Montana defines “genetic data” as any data, regardless of format, concerning a consumer's genetic characteristics. Specifically, it includes the following:

• Raw sequence data that result from sequencing all or a portion of a consumer's extracted DNA.
• Genotypic and phenotypic information obtained from analyzing a consumer's raw sequence data.
• Self-reported health information regarding a consumer's health conditions that the consumer provides to an entity that uses the information for scientific research or product development, and analyzes it in connection with the consumer's raw sequence data.

Effective October 1, controllers of genetic information will be required to do the following:

1. Obtain express consent in certain circumstances:

• For the transfer or disclosure of the consumer’s genetic data;
• For the use of genetic data.
• For the entity’s retention of genetic data.

Informed express consent to the transfer or disclosure of the consumer’s genetic data to third parties is required

• For research purposes.
• For research conducted under the control of the entity for the purpose of publication or generalizable knowledge.

Express consent is required

• For marketing based on the consumer’s genetic data.
• For marketing by a third party to a consumer because the consumer ordered or purchased a genetic testing product or service.
• For sale or other valuable consideration of the consumer’s genetic data.

2. Employ compliance measures to demonstrate their genetic information privacy practices.

Similar to the transparency trends in other state privacy laws, businesses that are processing genetic information are required to provide clear and complete information regarding the entity’s policies and procedures for the collection, use, or disclosure of genetic data. Additionally, businesses must provide a high-level privacy policy overview that includes basic, essential information about the entity’s collection, use, or disclosure of genetic data. They must also provide a prominent, publicly available privacy notice that includes, at a minimum, information about the entity’s data collection, consent, use, access, disclosure, transfer, security, and retention and deletion practices for genetic data.

Finally, when obtaining initial express consent from a consumer, parent, guardian, or power of attorney for the collection, use, or disclosure of the consumer’s genetic data, the consent must

• Clearly describe the entity’s use of the genetic data that the entity collects through the entity’s genetic testing product or service.
• Specify the categories of individuals within the entity who have access to test results.
• Specify how the entity may share the genetic data.

The Constangy Cyber Team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address these complex and evolving regulatory requirements. If you would like additional information on how to prepare your organization, please contact us at cyber@constangy.com.

*Edwin Jones is a paralegal in the Cybersecurity practice group.