On August 31, 2020, the California Senate joined the Assembly in passing SB-980, as amended, a bill to establish the Genetic Information Privacy Act (the “Act”), which would require direct-to-consumer genetic testing companies to comply with certain privacy and data security provisions, including providing consumers with prescribed notice; obtaining consumers’ express consent regarding the collection, use and disclosure of genetic data; and enabling consumers to access and delete their genetic data. The bill is pending California Governor Gavin Newsom’s signature.
If enacted, the Act would require direct-to-consumer genetic testing companies, i.e., those that sell, market, interpret or otherwise offer consumer-initiated genetic testing products or services directly to consumers, or analyze (except by licensed providers diagnosing or treating a medical condition) genetic data obtained from consumers, to comply with certain privacy and data security provisions, including:
- Providing notice, as prescribed in the Act, regarding the company’s policies and procedures for the collection, use, maintenance and disclosure of genetic data;
- Obtaining a consumer’s express consent for the collection, use and disclosure of the consumer’s genetic data, including separate express consent for each of a number of defined activities, e.g., the transfer of genetic data to a third party (other than a service provider or exempted non-profit education institution for scientific research purposes) and the marketing or facilitation of marketing to a consumer based on the consumer’s genetic data;
- Providing effective mechanisms for a consumer to revoke consent after it is given;
- Honoring a consumer’s revocation of consent in accordance with federal regulations on the protection of human subjects and by destroying a consumer’s biological sample within 30 days of the revocation of consent to store the sample;
- Implementing and maintaining reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification or disclosure;
- Developing procedures and practices to enable a consumer to access the consumer’s genetic data, delete the consumer’s account and genetic data (except as required to comply with applicable law) and have the consumer’s biological sample destroyed;
- Not discriminating against a consumer for exercising relevant rights; and
- Not disclosing, subject to specified exceptions, a consumer’s genetic data to certain entities (e.g., those responsible for making decisions regarding health insurance, life insurance or employment).
Violations of the Act are subject to civil penalties. The Act exempts from its application certain information and entities, including medical information governed by the California Confidentiality of Medical Information Act as well as protected health information that is collected, maintained, used or disclosed by a covered entity or business associate governed by privacy, security and breach notification rules issued by the U.S. Department of Health and Human Services pursuant to HIPAA and the HITECH Act. The Act also excludes from the definition of genetic data, “deidentified data,” as defined in the Act.