California Passes Bill Establishing Genetic Information Privacy Act
Data Privacy & Security and Health & Life Sciences Alert 09/21/20 Gregory J. Leighton, Meghan C. O'Connor, Bari L. Nathan
9/29/20 Update: California Governor Gavin Newsom vetoed the Genetic Information Privacy Act on 9/25 and recommended further legislative action to avoid unintended consequences that could interfere with laboratories’ mandatory requirement to report COVID-19 test outcomes to local public health departments. More on the veto is available here.
On September 1, 2020, the California state legislature passed Senate Bill (SB) 980 to establish the Genetic Information Privacy Act. SB 980 is currently awaiting signature by Governor Gavin Newsom. Once approved by the Governor, SB 980 will create a new privacy and security regulatory scheme for direct-to-consumer genetic testing companies.
If enacted, the Genetic Information Privacy Act requires direct-to-consumer genetic testing companies, i.e., those that sell, market, interpret, or otherwise offer consumer-initiated genetic testing products or services directly to consumers, or analyze (except licensed providers diagnosing or treating a medical condition) genetic data obtained from consumers, to: comply with certain privacy and data security provisions, including providing consumers with notice; obtain consumers’ express consent regarding the collection, use, and disclosure of genetic data; and enable consumers to access and delete their genetic data.
The Act exempts de-identified data from the definition of “genetic data.” However, de-identification under the Genetic Information Privacy Act requires more than de-identification under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Specifically, direct-to-consumer genetic testing companies or any other company that collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service or directly provided by a consumer would be required to:
- Provide notice regarding the company’s policies and procedures regarding the collection, use, maintenance, and disclosure of genetic data;
- Obtain a consumer’s express consent for the collection, use, and disclosure of the consumer’s genetic data, including separate express consent for each of a number of defined activities, such as the transfer of genetic data to a third party and the marketing to a consumer based on the consumer’s genetic data;
- Provide effective mechanisms for a consumer to revoke consent after it is given;
- Honor a consumer’s revocation of consent and destroy a consumer’s biological sample within 30 days of the revocation of consent to store the sample;
- Implement and maintain reasonable security procedures and practices to protect consumers’ genetic data against unauthorized access, destruction, use, modification, or disclosure;
- Develop practices and procedures to enable a consumer to access the consumer’s genetic data, delete the consumer’s account and genetic data (except as required to comply with applicable law) and have the consumer’s biological sample destroyed;
- Not discriminate against a consumer for exercising his or her rights under the Act; and
- Not disclose, subject to certain exceptions, a consumer’s genetic data to certain entities (e.g., those responsible for making decisions regarding health insurance, life insurance, or employment).
Violations of the Genetic Information Privacy Act may result in civil penalties up to $10,000 plus court costs.
Exemptions exist for “medical information” governed by California’s Confidentiality of Medical Information Act (CMIA), health care providers governed by CMIA, covered entities and business associates governed by HIPAA, scientific research, and educational activities consistent with the Common Rule, to the extent the genetic information or entity is otherwise compliant with applicable law. However, for those direct-to-consumer genetic testing companies that are otherwise exempt from common health information regulatory schemes, the Act outlines a new privacy and security regulatory scheme with action steps required for compliance by January 1, 2021.
The Act will require development of a data privacy and security program. Businesses subject to SB 980 must take steps to meet compliance obligations, including: update website privacy policies to include specific notice required under the Genetic Information Privacy Act; review and update consent and opt-in processes and documents to conform to new requirements; and develop, review, and/or update internal data privacy and security policies and procedures addressing collection, use, maintenance, and disclosure of genetic data.
For more information regarding Genetic Information Privacy Act, how it may affect your business, implementing a compliant data privacy and security program, or de-identifying data, contact your Quarles & Brady attorney or: