Latest Genetic Data Privacy Law Goes into Effect

California is ringing in the New Year with new privacy and security protections for genetic data. On January 1, 2022, California’s new Genetic Information Privacy Act (GIPA) became the latest state genetic data privacy law to go into effect, adding to a growing number of state laws that require special protections for genetic data. This new law, signed by California Governor Gavin Newsom on October 6, 2021, impacts direct-to-consumer (DTC) genetic testing companies as well as service providers to those companies. Among other requirements, GIPA requires DTC genetic testing companies to:

(i) provide California consumers with certain information regarding their policies and procedures for the collection, use, maintenance, and disclosure of genetic data;

(ii) obtain a separate express consent from a consumer for the collection, use, and/or disclosure of the consumer’s genetic data; and

(iii) have in place a contract with specific contractual provisions with certain of their downstream service providers. Below we discuss key provisions of the law.

Key Obligations

DTC genetic-testing companies and their service providers will need to review GIPA’s obligations and update their consumer-facing notices and consent forms as well as other internal processes to comply with the new law. GIPA requires DTC genetic testing companies to:

• Provide consumers with certain information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure of genetic data;
• Obtain a consumer’s separate express consent for collection, use, and/or disclosure of the consumer’s genetic data;
• Execute a contract with specific contractual provisions with certain of the company’s downstream service providers, in order to avoid obtaining separate express consent for disclosure of genetic data to such providers;
• Honor a consumer’s revocation of consent in accordance with federal regulations governing research subjects (45 C.F.R. Part 46);
• Destroy a consumer’s biological sample within 30 days after a consumer revokes consent;
• Comply with certain labeling requirements for advertising of third-party products or services to consumers, where a consumer’s genetic data or a consumer’s receipt or use of genetic testing products or services is the basis for such advertisement;
• Implement and maintain reasonable security procedures and practices to protect consumers’ genetic data against unauthorized access, destruction, use, modification, or disclosure; and
• Develop procedures and practices to enable consumers to access their genetic data, to delete their accounts and genetic data, and to destroy the biological samples.

Companies subject to GIPA may face penalties of up to $1,000 plus court costs for each negligent violation of the law, and up to $10,000 plus court costs for each willful violation.

Detailed Analysis

Applicability

GIPA applies to DTC genetic testing companies, which are entities that (i) sell, market, interpret, or otherwise offer consumer-initiated genetic testing products or services directly to a consumer; (ii) analyze genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition; or (iii) collect, use, maintain, or disclose genetic data collected or derived from a DTC genetic testing product or service, or directly provided by a consumer. Note that “genetic testing” under GIPA encompasses any laboratory test of a biological sample from a consumer for the purpose of determining information concerning genetic material contained within the biological sample, or any information extrapolated, derived, or inferred therefrom.

Notably, GIPA contains exemptions for:

• Medical information governed by the California Confidentiality of Medical Information Act (CMIA), and protected health information (PHI) governed by the Health Information Portability and Accountability Act of 1996 (HIPAA);
• Providers of health care governed by CMIA or covered entities under HIPAA, to the extent such providers and covered entities maintain, use, and disclose genetic information in the same manner as medical information or PHI, respectively;
• Business associates of covered entities under HIPAA, to the extent the business associate maintains, uses, and discloses genetic information in the same manner as medical information or PHI; and
• Scientific research or educational activities conducted by educational institutions that hold assurance with the U.S. Department of Health and Human Services pursuant to Part 46 of Title 45, so long as the research and educational activities comply with all applicable federal and state laws.[1]

Scope of Genetic Data

Under GIPA, “genetic data” includes any data, regardless of its format, that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained, and concerns genetic material (such as DNA and RNA), and any information extrapolated, derived, or inferred therefrom.

De-identified data, or data that cannot be used to infer information about, or otherwise be linked to, a particular individual, is not genetic data under the law, provided the business that possesses the information meets certain requirements to ensure the data is not re-identified.

“Genetic data” also does not include data or biological samples to the extent that data or biological samples are collected, used, maintained, and disclosed exclusively for scientific research conducted by an investigator with an institution that holds an assurance with the U.S. Department of Health and Human Services pursuant to 45 C.F.R. Part 46, in compliance with all applicable federal and state laws and regulations for the protection of human subjects in research.

Consumer Notice Requirements

GIPA requires DTC genetic testing companies to provide consumers with information regarding their policies and procedures for the collection, use, maintenance, and disclosure of genetic data, including the following:

• A summary of privacy practices, written in plain language, that includes information about the company’s collection, use, maintenance, and disclosure, as applicable, of genetic data;
• A prominent and easily accessible privacy notice that includes complete information about the company’s data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices, and information that clearly describes how to file a complaint alleging a violation of GIPA; and
• A notice that the consumer’s de-identified genetic or phenotypic information may be shared with or disclosed to third parties for research purposes in accordance with 45 C.F.R. Part 46.

Consumer Consent & Revocation of Consent Requirements

GIPA also requires DTC genetic testing companies to obtain a consumer’s express consent for collection, use, and disclosure of the consumer’s genetic data, including, at a minimum, a separate and express consent for each of the following:[2]

• The use of the genetic data collected through the genetic testing product or service offered to the consumer, including who has access to genetic data, how genetic data may be shared, and the specific purposes for which it will be collected, used, and disclosed;
• The storage of a consumer’s biological sample after the initial testing requested by the consumer has been fulfilled;
• Each use of genetic data or the biological sample beyond the primary purpose of the genetic testing or service and inherent contextual uses;
• Each transfer or disclosure of the consumer’s genetic data or biological sample to a third party other than to a service provider, including the name of the third party to which the consumer’s genetic data or biological sample will be transferred or disclosed; and
• The marketing or facilitation of marketing to a consumer based on the consumer’s genetic data or the marketing or facilitation of marketing by a third party based upon the consumer having ordered, purchased, received, or used a genetic testing product or service.

Under GIPA, express consent requires a consumer’s affirmative authorization (i.e., an action that demonstrates an intentional decision by the consumer) to grant permission in response to a clear, meaningful, and prominent notice regarding the collection, use, maintenance, or disclosure of genetic data for a specific purpose that an ordinary consumer would notice and understand.

If a DTC genetic testing company must obtain a consumer’s express consent for the collection, use, and disclosure of the consumer’s genetic data, as described above, then the company must provide effective mechanisms, without any unnecessary steps, for a consumer to revoke such consent. To comply with this requirement, the DTC genetic testing company must provide at least one mechanism that utilizes the primary medium through which the company communicates with consumers.

If a consumer revokes their consent, the DTC genetic testing company must honor the consumer’s revocation as soon as practicable, but not later than 30 days after such revocation. Additionally, the DTC genetic testing company must destroy a consumer’s biological sample within 30 days of receipt of revocation of consent to store the sample, and revocation of consent must comply with 45 C.F.R. Part 46.

Service Provider Agreement Requirements

GIPA’s consent requirements do not specifically require DTC genetic testing companies to obtain a separate and express consent from consumers to disclose their genetic data or biological sample to a service provider (although they are required to disclose to the consumer whether they will share any such data with any service providers and the purpose of such sharing when they obtain the consumer’s express consent to use the consumer’s genetic data, as described above).

In order for a DTC genetic testing company’s vendors and other service providers to qualify as “service providers” under GIPA, they must be involved in the collection, transportation, analysis, or delivery of the results of an analysis of consumers’ biological samples or extracted genetic material. In addition, the company and the vendor must enter into a contract that includes both of the following:

• A provision prohibiting the service provider from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, for a commercial purpose other than providing the services specified in the contract.
• A provision prohibiting the service provider from associating or combining the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, with information the service provider has received from or on behalf of another person or persons, or has collected from its own interaction with consumers or as required by law.

Individual Rights

GIPA grants consumers the following rights in their genetic data and requires DTC genetic testing companies to develop procedures and practices to enable a consumer to easily exercise such rights:

• To access the consumer’s genetic data.
• To delete the consumer’s account and genetic data, except for genetic data that the company must retain to comply with applicable legal and regulatory requirements.
• To have the consumer’s biological sample destroyed.

In addition, under GIPA, no person or public entity may discriminate against a consumer for exercising any of these rights, including with respect to the provision, price, and level or quality of any goods, services, or benefits.

Security & Restrictions on Disclosure

GIPA requires DTC genetic testing companies to implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure.

In addition, subject to limited exceptions, GIPA prohibits DTC genetic testing companies from disclosing a consumer’s genetic data to any entity that is responsible for administering or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment or to any entity that provides advice to an entity that is responsible for performing those functions.

Marketing Requirements

GIPA’s consent for marketing requirement, noted above, does not require DTC genetic testing companies to obtain a consumer’s express consent to market to the consumer on such company’s own websites or mobile applications based upon the consumer having ordered, purchased, received, or used a genetic testing product or service from such company. This exception to obtaining a marketing consent applies so long as: (i) the content of the advertisement does not depend upon any information specific to that consumer, except for the product or service that the consumer ordered, purchased, received, or used; and (ii) the placement of the advertisement is not intended to result in disparate exposure to advertising content on the basis of the consumer’s sex, race, color, religion, ancestry, national origin, disability, medical condition, genetic information, marital status, sexual orientation, citizenship, primary language, or immigration status.

However, advertisements of third-party products or services that are presented to a consumer pursuant to their consent, or are consistent with the paragraph above, must be prominently labeled as advertising content and be accompanied by the name of any third party that has contributed to the placement of the advertising. If applicable, the advertisement must also clearly indicate that the advertised product or service, and any associated claims, have not been vetted or endorsed by the DTC genetic testing company.

Enforcement & Penalties

The California Attorney General, a California district attorney, county counsel authorized by agreement with the district attorney in actions involving violation of a county ordinance, or a qualified city attorney, will exclusively prosecute any action for relief pursuant to GIPA.

Any person who negligently violates GIPA shall be assessed a civil penalty up to $1,000 plus court costs. Any person who willfully violates GIPA shall be assessed a civil penalty of at least $1,000 and not more than $10,000 plus court costs. Each violation of GIPA is a separate and actionable violation.

[1] In addition to the exceptions set forth above, GIPA also does not apply to any of the following:

• The California Newborn Screening Program authorized by Chapter 1 of Part 5 of Division 106 of the Health and Safety Code.
• Tests conducted exclusively to diagnose whether an individual has a specific disease, to the extent that all persons involved in the conduct of the test maintain, use, and disclose genetic information in the same manner as medical information or protected health information.
• Genetic data used or maintained by an employer, or disclosed by an employee to an employer, to the extent that the use, maintenance, or disclosure of that data is necessary to comply with a local, state, or federal workplace health and safety ordinance, law, or regulation.

GIPA also provides that the law does not affect access to information made available to the public by the consumer.

[2] In this context, “third party” does not include a public or private nonprofit postsecondary educational institution to the extent that the consumer’s genetic data or biological sample is disclosed to a public or private nonprofit postsecondary educational institution for the purpose of certain scientific research or educational activities. (Cal. Civ. Code § 56.181(a)(2).)