States Continue to Step in to Safeguard Genetic Information
Utah’s governor recently signed into law SB 227, creating the Genetic Information Privacy Act (GIPA). The law, which is anticipated to go into effect in May, is aimed at protecting genetic data collected from direct-to-consumer genetic testing companies. Generally, the law creates requirements for (i) notice; (ii) consent for certain data uses; (iii) data security obligations; and (iv) access, deletion, and destruction rights.
Overview of Current Legal Framework for Genetic Information
To understand this new law, it’s helpful to put it in context. Like many areas of data privacy and security law in the United States, the laws governing genetic information very much remain a patchwork. At the federal level, the Genetic Information Nondiscrimination Act, passed in 2008, generally protects individuals against discrimination based on their genetic information in the health coverage and employment context. The law does not preempt state laws that provide equal or greater protection with respect to genetic discrimination and privacy. Other federal laws, such as the Federal Policy for the Protection of Human Subjects (also known as the “Common Rule”) or the 21st Century Cures Act, may also impose requirements on how genetic information is collected and used. Such information, depending on the context in which it is collected or shared, might also be subject to the Health Insurance Portability and Accountability Act. The Clinical Laboratory Improvement Amendments and the Affordable Care Act may also impact the collection and use of genetic information. Claims about how genetic information is used (or not) would also be subject to regulation by the FTC under its Section 5 authority.
In addition to this myriad of federal laws, states have continued to enact laws applying to genetic information. Some of these states have similarly focused on prohibiting discrimination based on genetic information by certain parties (i.e., insurers or employers). Other laws require informed consent to perform a genetic test or to obtain genetic information. While more comprehensive in terms of the scope of information subject to the laws, California’s Privacy Rights Act and Virginia’s Consumer Data Protection Act (both set to come into effect in 2023) specifically contemplate “genetic data” in their definitions of “sensitive” personal information. Historically, however, legislation specifically aimed at the privacy of information collected by consumer genetic testing companies has been rarer. Just last fall, California’s governor vetoed a somewhat similar (but broader) law aimed at direct-to-consumer (DTC) companies, which we wrote about here. In 2018, the Future of Privacy Forum issued self-regulatory industry privacy best practices for DTC genetic testing companies.
Applicability and Requirements of Utah’s Law
Utah’s law applies to a “direct-to-consumer genetic testing company” that collects “genetic data” from residents of Utah. “Genetic data” broadly means any data, regardless of format, concerning a consumer’s genetic characteristics. This includes: (i) raw sequence data that result from sequencing all or a portion of a consumer’s extracted DNA; (ii) genotypic and phenotypic information obtained from analyzing a consumer’s raw sequence data; and (iii) self-reported health information regarding a consumer’s health conditions that the consumer provides to a company that the company: (A) uses for scientific research or product development; and (B) analyzes in connection with the consumer’s raw sequence data. Genetic data does not include de-identified data.
As noted above, the law imposes other obligations around notice, data use, data security and individual rights, described in more detail below.
Notice. Companies subject to this law must provide a prominent, publicly available privacy notice that includes information about the company’s data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices. This is likely to impose few new requirements on companies already meeting other US (or EU) privacy notice obligations.
Data uses and consent. The law requires separate (and sometimes “express”) consent for various uses of genetic data. Initially, express consent must be obtained for the collection, use, or disclosure of genetic information. This express consent must disclose who has access to test results and how the company may share genetic data. Separate express consent is also required for: (i) transfers or disclosures of genetic data to any person (other than vendors); (ii) use of the information beyond the primary purpose of the genetic testing; or (iii) retention of the biological sample following completion of the initial testing service. Express consent is also required for direct or third party marketing activities. However, companies with a first party relationship may, without express consent, provide customized content or offers on the company’s website or through the app/service. There are also consent requirements for disclosing genetic data to third parties for research purposes, to health insurance companies, and to a consumer’s employer. The law also requires a valid legal process before a company may disclose a consumer’s genetic data to law enforcement or any other government entity without the consumer’s express written consent.
Data security. Companies subject to this law must develop, implement, and maintain a comprehensive security program to protect a consumer’s genetic data against unauthorized access, use, or disclosure.
Individual Rights. There must be a process in place for consumers to access their genetic data, delete their account and genetic data, and destroy the biological sample.
Enforcement and Effective Date
The attorney general may initiate a civil enforcement action and recover actual damages, costs, attorney fees, and up to $2,500 for each violation. The law does not contemplate a private cause of action. In Utah, unless specifically noted otherwise in the bill, a law becomes effective 60 days after adjournment. Given that March 5, 2021 was the last day of the annual general session, the law is anticipated to go into effect in early May 2021.
Putting it into Practice. Companies operating in the growing DTC industry should continue to be mindful of the increasing appetite for legislation in this area (as well as the patchwork of existing laws), and growing expectations around notice, consent, and data security. With the continued proliferation of the use of digital health and other direct-to-consumer and at-home health and wellness testing and wearable devices, more regulation in this area is likely.