Montana Neural Privacy and Expanded Child Protections Take Effect
Montana became the third state to regulate neural data as an amendment to the state’s genetic privacy law took effect Wednesday, adding to a trend of states overseeing the neurotechnology space (see 2508180034). On the same day, amendments to Montana’s comprehensive privacy law took effect, expanding its scope and introducing more protections for children.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Compared to Colorado and California, whose neural data laws are already in effect (see 2508120003), Montana has a different “approach to how they want to contextualize and ring-fence neural data and what they're trying to capture,” said Linda Clark, a Morrison Foerster privacy lawyer. Montana amended its Genetic Information Privacy Act (GIPA) to include neurotechnology and neurotechnology data.
Clark noted Montana emphasized the concept of "the data and the technology" behind it. "That really reveals what they're thinking about,” Clark said, adding, "We're not talking just about data. We're also talking about [the] technology."
For example, Montana is "very specific" about "obligations associated with the processing of neurotechnology data,” such as having a privacy policy, a public privacy notice, express consent, a comprehensive information security program and consumer rights, added Clark.
Especially important with neurotechnology is consent, Clark said, because typically it's predicated on "the individual understanding what the data is so they can consent on an informed basis.” But "how do you get consent when … it's hard to understand what neural data looks like and what it can reveal about a person?"
This difficulty suggests companies emphasize the basics of transparency, Clark said, and using data for expected purposes only and considering real risks to individuals.
Clark additionally highlighted GIPA's prohibition on storing neural technology data [within] "the boundaries of a foreign adversary.”
Expanding the Comprehensive Law
Montana also amended its Consumer Data Privacy Act, just one year after its effective date.
“It's interesting to see another state continuing to tinker,” said privacy lawyer Josh Hansen of Shook Hardy, who noted states didn't "pass new comprehensive privacy laws," this year but several, including Montana, "went back to the drawing board to expand privacy protections.”
He added, "That's a sign that this is really [a] space where … in terms of compliance, you can't just set it and forget it.” Companies should know "legislatures may be making changes [yearly] that have significant impacts on compliance obligations.”
However, Hansen notes that states sometimes amend laws based on what's been done elsewhere. For example, none of what Montana’s law adds has not already been done by at least one state, so “it's nice for companies, from a compliance perspective, to see more harmonization across the board.”
In addition, Hansen said, legislators update legislation not necessarily because they "believed their law was failing so much as there was room for improvement.”
For instance, GIPA's updates cover more businesses and add regulations for children’s data (see 2505120005). “There's nothing more impactful to companies than, all of a sudden, you're back in scope of a law that you might have written off, and you completely miss all these new compliance obligations because you thought, ‘We are not subject to Montana's law,’” Hansen said.
The children’s privacy provisions included in the amended bill seem influenced by the Colorado and Connecticut model, he said, while lowering the threshold of applicability is consistent with the lower triggers seen across states in more recent years.
“You have to be aware, if you're processing minors’ data, there are a lot more obligations and considerations now in Montana,” Hansen said. These include “increased obligations for data protection assessments, a duty to use reasonable care to avoid heightened risks of harm [and] more requirements to obtain consent for some of your processing.”
Though the amendment deletes the cure period, regulators are “not trying to punish companies,” Hansen said. “They want this to be a collaborative process, and they know there's a lot of uncertainty in these laws.”
Company websites likely are violating GIPA, “but we don't see regulators targeting ticky-tack violations,” he said. Instead, there are cure notices and regulators reaching out to companies, but few lawsuits or settlements. "I think that's indicative of this collaborative approach. The goal here is to increase privacy protections,” so Montana will focus on "bad-faith actors.”
Another thing Montana did in its revision, following the lead of Connecticut, was get rid of entity-level exemptions for the Gramm-Leach-Bliley Act, since they “could be very broad,” Hansen said. A data-level exemption for GLBA remains, however.
Why Update?
Updates to laws and coverage expansion are trending because “a lot of legislatures [are] realizing there's more appetite for privacy,” Hansen said. "It's a nonpartisan -- or maybe even bipartisan -- issue because there are strong privacy advocates across the political spectrum and these bills are often passing overwhelmingly in red, blue and purple states.”
Much has happened since California and European privacy laws came on the scene about seven years ago, so it's "not surprising" to see legislators "tinker" with laws based on technological change and “what works, what doesn't work," and "what [they] can draw from other states.”
Neural data is a hot topic for states lately, “because it can feel scary, it can feel really high risk," said Clark. “It's meeting at this inflection point where you have new technology and data that … is often very sensitive and can be used in ways that impact real people, for good or bad."
Some neural data laws are “shedding light on the fact that this technology exists, and this data is being gathered,” while other “laws are really helping move the regulatory framework forward,” said Clark. Even though some proposed laws won’t pass, the act of bringing them up for people to consider has an effect, she said. “In addition, the use of tools that gather this data is only growing, and it's affecting key populations that people, including regulators, care about, such as children and vulnerable adults."
There's also a public education aspect to Montana's amendments. For example, another update in Montana's law requires the attorney general “to publish information" online and create an online complaint form, Hansen notes.
In any “area where legislators can get along, and there's a strong public interest ... there's an enticement" to improve laws, Hansen said. The public is "interested” in privacy and "people want those protections.”