California’s Genetic Information Privacy Act (“GIPA”), which came into effect on January 1, 2022, imposes obligations on direct-to-consumer (“DTC”) genetic testing companies and others that collect and process genetic information. These new obligations, combined with the many differing obligations in other states, may require all organizations processing genetic information to reevaluate their genetic information policies and practices.
California’s Genetic Information Privacy Act
GIPA requires express consent for certain uses and disclosures of an individual’s genetic information. The law applies to DTC genetic testing companies and requires those companies to provide disclosures in their notices and to obtain consumers’ express consent regarding the collection, use, and disclosure of genetic data. GIPA imposes civil penalties on DTC testing companies that fail to comply with the law.
The law also grants consumers specified rights over their genetic information and prohibits discriminating against consumers if they exercise any of those rights (e.g., denying goods, services or benefits, or charging different rates or prices). These new rights provide consumers the ability (1) to access their genetic data, (2) to have their account and genetic data deleted (except for genetic data that is required to be retained by the company to comply with applicable legal and regulatory requirements), and (3) to have their biological sample destroyed.
Key obligations for DTC genetic testing companies under GIPA include:
- Notice. Companies must provide clear notice and disclosures with respect to the company’s collection, use, maintenance, and disclosure of consumer genetic information, including notice that de-identified genetic or phenotypic information may be shared with or disclosed to third parties for research.
- Consent. Companies must obtain separate and express consent from consumers for each use of genetic data, storage, and each transfer or disclosure of genetic data to a third party other than to a service provider, including naming the third party.
- Revocation. Companies are required to implement mechanisms (without any unnecessary steps) for consumers to revoke any express consent, honor such revocation within 30 days after the consumer revokes consent, and destroy the consumer’s biological sample within 30 days of such revocation.
- Security. Companies are required to implement security mechanisms to prevent unauthorized access to consumer genetic information.
- Individual Rights. Companies must implement mechanisms to grant consumers certain rights to their genetic information, such as access and deletion rights.
- Marketing. Companies must obtain separate and express consent from consumers before marketing to consumers, or facilitating marketing to consumers, based on the consumer’s genetic data or on the consumer having ordered, purchased, received, or used a genetic testing product or service.
Exemption for de-identified data
GIPA exempts de-identified data and, in doing so, creates its own de-identification standard. Under GIPA, de-identified data means data that cannot be used to infer information about, or otherwise be linked to, a particular individual. To meet this standard, DTC genetic testing companies must:
- take reasonable measures to ensure that the information cannot be associated with a consumer or household;
- publicly commit to maintain and use the information only in de-identified form and not to attempt to reidentify the information, except that the DTC genetic testing company may attempt to reidentify the information solely for the purpose of determining whether its de-identification processes satisfy the requirements of the law, subject to some limitations; and
- contractually obligate any recipients of the information to take reasonable measures to ensure that the information cannot be associated with a consumer or household and to commit to maintaining and using the information only in de-identified form and not to reidentify the information.
The law also exempts specific types of data. For example, exempted from the law are medical information governed by the Confidentiality of Medical Information Act (“CMIA”) and Protected Health Information (“PHI”) processed by HIPAA covered entities and business associates. Entities exempted from GIPA include providers of health care governed by the CMIA and covered entities and business associates who handle genetic information in the same manner as they handle PHI.
The law also includes an exception for research, which is likely to prove quite narrow. Exempted from the law are scientific research or educational activities conducted by public or private nonprofit postsecondary educational institutions that have an HHS assurance pursuant to HHS regulations for the protection of human subjects in research. Additionally, to be exempted from GIPA, such scientific research or educational activities conducted by public or private nonprofit postsecondary educational institutions must comply with all applicable federal and state laws and regulations for the protection of human subjects in research, including the Common Rule, FDA regulations, the federal Family Educational Rights and Privacy Act, and the Protection of Human Subjects in Medical Experimentation Act. The research exemption here is confined to activities conducted by public or private nonprofit postsecondary educational institutions and does not apply broadly to DTC genetic testing companies.
Expected Challenges for DTC Companies
Several obligations under the law may make compliance particularly burdensome for DTC genetic testing companies. For example, the requirement to obtain separate consents from consumers for each use of genetic data, storage, and each transfer or disclosure of genetic data to a third party may require DTC genetic testing companies to obtain, and subsequently document, multiple consents from consumers. Additionally, the limited research exemption appears to apply only to research conducted by public or private nonprofit postsecondary educational institutions and excludes the vast majority of research activities, which are conducted in other contexts. The requirement to obtain separate consents for marketing, along with the law’s prohibition on charging different rates to consumers who exercise their rights under the law, places additional burdens on DTC genetic testing companies. DTC genetic testing companies will need to review their internal operating procedures to assess compliance with GIPA.
Florida enacted a broader law in 2021
GIPA took effect on the heels of Florida’s enactment of another significant genetic privacy law.
Florida’s Protecting DNA Privacy Act, which came into effect in October, amends its previous genetic privacy law and regulates the use, retention, disclosure, or transfer of a person’s DNA samples or analysis results. Under the law as revised, it is unlawful to collect, retain, submit for analysis, analyze, sell or transfer a person’s DNA sample, or sell or transfer a person’s DNA analysis results without that person’s express consent. Florida’s law is unique in that it imposes criminal penalties when a person engages in any of the following activities without obtaining the express consent of the individual:
- Collecting or retaining another person’s DNA sample with intent to analyze such sample;
- Submitting another person’s DNA sample for analysis or conducting or procuring the conducting of such analysis;
- Disclosing another person’s DNA analysis results to a third party, unless such results were previously voluntarily disclosed by the person whose DNA was analyzed; and
- Selling or otherwise transferring another person’s DNA sample or analysis results to a third party.
The results of DNA analysis are the “exclusive property” of the person tested, meaning the person tested has the right to exercise a certain level of control over his or her DNA sample or results.
Though the law describes a broad list of prohibited activities, it does carve out uses of DNA samples and analysis for certain specific purposes, including medical diagnosis, conducting quality assessment and improvement activities, and patient treatment when the ordering health care practitioner has obtained express consent for clinical lab analysis or when the DNA analysis is performed by a CMS-certified clinical lab. The law also exempts DNA analysis within the context of research subject to and conducted in compliance with the Common Rule, FDA regulations, or HIPAA, or when such research uses HIPAA de-identified information that was originally collected and maintained for research subject to and in compliance with HIPAA, the Common Rule, or FDA regulations.
These laws illustrate a growing trend in states to increase regulation of genetic information. Companies that collect, use, or disclose genetic information may want to consider evaluating their practices with respect to their handling of genetic information in light of the new obligations under these laws. Companies may want to monitor state genetic privacy laws, as more states may join the nationwide push to regulate genetic information.
Authored by Melissa Bianchi, Scott Loughlin, Melissa Levine, and Fleur Oke.