Direct-to-Consumer Genetic Testing Privacy Laws: California Joins the Party


On October 6, 2021, California's governor signed the Genetic Information Privacy Act (the "Act"), adding the state to the growing number enacting laws that require direct-to-consumer genetic testing companies to protect the privacy and security of their customers' genetic data.

Applicability 

The law generally applies to any company that does any of the following:

  • Sells, markets, interprets, or offers genetic testing products or services directly to a California resident;

  • Analyzes genetic data obtained from a California resident; or

  • Collects, uses, maintains, or discloses genetic data that was collected or derived from a direct-to-consumer genetic testing product or service offered to a California resident, or that was provided directly by a California resident.

Under the Act, genetic data is broadly defined as any data that results from the analysis of a biological sample from a California resident, or from another element enabling equivalent information to be obtained, and that concerns genetic material. Genetic material includes, but is not limited to, DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, SNPs, uninterpreted data that results from the analysis of the biological sample, and any information extrapolated, derived, or inferred therefrom. Genetic data does not include de-identified data or data that is processed exclusively for scientific research conducted by an investigator who complies with certain HHS requirements for the protection of human subjects in research.

The Act does not apply to: medical information protected by, and health care providers governed by, California's Confidentiality of Medical Information Act; a covered entity or business associate governed by HIPAA; scientific research and education activities conducted by a public or non-profit post-secondary educational institution that complies with certain HHS requirements for the protection of human subjects in research; or genetic data processed by an employer to the extent the processing is necessary to comply with workplace health and safety laws.

Requirements 

Direct-to-consumer genetic testing companies to which the Act applies must comply with the following requirements: 

Notice: Provide California residents with clear and complete information about the company's privacy policies and procedures for genetic data, including: a summary of its privacy practices; a prominent and easily accessible privacy notice that includes, at a minimum, complete information about the company's data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices; and information that clearly describes how to file a complaint alleging a violation of the Act. The notice must also state that the California resident's de-identified genetic or phenotypic information may be shared with or disclosed to third parties for research purposes in accordance with the Common Rule.

Consent for Non-Marketing Collection, Use, and Disclosure: Obtain express consent for the collection, use, and disclosure of the California resident's genetic data. Separate express consent is required for each of the following activities:

  • Use of the genetic data collected through the genetic testing product or service offered to the California resident, including notice about who has access to the genetic data, how it may be shared, and the specific purposes for which it will be collected, used, and disclosed;

  • Storage of a biological sample after the initial testing has been fulfilled;

  • Each use of genetic data beyond the primary purpose of the testing or service and its inherent contextual uses; and

  • Transfer of genetic data to a third party (other than a service provider).

Consent for Marketing: Obtain separate express consent for marketing to a California resident based on that resident's genetic data. Consent is not required for marketing conducted on the company's own website or mobile application that is based on the resident having ordered, purchased, received, or used a genetic testing product or service from that company, provided the marketing is not based on information specific to that resident. In addition, if a company conducts any marketing permitted by the Act, the advertisement must be prominently labeled as advertising and must include the name of any third party that contributed to the advertisement's placement.

Revocation of Consent: Whether for marketing or non-marketing activities, companies relying on consent must provide a mechanism for a California resident to revoke consent after it is given, and must honor the revocation within 30 days of receiving the request.

Data Security: Implement and maintain reasonable security procedures and practices to protect a California resident's genetic data against unauthorized access, destruction, use, modification, or disclosure.

Individual Rights: Implement procedures that enable California residents to easily: access their own genetic data; delete their account and genetic data (unless the genetic data must be retained to comply with legal or regulatory requirements); and have their biological sample destroyed. Companies are prohibited from discriminating against California residents for exercising any of these rights.

Enforcement 

Violations of the Act are subject to civil penalties of up to $1,000 for a negligent violation and up to $10,000 for a willful violation. There is no private right of action, but any penalty recovered is paid to the individual whose genetic data is at issue.

Other State Genetic Testing Privacy Laws Enacted in 2021

Earlier this year, Utah enacted its own Genetic Information Privacy Act, which became effective May 5, 2021, and Arizona enacted HB 2069, which became effective September 29, 2021. Both laws share many of California's requirements for direct-to-consumer genetic testing companies related to notice, consent, data security, and individual rights.

Sheila Sokolowski is a partner at Hintze Law PLLC and chairs the firm's Health and Biotech Privacy Group.