Jennifer Lynch of EFF writes:
Over the last 10+ years, Montana has, with little fanfare or national attention, steadily pushed to protect its residents’ privacy interests through sensible laws that recognize the unique threats posed by new technologies. Now Montana has passed one of the nation’s most protective consumer genetic privacy laws—the Genetic Information Privacy Act. Could this law and the state’s bipartisan approach become a model for the rest of the country?
2013 is a good starting point for this story. That year, Montana passed a law requiring police to get a warrant before they could obtain location information generated by electronic devices. At the time, there were no state or federal laws that explicitly protected this data. And the police were already getting and using location data in thousands of criminal cases across the country every year.
Montana’s straightforward law went into effect two and a half years before California’s landmark privacy law, CalECPA, codified similar protections for location data—and five years before the Supreme Court, in Carpenter v. United States, explicitly recognized the Fourth Amendment requires a warrant for access to cell site location information.
Montana may have only a little more than a million residents, but since 2013, it has passed a significant number of other important privacy laws. These run the gamut from prohibiting government face surveillance and limiting face recognition, to providing Montana consumers with explicit privacy rights in their online data and preventing energy utilities from selling or sharing individual advanced meter energy data without consumer consent. In 2021, Montana expressly restricted familial searches of government-maintained DNA databases and became one of only two states to require a warrant to search consumer DNA databases like genetic genealogy sites. Also in 2021, Montana residents overwhelmingly supported (by 80%) a constitutional amendment that added electronic data and communications to the state constitution’s search and seizure protections.
This summer Montana went one step further to protect Montanans’ privacy in, arguably, their most sensitive and personal information by passing the Genetic Information Privacy Act.
Montana’s new law (previously Senate Bill 351) includes the following protections:
- It broadly defines “genetic data” to include not just raw sequence data but also genotypic and phenotypic information and “self-reported health information.” And it broadly defines “genetic testing” to include not just the lab work to extract DNA but also the “interpretation of a consumer’s genetic data.”
- It sets comprehensive notice, use, and consent requirements for companies processing consumer genetic data.
- It requires that companies provide consumers with clear information about their practices and privacy protections through a “high-level privacy policy overview.”
- It requires consumers’ express affirmative consent not just upon initial collection but also separate and additional express consent for secondary uses of the data, retention of the consumer’s biological sample, and any data transfer or disclosure to third parties.
- It prohibits the disclosure of a consumer’s genetic data to the consumer’s employer and any entity offering health insurance, life insurance or long-term care insurance without the consumer’s express consent.
The Genetic Information Privacy Act also addresses government searches of consumer genetic data by reinforcing the 2021 law, 44-6-104, which requires a warrant to search consumer DNA databases. The new law mandates that consumer genetic testing entities comply with 44-6-104 and not disclose data without valid legal process or a consumer’s express consent.
The new law also leaves open the possibility that, after June 1, 2025, other government actions with respect to genetic data would require a warrant. One interpretation of this currently ambiguous section could be that it would prohibit warrantless police searches of inadvertently shed DNA. These searches are becoming increasingly common as a component of forensic genetic genealogy investigations, and EFF has long argued they violate people’s Fourth Amendment rights.
While the Genetic Information Privacy Act lacks a private right of action (this means consumers don’t have the power to sue companies for violating the law), it does provide the state attorney general with authority to enforce the law and allows the AG to recover both actual and statutory damages as well as attorney’s fees. We believe that the best way to ensure compliance with any consumer privacy law is to give consumers the power to enforce it. Montana’s law lacks this insurance policy, so we can only hope here that the state AG cares enough about Montanans’ genetic privacy to go after any company that fails to comply with the law.
Montana’s success in passing mostly reasonable privacy laws, many of which offer strong protections lacking in other, much larger states’ laws, shows that concerns about privacy easily cut across political lines. While we wait for the federal government to pass any meaningful comprehensive privacy laws, states should look to Montana as a model for innovative ways to protect their own residents’ privacy interests.
This article was originally published at EFF.