The Montana Legislature’s contentious decision to ban social media platform TikTok in the name of protecting residents’ digital privacy, now the subject of a high-profile court challenge, has drawn national headlines for months.
By the time all is said and done, however, two lower-profile laws that advanced through the Legislature with relatively little fanfare and near-unanimous support may have a far greater impact on Montanans’ ability to know — and control — how their personal data is being used by for-profit entities.
The first of those laws, Senate Bill 351, enacts strict protections for genetic data collected from Montana consumers, including the results of analyses by 23andMe-style genetic testing companies. Sponsored by Sen. Daniel Zolnikov, R-Billings, it passed the Legislature with bipartisan support this spring and was signed into law by Gov. Greg Gianforte on June 7. Most of its provisions took effect Oct. 1.
The other, Senate Bill 384, will provide Montanans with broad digital privacy protections, including specific rights to access their personal data, correct inaccurate information and have data held by businesses deleted upon request. It also guarantees consumers the option to opt out of targeted advertising and to block companies from selling their information.
Also sponsored by Zolnikov, the digital privacy bill passed the Legislature with unanimous support and was signed by the governor on May 19. Most of the bill’s provisions, however, don’t take effect until Oct. 1 of next year to give companies time to comply with the new rules.
Supporters say both laws will bring Montana into the ranks of states taking action to protect their residents’ privacy in the absence of federal action.
“We should be in charge of our information, and we should be able to decide who we share it with and who they share it with. And that’s it,” Zolnikov said in an interview.
“They’re great bills, and I was really happy to support them,” said Rep. Katie Sullivan, a Missoula Democrat who worked with Zolnikov on both measures.
“Privacy abuses are common in the marketplace, and people don’t feel like they have control over where their data goes,” said Matt Schwartz, a policy analyst with Consumer Reports who was involved with the development of SB 384.
Companies and some lawmakers have worried about state-by-state privacy legislation producing a patchwork of mandates that could tie Internet companies into regulatory knots as they face an array of different rules in different places. Schwartz said, however, that the passage of California’s 2018 Consumer Privacy Act set a precedent that has spurred action by other states.
“That, coupled with the inability of Congress to get a comprehensive bill over the finish line, has spurred states to fill the void,” Schwartz said.
Among other provisions, the new genetic privacy law requires companies that handle genetic data to provide consumers with “clear and complete” information about how their data is being used. It requires them to obtain “express consent” when data is used for purposes beyond the company’s primary service or transferred to third parties, including when that transfer is done for research purposes. It also requires express consent for selling or trading the data and bans companies from storing consumers’ genetic data abroad in countries designated by the U.S. as foreign adversaries, such as Russia and China.
Additionally, the law requires companies to allow consumers to access their data, request its deletion and revoke any previously granted consent. It also guarantees consumers the right to have any biological samples in a company’s possession destroyed and explicitly forbids the disclosure of genetic data to employers or insurance companies without express consent.
Zolnikov and Sullivan described the bill as a forward-looking effort to prevent the sorts of genetic data abuses routinely detailed in dystopian science fiction. For example, they said, they’re hoping to avoid situations where a Montanan takes a casual ancestry DNA test that reveals a cancer risk that, when the data makes its way to the customer’s health insurance provider, results in the company canceling their insurance.
The law has drawn opposition from biotech companies that made an unsuccessful effort to lobby Gov. Greg Gianforte for a veto and continue to push lawmakers for revisions when the Legislature meets again in 2025. They take particular issue with a portion of the law that requires new consent each time a consumer’s data is transferred to a new entity for research purposes.
Those companies maintain the law prevents them from conducting research with data that, in theory, isn’t traceable back to specific individuals because they believe it requires them to go back and obtain new consent from the people who are represented in those datasets. They’ve also argued the law doesn’t provide an exception for hospitals, universities and other entities that are already regulated under the federal Health Insurance Portability and Accountability Act, commonly known as HIPAA.
Representatives from GSK, a United-Kingdom-based international pharmaceutical company that has a manufacturing facility in Hamilton, told lawmakers at an interim committee meeting last month that the genetic privacy law could require them to reverse-engineer the identities of people in de-identified datasets in order to contact them for consent on a project-by-project basis.
“I don’t know how we could comply with the law as written today,” said Susan Griffing, GSK’s global head of monitoring and site engagement. “I am very concerned this would limit our ability to run clinical trials in Montana.”
Zolnikov said this week that he wanted the law to apply to hospitals to ensure DNA from routine lab tests isn’t shared for research purposes without a patient’s knowledge. He also said he doesn’t have sympathy for pharmaceutical companies that are trying to conduct research with genetic data coming from people who may not know how their DNA is being used.
“They have your information without your consent,” he said, adding he’s fine if companies have their research stymied because they’re forced to delete the data. “I’m sorry, but they should have done a better job.”
The broader digital privacy bill, SB 384, offers Montana consumers similar protections for data produced as they browse the web. With the access, correction, deletion and opt-out provisions it aims to give consumers more control over how that data is used.
It also allows consumers to designate a third-party service to act as a privacy advocate on their behalf and includes a “universal opt-out” provision that, when it takes effect in 2025, will, in theory, let Montanans opt out of data collection with a single action like enabling a “do not track” web browser setting, rather than having to opt out of data collection website by website.
That universal opt-out provision is important, Schwartz said, because even if consumers technically have the ability to opt out of data collection, it can be impractical to comb through the privacy settings on every individual website they use.
“Otherwise, it’s very difficult for consumers to actually take advantage of their right to opt out,” he said.
The digital privacy law applies to companies that conduct business in Montana and control personal data from at least 50,000 consumers — or at least 25,000 consumers if a quarter or more of their revenue comes from selling personal data. It exempts government entities, nonprofits, universities and financial and health institutions regulated under other laws.
Zolnikov said some of the law’s key provisions are modeled on Connecticut’s digital privacy law, which passed last year. That decision, Zolnikov said, bucked industry lobbyists who had encouraged him to look for inspiration not to an East Coast blue state that tends to enact stronger consumer protections but rather to other GOP-controlled states that had passed comparatively light-touch measures.
“The Republican state bills were weak — they didn’t give the consumer the full set of protections,” Zolnikov said. “I don’t see that as a political issue.”
One challenge for lawmakers working on digital privacy measures is that, given the highly technical nature of the industry, it’s often difficult to write laws that protect consumers without creating a situation where companies can’t comply with the rules. As a result, lawmakers must often rely on industry lobbyists to tell them how far companies can reasonably bend, a dynamic that gives businesses leverage to push for watered-down regulations.
For example, Zolnikov said, his digital privacy bill originally omitted the universal opt-out requirement because he’d been told by a lobbyist that the provision wasn’t technically feasible. Then, he said, someone sent him a link to a legislative hearing in Maryland, where the same lobbyist was encouraging lawmakers to pass a bill similar to Connecticut’s, which includes the requirement.
Zolnikov said that, in a fit of rage, he then convinced his peers to amend the provision into Montana’s bill late in this year’s legislative session.
“I’m not here to mandate something that’s impossible,” Zolnikov said. “I was just being bamboozled into being a little bit overly sensitive.”
Both of the Zolnikov privacy bills defer enforcement action to the Montana attorney general instead of giving individual consumers the ability to bring lawsuits against companies themselves by providing for what’s known as a private right of action.
Zolnikov and Sullivan said that’s a practical concession to the politics, helping the bills avoid opposition from businesses and business-sympathetic lawmakers who worry about swamping the court system.
“I’ve tried to pass private-right-of-action bills and they never go through,” said Sullivan, the Democratic lawmaker. “They are just squashed right away because there’s a legitimate concern from businesses that they’ll have to deal with thousands and thousands of small lawsuits all the time.”
For third-party privacy activists like Schwartz, though, leaving privacy law enforcement to the attorney general is a major weakness in Montana’s new laws.
“In our view, consumers should be able to take companies to court when they aren’t honoring the rights that they have to under this bill,” Schwartz said. “It’s all going to come out to, under this framework, how aggressive is the AG going to be?”
Asked whether the attorney general’s office intends any immediate enforcement action under the genetic privacy law, a spokesperson for Knudsen said in late September that the office intends to enforce the law primarily in response to consumer complaints, or in situations where it becomes aware of violations as a result of already required data breach notifications.
In the meantime, Knudsen’s office has the TikTok bill to defend in court, where it’s facing a federal lawsuit brought by the company and a group of users.
Those plaintiffs argue that the ban tramples on free speech rights and also oversteps by injecting state government into a national security issue. The suit has also drawn a slew of third-party briefs, including opposition to the law from the American Civil Liberties Union, press freedom groups and tech industry groups and support for it from conservative groups and 18 Republican attorneys general from other states. An initial hearing is scheduled for Oct. 12.
The TikTok bill, the first of its kind in the nation, was championed by Knudsen as an effort to protect Montanans from the service, which, as a Chinese-owned platform with a history of data breaches, has been widely discussed as a national security threat.
As the ban was debated in the Legislature this year as Senate Bill 419, supporters resisted pushes from Democrats and Gianforte, a Republican, to amend it to apply more generally to all social media companies that potentially share sensitive data with foreign adversaries.
An amendment Sullivan proposed to expand the bill’s scope beyond TikTok was narrowly defeated on the House floor on a 48-51 vote on April 13. Gianforte’s office later floated a near-identical revision, suggesting it would make the bill easier to defend in court, but was rebuffed by Knudsen.
The bill ultimately passed with support from most Republicans and opposition from most Democrats, before being signed by Gianforte in May. If the law survives the pending court challenge, TikTok will be banned from offering its service to Montana users starting Jan. 1.
Sullivan, an attorney, said she considers the TikTok bill a missed opportunity, adding that lawmakers could have instead adopted a comprehensive measure focused on social media companies. Instead, she said, she believes the Legislature targeted a single company in a way that probably violates First Amendment protections for freedom of speech.
“The TikTok bill was kind of a grandstanding moment, and it will probably get struck down,” Sullivan said.
Zolnikov, who voted with his party on the ban, acknowledged it takes a very different approach to data privacy than the bills he championed, focusing on a specific, high-profile concern rather than developing wonkier, systematic law.
“It’s not a huge-hitting item right now,” Zolnikov said. “No one is trying to call me to be on Fox News because I said to big pharma, ‘You need consent to collect DNA.’”