PogoWasRight.org

Don’t Mind If I Do: Montana Says Hands Off Neural Data

Posted on June 11, 2025 by Dissent

In May 2025, Montana enacted Senate Bill 163 (SB 163), amending that state’s Genetic Information Privacy Act (MGIPA) to include protections for neurotechnology data—namely, data collected from the activity of the central or peripheral nervous system.

Naa Kai Koppoe and Alison Watkins of Perkins Coie write:

This amendment reflects a growing nationwide recognition of the sensitivity of neural data and positions Montana, alongside California and Colorado, at the forefront of its regulation. For companies that operate in this evolving space, the law introduces new compliance obligations, particularly around consent, notice, and research uses. The law will become effective on October 1, 2025.

SB 163 Overview

The MGIPA applies to entities that offer consumer genetic testing products or services directly to a consumer or collect, use, or analyze genetic data. The law protects genetic data, and SB 163 broadens the scope to include “neurotechnology data” in many of its existing provisions, such as requiring entities that handle this data to obtain consent and to provide additional notice and data subject rights to consumers.

Montana’s legislative findings closely track those found in Colorado’s amendment to its privacy law. Both states express concerns that each human brain is unique, so neural data is specific to the individual from whom it is collected and contains sensitive information that may link the data to an identified or identifiable individual. Both states found that while neural data may be used in medical settings that are regulated under health privacy laws, like Health Insurance Portability and Accountability Act (HIPAA), there is a gap in regulation for products used outside the medical setting, which are considered consumer products.

“Neurotechnology” is defined as devices that can record, interpret, or alter an individual’s central or peripheral nervous system response to its internal or external environment and includes “mental augmentation,” which is defined as “improving human cognition and behavior through direct recording or manipulation of neural activity by neurotechnology.” “Neurotechnology data” is defined as data captured by a neurotechnology—and specifically data that is generated by measuring the activity of an individual’s central or peripheral nervous system—or data associated with “neural activity.” Excluded from neurotechnology data is “nonneural information,” meaning information about the downstream effects of neural activity, like eye dilation, motor activity, or breathing rate.

Read more at JDSupra.

Category: Laws, U.S.
