State Privacy Law Update: Montana Genetic Information Privacy

Jordan Fischer
Constangy, Brooks, Smith & Prophete, LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Constangy, Brooks, Smith & Prophete, LLP

[co-author: Edwin Jones*]

This year has proven to be active in terms of state privacy legislation. In addition to Montana’s Consumer Data Privacy Act, the state has now passed a Genetic Information Privacy Act.

Montana defines “genetic data” as any data, regardless of format, concerning a consumer's genetic characteristics. Specifically, it includes the following:

  • Raw sequence data that result from sequencing all or a portion of a consumer's extracted DNA.
  • Genotypic and phenotypic information obtained from analyzing a consumer's raw sequence data.
  • Self-reported health information regarding a consumer's health conditions that the consumer provides to an entity that uses the information for scientific research or product development, and analyzes it in connection with the consumer's raw sequence data.

Effective October 1, controllers of genetic information will be required to do the following:

1. Obtain express consent in certain circumstances:

  • For the transfer or disclosure of the consumer’s genetic data;
  • For the use of genetic data.
  • For the entity’s retention of genetic data.

Informed express consent to the transfer or disclosure of the consumer’s genetic data to third parties is required

  • For research purposes.
  • For research conducted under the control of the entity for the purpose of publication or generalizable knowledge.

Express consent is required

  • For marketing based on the consumer’s genetic data.
  • For marketing by a third party to a consumer because the consumer ordered or purchased a genetic testing product or service.
  • For sale or other valuable consideration of the consumer’s genetic data.

2. Employ compliance measures to demonstrate their genetic information privacy practices.

Similar to the transparency trends in other state privacy laws, businesses that are processing genetic information are required to provide clear and complete information regarding the entity’s policies and procedures for the collection, use, or disclosure of genetic data. Additionally, businesses must provide a high-level privacy policy overview that includes basic, essential information about the entity’s collection, use, or disclosure of genetic data. They must also provide a prominent, publicly available privacy notice that includes, at a minimum, information about the entity’s data collection, consent, use, access, disclosure, transfer, security, and retention and deletion practices for genetic data.

Finally, when obtaining initial express consent from a consumer, parent, guardian, or power of attorney for the collection, use, or disclosure of the consumer’s genetic data, the consent must

  • Clearly describe the entity’s use of the genetic data that the entity collects through the entity’s genetic testing product or service.
  • Specify the categories of individuals within the entity who have access to test results.
  • Specify how the entity may share the genetic data.

*Edwin Jones is a paralegal in the Cybersecurity practice group.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Constangy, Brooks, Smith & Prophete, LLP | Attorney Advertising

Written by:

Constangy, Brooks, Smith & Prophete, LLP
Constangy, Brooks, Smith & Prophete, LLP
Contact
more
less

Constangy, Brooks, Smith & Prophete, LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide