumer based on the consumer's genetic data;
(ii) marketing by a third-party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service. Marketing does not include the provision of customized content or offers on the websites or through the applications or services provided by the entity with the first-party relationship to the consumer; or
(iii) sale or other valuable consideration of the consumer's genetic data.
(4) comply with the provisions of 44-6-104 requiring a valid legal process for disclosing genetic data to law enforcement or any other government agency without a consumer's express consent;
(5) develop, implement, and maintain a comprehensive security program to protect a consumer's genetic data against unauthorized access, use, or disclosure; and
(6) provide a process for a consumer to:
(a) access the consumer's genetic data;
(b) delete the consumer's genetic data;
(c) revoke any consent provided by the consumer; and
(d) request and obtain the destruction of the consumer's biological sample.
(7) Genetic data and biometric samples of Montana residents collected in the state may not be stored within the territorial boundaries of any country currently sanctioned in any way by the United States office of foreign asset control or designated as a foreign adversary under 15 CFR 7.4(a). Genetic data or biometric data of Montana residents collected in the state may only be transferred or stored outside the United States with the consent of the resident.