Data Privacy & Security

Publications & Media

California Governor Signs the Genetic Information Privacy Act

Data Privacy & Security Meghan C. O’Connor, Sarah Erdmann

On October 6, 2021, California Governor Gavin Newsom signed into law the Genetic Information Privacy Act (GIPA). This follows Governor Newsom’s veto of an earlier version of the bill almost exactly one year ago. For more information on the earlier version of the bill and the reasons the Governor vetoed it, see our earlier updates here and here.

Under GIPA, direct-to-consumer genetic testing companies and other companies that collect, use, maintain, or disclose genetic data collected or derived from a direct-to-consumer genetic testing product or service or directly provided by a consumer are required to comply with certain privacy and data security provisions, including, for example:

  • Providing notice on the company’s policies and procedures for the collection, use, maintenance, and disclosure of genetic data
  • Obtaining informed consent from consumers regarding the collection, use, and disclosure of their genetic testing, and
  • Destroying a consumer’s genetic information within 30 days of the consumer’s revocation of consent.

GIPA exempts de-identified data from the definition of “genetic data” and also includes various exemptions including for “medical information” governed by California’s Confidentiality of Medical Information Act (CMIA), health care providers governed by CMIA, covered entities and business associates governed by the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA), scientific research and educational activities consistent with the Common Rule, to the extent the genetic information or entity is otherwise compliant with applicable law.

GIPA is effective on January 1, 2022, and companies covered under GIPA may face penalties for violations $1,000 and $10,000 plus court costs depending on whether such violation was negligent or willful. The law will be enforced by the California Attorney General, a district attorney, a city counsel authorized by a district attorney, or a qualified city attorney.

For more information regarding the Genetic Information Privacy Act, how it may affect your business, implementing a compliant data privacy and security program, or de-identifying data, contact your Quarles & Brady attorney or:

Payment Portal

You are leaving the Quarles & Brady website and being directed to the bill presentment and paying service offered by a third party provider. If you do not wish to continue to the site, click Close or use the Back button on your web browser to return the Quarles & Brady website.