California Enacts New Laws to Protect Genetic Data
Over the course of the past several years, California has pursued an aggressive approach in adopting legislation intended to protect the privacy and security of personal information, including through the adoption of the California Consumer Privacy Act (“CCPA”) and the enhancement of certain rights provided under the CCPA that were adopted in the Consumer Privacy Rights Act (the “CPRA”). California’s governor, Gavin Newsom, added further protections for genetic data in early October by signing two bills passed by the California legislature.
The first bill, A.B. 825, expands the definition of “personal information” under Cal. Civ. Code §§ 1798.80 et seq., California’s state data breach notification laws, to include genetic data, including genetic information that results from the analysis of a biological sample of an individual or from another source enabling equivalent information to be obtained. By expanding this definition, A.B. 825 requires that businesses subject to the state’s data breach notification laws implement reasonable security measures to protect unencrypted personal information – including genetic data – and notify California residents of a breach involving such information.
S.B. 41, the second bill adopted earlier this month, enacts the Genetic Information Privacy Act (“GIPA”), which will take effect on January 1, 2022. GIPA applies to direct-to-consumer genetic testing companies (“DTC Companies”), which includes any entity that:
- Sells, markets, interprets, or otherwise offers consumer-initiated genetic testing products or services directly to consumers;
- Analyzes genetic data obtained from a consumer; or
- Collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service.
GIPA requires that DTC Companies provide clear and complete information regarding the organization’s policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data. Additionally, under GIPA, DTC Companies must:
- Obtain the express consent of the consumer for any such collection, use, maintenance, or disclosure;
- Provide methods to revoke such consent;
- Implement and maintain reasonable security procedures and practices;
- Adopt practices to enable a consumer to access their genetic data, delete the consumer’s account and genetic data, and to request that the consumer’s biological sample be destroyed; and
- Refrain from disclosing a consumer’s genetic data to any provider of health insurance, life insurance, or disability insurance, or to any employer.
Notably, healthcare providers who collect, use, or maintain consumer genetic data in the course of medical diagnosis or treatment are exempted from the new law. The California Attorney General may prosecute violations of GIPA, and DTC Companies may face civil penalties for violations.
The new laws are of particular importance as the prevalence of direct-to-consumer genetic tests increases, as does the risk that the genetic information collected from such tests is used for purposes other than those contemplated by the consumer.