The Genetic Information Privacy Act is a California law that places data collection, use, security and disclosure requirements on direct-to-consumer genetic testing companies and provides consumers with access and deletion rights.
A Brief History
Introduction of CA Senate Bill 41
The Genetic Information Privacy Act was introduced as CA Senate Bill 41 (SB 41) on December 7 in response to concerns surrounding the direct-to-consumer genetic testing industry. These included the
- unregulated nature of the businesses
- concern that outside parties were using the data for questionable purposes
- fact that genomic data is highly distinguishable
Genetic Information Privacy Act Signed Into Law
After facing fierce debate and deliberation, SB 41 passed through the CA Assembly and Senate on September 9. The bill was signed into law by Governor Gavin Newsom on October 6.
Genetic Information Privacy Act Went Into Effect
On January 1, the Genetic Information Privacy Act went into effect, providing Californians with rights and protections when using direct-to-consumer genetic testing companies. (Cal. Civ. Code §§ 56.18-56.186)
Who Must Comply
The Genetic Information Privacy Act applies to direct-to-consumer genetic testing* companies—businesses that do any of the following:
- sell, market, interpret or otherwise offer consumer-initiated genetic testing products or services directly to consumers
- analyze genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in healing arts for diagnosis or treatment of a medical condition
- collect, use, maintain or disclose genetic data collected or derived from a direct-to-consumer genetic testing product or service, or that a consumer directly provides
Genetic testing means any lab test of a person’s biological sample for the purpose of determining information concerning the genetic material in the sample.
Genetic data is data in any format that results from the analysis of a biological sample from a person (or something else enabling equivalent information to be obtained) and that concerns genetic material.
Genetic material includes but is not limited to
- deoxyribonucleic acids (DNA)
- ribonucleic acids (RNA)
- alterations or modifications to DNA or RNA
- single nucleotide polymorphisms
- uninterpreted data that results from the analysis of the biological sample, and any information extrapolated, derived or inferred from the genetic material
Genetic data does not include deidentified data that cannot be used to infer information about or otherwise be linked to a particular individual. Data is considered deidentified if the business that possesses the data does all of the following:
- takes reasonable measures to ensure information cannot be associated with a consumer or household
- publicly commits to maintain and use the information only in deidentified form and not to attempt to reidentify the information, unless it is doing so to determine whether deidentification satisfies the law’s requirements
- contractually obligates any recipients of information to
  - take the reasonable measures to ensure data cannot be associated with a consumer or household
  - commit to maintaining and using the information only in deidentified form
  - not reidentify the information
Consent (and Revoke Consent) to Collection, Use and Disclosure of Genetic Data
Direct-to-consumer genetic testing companies must obtain express consent from individuals for the use, collection or disclosure of a consumer’s genetic data.
Companies may not be required to obtain express consent to
- market to a consumer on the company’s own website or mobile application if the advertisement does not depend on information specific to the consumer outside the fact that they purchased or received the company's product
- transfer genetic data to certain postsecondary educational institutions for educational and scientific research
Individuals may revoke consent, and the company must honor the revocation within 30 days.
Access Genetic Data
People have the right to access their genetic data held by a direct-to-consumer genetic testing company. Because the businesses covered under the Genetic Information Privacy Act must also comply with the California Consumer Privacy Act, the company must provide the genetic data in a readily accessible format.
Delete Genetic Data and Account
People can delete their genetic data and corresponding account with a direct-to-consumer genetic testing company. Requests for deletion may be denied if the genetic data must be retained due to a legal or regulatory requirement.
Request Destruction of Biological Sample
People can request destruction of a biological sample that the company holds, and the company must comply within 30 days.
Exercise Rights without Being Subject to Discrimination
Direct-to-consumer genetic testing companies may not discriminate against individuals for exercising these rights.
Access Information on a Company’s Data Policies and Procedures
Direct-to-consumer genetic testing companies must make information available regarding their policies and procedures. At minimum, a privacy notice must contain information about
- data collection
- retention and deletion practices
- complaint filing procedures
Direct-to-consumer genetic companies are required to implement and maintain reasonable security measures to protect a person’s data.
The California Attorney General, district attorneys and (in some circumstances) county counsel or city attorneys can bring enforcement actions for violations. Direct-to-consumer genetic testing companies can be subject to civil penalties:
- up to $1,000 per incident plus court costs for each negligent violation
- from $1,000 to $10,000 plus court costs for intentional violations