ARTICLE
12 June 2025

Don't Mind If I Do: Montana Says Hands Off Neural Data

Perkins Coie LLP

Contributor



In May 2025, Montana enacted Senate Bill 163 (SB 163), amending that state's Genetic Information Privacy Act (MGIPA) to include protections for neurotechnology data—namely, data collected from the activity of the central or peripheral nervous system.

This amendment reflects a growing nationwide recognition of the sensitivity of neural data and positions Montana, alongside California and Colorado, at the forefront of its regulation. For companies that operate in this evolving space, the law introduces new compliance obligations, particularly around consent, notice, and research uses. The law will become effective on October 1, 2025.

SB 163 Overview

The MGIPA applies to entities that offer consumer genetic testing products or services directly to a consumer or collect, use, or analyze genetic data. The law protects genetic data, and SB 163 broadens the scope to include "neurotechnology data" in many of its existing provisions, such as requiring entities that handle this data to obtain consent and to provide additional notice and data subject rights to consumers.

Montana's legislative findings closely track those found in Colorado's amendment to its privacy law. Both states express concerns that each human brain is unique, so neural data is specific to the individual from whom it is collected and contains sensitive information that may link the data to an identified or identifiable individual. Both states found that while neural data may be used in medical settings that are regulated under health privacy laws, like the Health Insurance Portability and Accountability Act (HIPAA), there is a gap in regulation for products used outside the medical setting, which are considered consumer products.

"Neurotechnology" is defined as devices that can record, interpret, or alter an individual's central or peripheral nervous system response to its internal or external environment and includes "mental augmentation," which is defined as "improving human cognition and behavior through direct recording or manipulation of neural activity by neurotechnology." "Neurotechnology data" is defined as data captured by a neurotechnology—and specifically data that is generated by measuring the activity of an individual's central or peripheral nervous system—or data associated with "neural activity." Excluded from neurotechnology data is "nonneural information," meaning information about the downstream effects of neural activity, like eye dilation, motor activity, or breathing rate.

Key Requirements for Entities

The following requirements existed in the MGIPA prior to SB 163 but now apply to neurotechnology data as well.

Consent

Entities must ensure that they obtain the requisite consent based on the activities outlined below.

Type of Consent and Activity

  • Initial Express Consent: Collect, use, or disclose genetic or neurotechnology data
  • Separate Informed Express Consent: Transfer or disclose genetic or neurotechnology data to third parties for research or research conducted under the entity's control for publication or generalizable knowledge
  • Separate Express Consent:
      • Transfer or disclose genetic or neurotechnology data or biological sample to any third party (not processors)
      • Use genetic or neurotechnology data beyond primary purpose of the genetic testing product or service
      • Retain biological sample after initial testing service is complete
      • Market to consumer based on their genetic or neurotechnology data
      • Third-party marketing to a consumer based on the consumer ordering or purchasing a genetic testing product or service
      • Sale or other valuable consideration of the consumer's genetic or neurotechnology data
      • Disclose genetic or neurotechnology data to any entity offering health insurance, life insurance, long-term care insurance, or the consumer's employer

Notice to Consumers

In addition to any notices provided to obtain consent, covered entities will need to provide all individuals with two privacy policies. The first is a high-level privacy policy overview that includes basic essential information about the entity's collection, use, and disclosure of genetic or neurotechnology data. The second is a prominent publicly available privacy notice that includes information about the entity's data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices for genetic or neurotechnology data in particular.

Consumer Rights

Entities must provide consumers with a way to access and delete their neurotechnology data, revoke their consent, and request and obtain destruction of their biological sample. These requirements are waived if the entity has obtained express and informed written consent from a consumer for their participation in a clinical research trial, subject to specific requirements, or if the neural biological sample and data are only used for clinical research purposes.

Key Exceptions

SB 163 also added exceptions to the MGIPA's requirements. Deidentified genetic data obtained from third parties is now excluded, provided that it is used to conduct internal, medical, or scientific research. Similar to many state privacy laws, the data will be deemed deidentified if it cannot be reasonably linked to an identifiable individual and the entity (i) takes measures to ensure that the data cannot be associated with a particular consumer, (ii) keeps and uses the data in deidentified form and doesn't attempt reidentification, and (iii) has a contract in place that prohibits recipients from attempting to reidentify the data.

SB 163 also modified some of the existing exclusions. The MGIPA requirements generally do not apply to:

  • protected health information collected by a HIPAA-covered entity or business associate; however, covered entities and business associates must obtain separate informed consent for the collection, use, or dissemination of genetic or neurotechnology data and provide the mandated consumer rights;
  • entities that only collect, use, or analyze genetic or biometric data for scientific or clinical research with an individual's express consent, including in clinical trials, which carry their own requirements (this exclusion was narrowed from any research to only scientific or clinical research); and
  • government agency uses, which must comply with state law or be executed through a search warrant or investigative subpoena. Government access to consumer neurotechnology database search results also requires a court-issued search warrant or investigative subpoena.

Neural Data Protection in California and Colorado

While Montana, California, and Colorado now all protect neural or neurotechnology data, there are a few differences between the states' approaches. California and Colorado both amended their general consumer privacy laws to classify neural data as "sensitive personal information" and "sensitive data," respectively, while Montana's protections are housed in the MGIPA. Montana and Colorado require consumers to provide consent before the data is collected and processed, but California does not require separate consent. Instead, California consumers can ask businesses to limit the use of their sensitive data, subject to narrow exceptions. All three states offer consumers rights to access and delete their data. Montana requires separate consent before businesses can use data for different processing activities.

Other differences between the three states lie in how neural data is defined. All three start with the same essential definition: data or information generated by measuring the activity of an individual's central or peripheral nervous system. Colorado and Montana require the involvement of a device, which is not required under the California Consumer Protection Act (although given the definition, it may be implied). Montana and California explicitly exclude "non-neural" data from the protections, but only Montana defines the term to mean information about the downstream effects of neural activity, like eye dilation, motor activity, or breathing rate. Thus, it's unclear whether inferences derived from neural data are covered by California or Colorado. Most notably, Colorado is unique in that it requires that such data be used or intended to be used for identification purposes to fall under its protections.

Key Takeaways

  • HIPAA-covered entities and business associates that process neurotechnology data should check whether they have obtained separate informed consent for any collected neurotechnology data rather than assume that they are excluded.
  • Other entities that process neurotechnology data will need to provide consumers with two privacy policies and expand their existing data subject rights.
  • Entities that process neurotechnology data must ensure that they obtain separate express consent from consumers for specified activities prior to collecting or processing their data.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
