A bill (SB-980) that establishes the Genetic Information Privacy Act has been passed by the California Senate and now awaits California Governor Gavin Newsom’s signature.
The Genetic Information Privacy Act will introduce new requirements for companies offering direct-to-consumer genetic tests to protect consumer privacy and safeguard personal and genetic data.
Currently, direct-to-consumer genetic testing services are largely unregulated. There is concern that the practices of companies that offer these services could potentially expose sensitive genetic information and that outside parties could exploit genetic data for questionable purposes, such as mass surveillance, tracking individuals without authorization, or disclosing genetic data in ways that result in discrimination against certain individuals. In contrast to many elements of “protected health information”, genomic data is stable and undergoes little change over the lifetime of an individual, so any disclosures of genetic data could have life-long consequences for the individual concerned.
The Genetic Information Privacy Act will apply to any company that sells, markets, interprets, or otherwise offers genetic testing services that are initiated directly by consumers. The Act will not apply to licensed providers who are diagnosing or treating a medical condition.
The Act has several privacy and data security provisions. All consumers must be provided with notice about the company’s policies and procedures with respect to the collection, use, maintenance, and disclosure of personally identifiable genetic data.
Express consent must be obtained from consumers prior to the collection, use, or disclosure of a consumer’s genetic data, and separate express consent must be obtained for certain defined activities, such as any transfer of genetic data to a third party and marketing based on a consumer’s genetic data. If a consumer chooses to revoke their consent at any point, any biological samples provided must be destroyed within 30 days of the revocation being received.
Any entity required to comply with the Genetic Information Privacy Act must implement reasonable security safeguards, procedures, and practices to ensure that a consumer’s genetic data is protected against unauthorized access, use, modification, disclosure, and destruction.
Policies and procedures must be developed and implemented to enable a consumer to access their genetic data, have their account and genetic data deleted, and have their sample destroyed. Disclosures of genetic data to certain entities, including those that offer health and life insurance and employers, are not permitted, subject to specified exemptions. Companies are also prohibited from discriminating against a consumer for exercising the rights given to them by the Genetic Information Privacy Act.
Any medical information governed by the California Confidentiality of Medical Information Act is exempted, as is any protected health information collected, maintained, used, or disclosed by HIPAA-covered entities or their business associates, pursuant to HIPAA and the HITECH Act.
Any entity covered by the Genetic Information Privacy Act found to have violated any of its provisions will be subject to civil monetary penalties.