Genetic Information Privacy Act (California)

2020

Introduction of CA Senate Bill 41

The Genetic Information Privacy Act was introduced as CA Senate Bill 41 (SB 41) on December 7 in response to concerns surrounding the direct-to-consumer genetic testing industry. These included the

• unregulated nature of the businesses
• concern that outside parties were using the data for questionable purposes
• fact that genomic data is highly distinguishable

2021

Genetic Information Privacy Act Signed Into Law

After facing fierce debate and deliberation, SB 41 passed through the CA Assembly and Senate on September 9. The bill was signed into law by Governor Gavin Newsom on October 6.

2022

Genetic Information Privacy Act Went Into Effect

On January 1, the Genetic Information Privacy Act went into effect providing Californians with rights and protections when using direct-to-consumer genetic testing companies. (Cal. Civ. Code § 56.18-56.186)

The Genetic Information Privacy Act applies to direct-to-consumer genetic testing* companies—businesses that do any of the following:

• sell, market, interpret or otherwise offer consumer-initiated genetic testing products or services directly to consumers
• analyze genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in healing arts for diagnosis or treatment of a medical condition
• collect, use, maintain or disclose genetic data collected or derived from a direct-to-consumer genetic testing product or service, or that a consumer directly provides

Genetic testing means any lab test of a person’s biological sample for the purpose of determining information concerning the genetic material in the sample.

Genetic Data

Genetic data is data in any format that results from the analysis of a biological sample from a person (or something else enabling equivalent information to be obtained) and that concerns genetic material.

Genetic material includes but is not limited to

• deoxyribonucleic acids (DNA)
• ribonucleic acids (RNA)
• genes
• chromosomes
• alleles
• genomes
• alterations or modifications to DNA or RNA
• single nucleotide polymorphisms
• uninterpreted data that results from the analysis of the biological sample, and any information extrapolated, derived or inferred from the genetic material

Genetic data does not include deidentified data that cannot be used to infer information about or otherwise be linked to a particular individual. Data is considered deidentified if the business that possesses the data does all of the following:

• takes reasonable measures to ensure information cannot be associated with a consumer or household
• publicly commits to maintain and use the information only in deidentified form and not attempt to reidentify the information, unless it is doing so to determine whether deidentification satisfies the law’s requirements
• contractually obligates any recipients of information to 
  • take the reasonable measures to ensure data cannot be associated with a consumer or household
  • commit to maintaining and using the information only in deidentified form
  • not reidentify the information

Consent (and Revoke Consent) to Collection, Use and Disclosure of Genetic Data

Direct-to-consumer genetic testing companies must obtain express consent from individuals for the use, collection or disclosure of a consumer’s genetic data.

Companies may not be required to obtain express consent to

• market to a consumer on the company’s own website or mobile application if the advertisement does not depend on information specific to the consumer outside the fact that they purchased or received the company's product
• transfer genetic data to certain postsecondary educational institutions for educational and scientific research

Individuals may revoke consent, and the company must honor the revocation within 30 days.

Access Genetic Data

People have the right to access their genetic data with a direct-to-consumer genetic testing company. Because the businesses covered under the Genetic Information Privacy Act must also comply with the California Consumer Privacy Act, the company must provide the genetic data in a readily accessible format.

Delete Genetic Data and Account

People can delete their genetic data and corresponding account with a direct-to-consumer genetic testing company. Requests for deletion may be denied if the genetic data must be retained due to a legal or regulatory requirement.

Request Destruction of Biological Sample

People can request destruction of a biological sample that the company holds, and the company must comply within 30 days. 

Exercise Rights without Being Subject to Discrimination

Direct-to-consumer genetic testing companies may not discriminate against individuals for exercising these rights. 

Access Information on a Company’s Data Policies and Procedures

Direct-to-consumer genetic testing companies must make information available regarding their policies and procedures. At minimum, a privacy notice must contain information about

• data collection
• use
• access
• disclosure
• maintenance
• transfer
• security*
• retention and deletion practices
• complaint filing procedures

Direct-to-consumer genetic companies are required to implement and maintain reasonable security measures to protect a person’s data.

The California Attorney General, district attorneys and (in some circumstances) county counsel or city attorneys can enforce violations. Direct-to-consumer genetic testing companies can be subject to civil penalties:

• up to $1,000 per incident plus court costs for each negligent violation
• from $1,000 to $10,000 plus court costs for intentional violations