Montana: Genetic Information Privacy Act

Data privacy continues to dominate legislative discussions in the US, both at the federal and state levels. While many states are considering broader, more comprehensive laws, certain states are passing privacy laws focused on particular industries or data types. A good example of this trend is the recently passed Montana Genetic Information Privacy Act (GIPA). GIPA recognizes the inherent sensitivity of genetic data and the significant privacy risks in the collection and processing of genetic data.

Specifically, GIPA prohibits the disclosure of a consumer's genetic data to the consumer's employer and any entity offering health insurance, life insurance, or long-term care insurance without the consumer's express consent. It is important to note that consumers may revoke consent at any time. Further, GIPA requires entities that collect genetic data to implement and maintain a comprehensive security program to protect consumers' genetic data against unauthorized access, use, or disclosure. Jordan L. Fischer, Partner at Constangy, Brooks, Smith & Prophete LLP, explores the key areas of GIPA and the initial response to it.

Key definitions 

GIPA applies to consumers, which are defined as any individual who is a resident of Montana. Any public or private organization that 'offers consumer genetic testing products or services directly to a consumer' or 'collects, uses, or analyzes genetic data' is subject to GIPA. Montana defines genetic data as any data, regardless of format, concerning a consumer's genetic characteristics, which includes:  

  • raw sequence data that result from sequencing all or a portion of a consumer's extracted DNA; 
  • genotypic and phenotypic information obtained from analyzing a consumer's raw sequence data; and 
  • self-reported health information regarding a consumer's health conditions that the consumer provides to an entity that uses the information for scientific research or product development, and analyzes the data in connection with the consumer's raw sequence data. 

Further, unlike other states that set a minimum threshold for the amount of data collected and/or processed, GIPA does not include such applicability requirements. Presumably, if an entity processes one consumer's genetic data, it could trigger the requirements of GIPA.

Key requirements of GIPA 

GIPA includes a number of prescriptive requirements for entities processing genetic data. These requirements range from notice and transparency regarding the collection and processing of genetic data to the creation of a comprehensive security program to protect genetic data. 

Notice and transparency 

Similar to the transparency trends in other state privacy laws, businesses that process genetic information are required to provide clear and complete information regarding the entity's policies and procedures for the collection, use, or disclosure of genetic data. Specifically, GIPA requires entities to include basic, essential information about the entity's collection, use, or disclosure of genetic data in its privacy policy. Entities must also provide a prominent, publicly available privacy notice that includes, at a minimum, information about the entity's data collection, consent, use, access, disclosure, transfer, security, and retention and deletion practices for genetic data. 

Express consent 

One of the most significant aspects of GIPA is the requirement to obtain either express consent or informed express consent in relation to a consumer's genetic data collection and processing. Express consent is defined as 'a consumer's affirmative response to a clear, meaningful, and prominent notice regarding the collection, use, or disclosure of genetic data for a specific purpose.' 

Under GIPA, an entity is required to obtain a consumer's initial express consent for the collection, use, or disclosure of the consumer's genetic data, in a form that:

  • clearly describes the entity's use of the genetic data that the entity collects through the entity's genetic testing product or service; 
  • specifies the categories of individuals within the entity that have access to test results; and 
  • specifies how the entity may share the genetic data. 

Additionally, entities must obtain separate express consent from the consumer before disclosing the consumer's genetic data to a third party that is not a service provider or processor, before using the genetic data beyond the initial purpose for which it was collected, or for ongoing retention of the genetic data.

Finally, GIPA lays out additional instances where either informed express consent or express consent is required from a consumer to process or transfer genetic data. The distinction between informed express consent and express consent is not clear and is likely to be further fleshed out as this law is put into practice. Entities conducting research that includes the transfer or disclosure of a consumer's genetic data to a third party (i.e., not a service provider or processor) must obtain informed express consent. Entities that are seeking to market to a consumer based on the consumer's genetic data, either directly or via a third party, must obtain express consent. And, finally, for the sale or 'other valuable consideration of the consumer's genetic data,' an entity must obtain express consent.

Inherent in these requirements for express consent or informed express consent is that an entity must track, and be able to demonstrate, a consumer's consent to the use of genetic data. While simplistic in theory, the practical implementation of this requirement can often create technical and administrative challenges for operational teams.  

Consumer rights 

While not phrased as 'rights' per se, GIPA does require that entities provide certain processes to consumers, including the rights to:

  • access the consumer's genetic data;  
  • delete the consumer's genetic data;  
  • revoke consent; and  
  • destroy the consumer's biological sample. 

GIPA enforcement 

GIPA follows the trends of most US privacy laws, vesting the authority to enforce GIPA with the Montana Attorney General. The Act expressly allows for the Montana Attorney General to recover actual damages as well as $2,500 for each violation of GIPA.  

Exceptions to the applicability of GIPA 

GIPA carves out certain types of data or entities from complying with its requirements. Protected health information collected by a covered entity or a business associate under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is exempt. Importantly, this is a data exemption rather than an entity exemption. As such, if HIPAA-covered entities collect genetic data for non-HIPAA related purposes, that data collection is subject to GIPA.

Additionally, protected health information collected under the good clinical practice guidelines or in accordance with the requirements of the Food and Drug Administration policy (i.e., the Common Rule) is also exempt from GIPA. Finally, GIPA does not apply to 'uses by a government agency.'

Initial response to GIPA 

Most of the requirements of GIPA went into effect on October 1, 2023, and while GIPA is still new, industry is already responding with concerns. Particularly, biotech companies and pharmaceutical companies are concerned that GIPA requires entities to obtain new consent each time a consumer's genetic data is transferred to a new entity for research purposes.  

Even with this criticism, GIPA has generally been well received. The final Act made some significant changes to try to address early concerns raised by industry. For example, the original draft of GIPA required that all genetic data be stored within the US. This requirement was softened in the final version of GIPA to only restrict storage of genetic data in countries that are sanctioned by the US. 

Overall, GIPA is intended to create structure and guarantee consumer control over sensitive and personal data. This law comes at an interesting time, when both federal and state legislatures are increasingly focused on consumer health data, which is more sensitive. Release of genetic data can be particularly detrimental to individuals. Companies that are collecting or processing genetic data should be aware of, and monitor, the implementation and enforcement of GIPA to understand the transparency and data processing requirements for genetic data.

Jordan L. Fischer Partner 
Constangy, Brooks, Smith & Prophete LLP, Philadelphia