- 2025 69th Legislature 2025 SB 163 - 1 - Authorized Print Version – SB 163 ENROLLED BILL

AN ACT REVISING THE GENETIC INFORMATION PRIVACY ACT; INCLUDING NEUROTECHNOLOGY DATA IN THE SCOPE OF THE GENETIC INFORMATION PRIVACY ACT; ADDING LEGISLATIVE FINDINGS AND PURPOSE TO THE ACT; REVISING PROVISIONS RELATING TO EXCEPTIONS; ADDING PROTECTIONS FOR THE PRIVACY OF NEUROTECHNOLOGY DATA; REVISING PROVISIONS RELATING TO PRIVACY NOTICES; PROVIDING A DEFINITION; AND AMENDING SECTIONS 30-23-101, 30-23-102, 30-23-103, 30-23-104, 30-23-105, AND 44-6-104, MCA.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MONTANA:

Section 1. Section 30-23-101, MCA, is amended to read:

"30-23-101. (1) This part may be cited as the "Genetic Information Privacy Act".
(2) The legislature finds and declares that:
(a) (i) the people of Montana regard their privacy as a fundamental right and an essential element of individual freedom; and
(ii) Article II, section 10, of the Montana constitution protects individuals' privacy, and fundamental privacy rights have long been, and continue to be, integral to protecting Montanans;
(b) ongoing advances in technology have produced exponential growth in the volume and variety of personal data being generated, collected, stored, and analyzed, and these advances present both great promise and potential risks;
(c) technology that collects data about the user's bodily and mental functions is transforming the volume and sensitivity of personal data collected from individuals and stored by companies;
(d) neurotechnologies, including devices capable of recording, interpreting, and altering the response of an individual's central or peripheral nervous system to its internal or external environment, raise particularly pressing privacy concerns given their ability to monitor, decode, and manipulate brain activity;
(e) data concerning the activity of the human brain and wider
nervous systems, or "neurotechnology data", is extremely sensitive and can reveal intimate information about individuals, including information about health, mental states, emotions, and cognitive functioning;
(f) each human brain is unique, meaning that neural data is specific to the individual from whom it is collected. Because neurotechnology data contains distinctive information about the structure and functioning of individual brains and nervous systems, it contains sensitive information that may link the data to an identified or identifiable individual.
(g) the collection of neurotechnology data involves the involuntary disclosure of information. Even if individuals consent to the collection and processing of their data for narrow use, they are unlikely to be fully aware of the content or quality of information they are sharing.
(h) neurotechnology users cannot decide what specific neurotechnology information they would like to disclose, and they are unlikely to understand the extent to which their neurotechnology data can be decoded, currently or in the future. Neurotechnologies can collect and process information about an individual that the individual did not even know existed.
(i) neurotechnologies that are deployed in medical settings or otherwise utilize the surgical implantation of invasive devices are typically regulated as medical tools that produce health information. Both invasive and noninvasive wearable neurotechnologies used in medical settings are also regulated by health data privacy laws. However, when noninvasive neurotechnologies are used outside of medical settings, they are generally considered consumer products and operate without regulation or data protection standards."

Section 2. Section 30-23-102, MCA, is amended to read:

"30-23-102.
As used in this part, unless the context clearly indicates otherwise, the following definitions apply:
(1) "Biological sample" means any human material known to contain DNA, including tissue, blood, urine, or saliva.
(2) "Consumer" means an individual who is a resident of this state.
(3) "DNA" means deoxyribonucleic acid.
(4) "Entity" means a partnership, corporation, association, or public or private organization of any character that:
(a) offers consumer genetic testing products or services directly to a consumer; or
(b) collects, uses, or analyzes genetic data.
(5) "Express consent" means a consumer's affirmative response to a clear, meaningful, and prominent notice regarding the collection, use, or disclosure of genetic data for a specific purpose.
(6) (a) "Genetic data" means any data, regardless of format, concerning a consumer's genetic characteristics.
(b) The term includes but is not limited to:
(i) raw sequence data that result from sequencing all or a portion of a consumer's extracted DNA;
(ii) genotypic and phenotypic information obtained from analyzing a consumer's raw sequence data; and
(iii) self-reported health information regarding a consumer's health conditions that the consumer provides to an entity that the entity:
(A) uses for scientific research or product development; and
(B) analyzes in connection with the consumer's raw sequence data.
(7) "Genetic testing" means:
(a) a laboratory test of a consumer's complete DNA, regions of DNA, chromosomes, genes, or gene products to determine the presence of genetic characteristics of a consumer; or
(b) an interpretation of a consumer's genetic data.
(8) "Governmental agency" means an executive, legislative, or judicial agency, department, board, commission, authority, institution, or instrumentality of the federal government or of a state or of a county, municipality, or other political subdivision of a state.
(9) "Neurotechnology" means devices capable of recording, interpreting, or altering the response of an individual’s central or peripheral nervous system to its internal or external environment and includes mental augmentation, which means improving human cognition and behavior through direct recording or manipulation of neural activity by neurotechnology.
(10) (a) "Neurotechnology data" means information that is captured by neurotechnologies, is generated by measuring the activity of an individual's central or peripheral nervous systems, or is data associated with neural activity, which means the activity of neurons or glial cells in the central or peripheral nervous system, and that is not nonneural information.
(b) The term does not include nonneural information, which means information about the downstream physical effects of neural activity, including but not limited to pupil dilation, motor activity, and breathing rate.
(9)(11) "Person" means an individual, partnership, corporation, association, business, business trust, or legal representative of an organization.
(10)(12) "Processor" means a person that processes genetic data on behalf of an entity pursuant to a contract between the entity and the processor that prohibits the processor from retaining, using, or disclosing the genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, for any purpose other than for the specific purpose of performing the services specified in the contract.
(11)(13) "Third party" means a person other than the consumer, entity, or processor."

Section 3. Section 30-23-103, MCA, is amended to read:

"30-23-103.
(1) This part does not apply to:
(a) protected health information that is collected by a covered entity or business associate as those terms are defined in 45 CFR, parts 160 and 164, if separate informed consent related to the collection, use, and dissemination of genetic or neurotechnology data is obtained from the consumer, parent, guardian, or power of attorney, and the covered entity or business associate follows the policies under 30-23-104(6)(a) through (6)(d);
(b) an entity when it is engaged only in collecting, using, or analyzing genetic data or biological samples in the context of scientific or clinical research as defined in 45 CFR 164.501 conducted with the express consent of an individual and in accordance with:
(i) the federal policy for the protection of human research subjects under 45 CFR, part 46, the good clinical practice guideline issued by the international council for harmonisation of technical requirements for pharmaceuticals for human use; or
(ii) the United States food and drug administration policy for the protection of human subjects under 21 CFR, parts 50 and 56; or
(c) uses by a governmental agency. ; or
(d) deidentified genetic data obtained from a third party to the extent that the data is used to conduct internal, medical, or scientific research. Data must be considered deidentified if:
(i) it cannot be reasonably linked to an identifiable individual; and
(ii) the entity:
(A) takes administrative and technical measures to ensure the data cannot be associated with a particular consumer;
(B) maintains and uses data in deidentified form and does not attempt to reidentify data; and
(C) enters a legally enforceable contractual obligation that prohibits a recipient of the data from attempting to reidentify the data.
(2) Beginning June 1, 2025, any Any collection, storage, use, or dissemination of genetic or neurotechnology data by a governmental agency must be performed in accordance with a specific state law or executed through a search warrant or investigative subpoena issued pursuant to 46-4-301."

Section 4. Section 30-23-104, MCA, is amended to read:

"30-23-104. deletion -- destruction. To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic or neurotechnology data, an entity shall:
(1) provide clear and complete information regarding the entity's policies and procedures for the collection, use, or disclosure of genetic or neurotechnology data by making available to a consumer:
(a) a high-level privacy policy overview that includes basic, essential information about the entity's collection, use, or disclosure of genetic or neurotechnology data; and
(b) a prominent, publicly available privacy notice that includes, at a minimum, information about the entity's data collection, consent, use, access, disclosure, transfer, security, and retention and deletion practices for genetic or neurotechnology data;
(2) obtain initial express consent from a consumer, parent, guardian, or power of attorney for the collection, use, or disclosure of the consumer's genetic or neurotechnology data that:
(a) clearly describes the entity's use of the genetic or neurotechnology data that the entity collects through the entity's genetic testing product or service;
(b) specifies the categories of individuals within the entity that have access to test results; and
(c) specifies how the entity may share the genetic or neurotechnology data;
(3) if the entity engages in any of the following, obtain a consumer's:
(a) separate express consent for:
(i) the transfer or disclosure of the consumer's genetic or neurotechnology data or biological sample to any third party other than the
entity's processors, including the name of the third party to which the consumer's genetic or neurotechnology data or biological sample will be transferred or disclosed with the consumer's express consent;
(ii) the use of genetic or neurotechnology data beyond the primary purpose of the entity's genetic testing product or service and inherent contextual uses; or
(iii) the entity's retention of any biological sample provided by the consumer following the entity's completion of the initial testing service requested by the consumer;
(b) informed express consent for transfer or disclosure of the consumer's genetic or neurotechnology data to third party persons for:
(i) research purposes; or
(ii) research conducted under the control of the entity for the purpose of publication or generalizable knowledge; and
(c) express consent for:
(i) marketing to a consumer based on the consumer's genetic or neurotechnology data;
(ii) marketing by a third-party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service. Marketing does not include the provision of customized content or offers on the websites or through the applications or services provided by the entity with the first-party relationship to the consumer; or
(iii) sale or other valuable consideration of the consumer's genetic or neurotechnology data.
(4) comply with the provisions of 44-6-104 requiring a valid legal process for disclosing genetic or neurotechnology data to law enforcement or any other government agency without a consumer's express consent;
(5) develop, implement, and maintain a comprehensive security program to protect a consumer's genetic or neurotechnology data against unauthorized access, use, or disclosure; and
(6) provide a process for a consumer to:
(a) access the consumer's genetic or neurotechnology data;
(b) delete the consumer's genetic or neurotechnology data;
(c) revoke any consent provided by the consumer; and
(d) request and obtain the destruction of the consumer's biological sample.
(7) The requirements of subsections (6)(a) through (6)(d) must be waived if:
(a) the entity obtains express and informed written consent from a consumer, parent, guardian, or power of attorney for participation in a clinical research trial, including the collection and use of any genetic or neurotechnology data, which at a minimum must:
(i) be in accordance with the good clinical practice guideline issued by the international council for harmonisation of technical requirements for pharmaceuticals for human use;
(ii) be obtained no sooner than 14 days from the initial biological sample collection if the biological sample is collected for a primary purpose unrelated to clinical research;
(iii) be obtained separately from any other items of consent;
(iv) be in writing on a form with text that is easily readable with size 12-point font or larger;
(v) include the entity's biological sample and data retention, sharing, and use policies;
(vi) include notice that after consent is given, there is no right to access, inspect, or require the destruction of any genetic or neural biological sample or neurotechnology data; and
(vii) include notice that after consent is given, whole genome sequencing of the individual's
biological sample could occur and is permitted without further notice to the individual;
(b) the genetic or neural biological sample and data is utilized for clinical research purposes only.
(8) The requirements of subsection (6)(d) must be temporarily waived if:
(a) a laboratory is governed under 42 CFR 493.1105;
(b) the laboratory retains the biological sample for no more than 2 years or the shortest time allowed under law, whichever is less;
(c) the laboratory does not share, test, or conduct additional analysis or research on the biological sample while the sample is being held under the retention requirements set forth in 42 CFR 493.1105 prior to the requested destruction of the sample; and
(d) when a clinical laboratory is certified by the centers for medicare and medicaid services, when the retention of a patient's biological sample does not exceed the time needed for compliance with any quality standard or regulation issued pursuant to section 263(a) of the Public Health Service Act, 42 U.S.C. 263(a).
(9) The requirements of subsection (7) supersede all exceptions to, and waivers of, informed consent in the federal policy for the protection of human subjects under 45 CFR, part 46.
(7)(10) Genetic or neurotechnology data and biometric samples of Montana residents collected in the state may not be stored within the territorial boundaries of any country currently sanctioned in any way by the United States office of foreign asset control or designated as a foreign adversary under 15 CFR 7.4(a). Genetic or neurotechnology data or biometric data of Montana residents collected in the state may only be transferred or stored outside the United States with the consent of the resident."

Section 5. Section 30-23-105, MCA, is amended to read:

"30-23-105.
(1) The disclosure of genetic or neurotechnology data pursuant to this part must comply with all state and federal laws for the protection of privacy and security.
(2) Notwithstanding any other provisions in 30-23-104, an entity may not disclose a consumer's genetic or neurotechnology data to any entity offering health insurance, life insurance, or long-term care insurance, or to any employer of the consumer without the consumer's express consent."

Section 6. Section 44-6-104, MCA, is amended to read:

"44-6-104. neurotechnology searches -- warrant required. neurotechnology search results from a consumer DNA or neurotechnology database:
(a) without a search warrant or investigative subpoena issued by a court on a finding of probable cause; or
(b) unless the consumer whose information is sought previously waived the consumer's right to privacy in the information.
(2) A government entity may not obtain familial DNA or neurotechnology data search results or search results from partial matching from the DNA or neurotechnology identification index or a consumer DNA or neurotechnology database without a search warrant or investigative subpoena issued by a court on a finding of probable cause.
(3) For the purposes of this section, the following definitions apply:
(a) "Consumer DNA database" means a database maintained by a private entity that provides direct-to-consumer genetic testing services.
(b) "DNA identification index" has the same meaning provided in 44-6-101.
(c) "Familial DNA search" means a search performed of a government or consumer DNA database using specialized software to detect and statistically rank a list of potential candidates in the DNA database who may be a close biological relative to the unknown individual contributing the evidence DNA profile.
The specialized software search may be combined with lineage testing to help confirm or refute biological relatedness.
(d) "Lineage testing" means additional genetic testing used to help confirm or refute biological relatedness between the known individual in a DNA database and the unknown individual contributing the evidence DNA profile. Examples of additional genetic testing include but are not limited to:
(i) Y-STR analysis to examine STR patterns specific to the Y-chromosome used to determine paternally derived relatedness among DNA profiles;
(ii) mtDNA analysis to examine cell mitochondria used to determine maternally derived relatedness; or
(iii) single nucleotide polymorphism genotyping to generate results related to a person's ancestry and genetic predisposition to health-related topics.
(e) "Neurotechnology data" has the same meaning as provided in 30-23-102.
(e)(f) "Partial matching" means a moderate stringency search of a DNA database using routine search parameters that results in one or more partial matches between single-source and nondegraded DNA profiles that share at least one allele at each locus, indicating a potential familial relationship between the known individual in the DNA database and the unknown individual contributing the evidence DNA profile.
(4) A government entity that legally obtains DNA or neurotechnology data search results, as set forth in this section, or genetic or neurotechnology data, as set forth in Title 30, chapter 23, part 1, may use the results during criminal investigations and judicial proceedings subject to applicable rules of criminal procedure and evidence."

- END -

I hereby certify that the within bill, SB 163, originated in the Senate.
___________________________________________
Secretary of the Senate

___________________________________________
President of the Senate

Signed this _______________ day of _______________, 2025.

___________________________________________
Speaker of the House

Signed this _______________ day of _______________, 2025.

SENATE BILL NO. 163
INTRODUCED BY D. ZOLNIKOV

AN ACT REVISING THE GENETIC INFORMATION PRIVACY ACT; INCLUDING NEUROTECHNOLOGY DATA IN THE SCOPE OF THE GENETIC INFORMATION PRIVACY ACT; ADDING LEGISLATIVE FINDINGS AND PURPOSE TO THE ACT; REVISING PROVISIONS RELATING TO EXCEPTIONS; ADDING PROTECTIONS FOR THE PRIVACY OF NEUROTECHNOLOGY DATA; REVISING PROVISIONS RELATING TO PRIVACY NOTICES; PROVIDING A DEFINITION; AND AMENDING SECTIONS 30-23-101, 30-23-102, 30-23-103, 30-23-104, 30-23-105, AND 44-6-104, MCA.