A MoFo Privacy Minute: Neural Data Added to Montana’s Genetic Information Privacy Act

Morrison & Foerster LLP

Question: How does Montana’s amendment to its Genetic Information Privacy Act (“GIPA”) regulate neurotechnology data, and what obligations might my business face compared to the amendments that were passed in Colorado and California?

Answer: Montana is now the third state to adopt an amendment regulating neural data—or, as defined in Montana’s law, “neurotechnology data.” SB163 amends GIPA and goes into effect on October 1, 2025. Unlike the amendments in Colorado and California, Montana’s addition affects the state’s genetic privacy statute instead of a more general consumer privacy law. (For background on the other states’ approaches, read our “MoFo Privacy Minute” on California’s amendment and Colorado’s amendment.)

Originally enacted in 2023, GIPA was designed to safeguard the privacy and security of genetic data, such as raw DNA sequencing. Montana’s decision to expand GIPA to include neurotechnology data is a notable departure from Colorado’s and California’s approaches and the approaches taken in other proposed laws. (For more information on proposed neural privacy laws, read our “MoFo Privacy Minute” on bills introduced earlier this year.)

Notably, Montana’s amendment includes:

  • No Expansion of Regulated Entities. While SB163 expands GIPA to include “neurotechnology data,” it does not broaden the scope of who is regulated under the law. GIPA continues to apply only to entities that directly offer genetic testing products or services to consumers or entities that collect, use, or analyze genetic data. The Montana legislature could have taken the opportunity to revise the definition of “entity” to include a wider range of organizations, such as manufacturers of neurotechnology devices or companies that collect or process neurotechnology data, but it did not. As a result, the amendment creates a narrow outcome: a very specific set of entities that are already subject to GIPA now face new regulatory obligations for neurotechnology data, while many other companies handling similar data remain outside the law’s scope. The legislature’s intent is difficult to discern based on the bill’s limited published legislative history. In contrast to Montana’s narrow approach, general consumer privacy laws in Colorado and California apply more broadly, setting thresholds for covered entities based on factors such as annual gross revenue; the buying, selling, or sharing of personal information for a specified number of consumers; and/or the percentage of revenue derived from selling or sharing consumers’ personal information.
  • A Broader Definition of Neurotechnology Data. The Montana law covers additional types of data, including data from a greater variety of technological sources, than what is covered in Colorado or California. For example, GIPA encompasses “information that is captured by neurotechnologies” and “data associated with neural activity,” in addition to information generated by measuring the activity of an individual’s central or peripheral nervous system. As a result, more integrations of neural data may be included in the Montana definition depending on the neurotechnology or neural activity in question. For instance, Montana may include passive electroencephalography (“EEG”) monitoring as “neurotechnology data” even if no further processing or assessment of the data occurs.
  • A Specific Definition of Neurotechnology. Unlike Colorado and California, Montana places parameters on technologies that capture neural data and defines “neurotechnology” as “devices capable of recording, interpreting, or altering the response of an individual’s central or peripheral nervous system to its internal or external environment and includes mental augmentation.” Examples of devices that fall under this definition include deep brain stimulators, brain-computer interface implants, and EEG headsets.
  • A Specific Definition of Nonneural Information (which is excluded from the data covered by GIPA). California first referenced “nonneural information” in its definition of neural data as excluding information inferred from nonneural information. However, California did not define the term “nonneural information.” Montana’s law similarly excludes nonneural information, but avoids this ambiguity by defining “nonneural information” as “information about the downstream physical effects of neural activity,” such as “pupil dilation, motor activity, and breathing rate.” For example, if an individual wears an EEG headset during a memory test, electrical signals generated in response to stimuli would be considered “neurotechnology data,” but a physiological response, such as sweating, would be classified as nonneural information and would not be covered by the amendments to GIPA.
  • Data Localization Requirements. Unlike Colorado and California—whose general consumer privacy laws require “appropriate technical and organizational measures” and “reasonable security procedures and practices,” respectively—Montana imposes specific data localization requirements. If neurotechnology data collected from a Montana resident is stored or transferred outside the United States, the individual must provide consent, and GIPA explicitly prohibits neurotechnology data collected from Montana residents within the state from being stored in any country sanctioned by the U.S. Office of Foreign Assets Control or designated as a “foreign adversary” under 15 CFR § 7.4(a).
  • Limited Entity and Data Exemptions. Montana’s law includes four exemptions, but only two explicitly apply to neurotechnology data. First, GIPA does not apply to neurotechnology data that qualifies as protected health information if it is collected by a HIPAA-covered entity or business associate, under the following conditions: (1) the individual provides separate informed consent for the collection, use, and dissemination of the data; and (2) the individual has the ability to access, delete, and revoke any prior consent regarding their neurotechnology data. Second, GIPA exempts the use of neurotechnology data by governmental agencies, but only if the data is collected, stored, used, or disseminated in accordance with a specific state law or executed through a legal process (e.g., an investigative subpoena). The remaining two exemptions apply only to genetic data, not neurotechnology data. They include: (1) an exemption for entities that collect, use, or analyze genetic data as part of scientific or clinical research, provided that the activity complies with applicable federal standards; and (2) an exemption introduced by the amendment for the use of deidentified genetic data obtained from a third party if it is used for internal, medical, or scientific research purposes, subject to the deidentified data meeting certain other enumerated requirements.

In addition to these provisions, GIPA—like other privacy laws—imposes specific notice and consent requirements. Entities regulated under the law must:

  • Provide a clear privacy policy detailing how neurotechnology data is collected, used, or disclosed;
  • Provide a publicly accessible privacy notice that includes information on the collection, use, and disclosure of neurotechnology data, as well as instructions on how consumers can exercise their rights over such data;
  • Obtain express consent from consumers before collecting, using, or disclosing neurotechnology data;
  • Obtain express consent from consumers for transferring or disclosing neurotechnology data to any third party that is not one of the entity’s data processors;
  • Obtain express consent from consumers if neurotechnology data is intended for use beyond the primary purpose of the entity’s genetic testing product or service and “inherent contextual uses”; and
  • Obtain express consent from consumers before engaging in marketing or selling information derived from an individual’s neurotechnology data.

Montana’s approach potentially signals a shift toward integrating neural data protections within existing biological data laws. Beyond GIPA, many other states—including Arizona, Nebraska, and Utah—have already enacted genetic privacy laws. Businesses should closely monitor new developments and prepare for a patchwork of neural privacy obligations, varying in restrictions and scope.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Morrison & Foerster LLP
