Latest Genetic Data Privacy Law Goes into Effect

18 Jan 2022
Client Alert

California is ringing in the New Year with new privacy and security protections for genetic data. On January 1, 2022, California’s new Genetic Information Privacy Act (GIPA) became the latest state genetic data privacy law to go into effect, adding to a growing number of state laws that require special protections for genetic data. This new law, signed by California Governor Gavin Newsom on October 6, 2021, impacts direct-to-consumer (DTC) genetic testing companies as well as service providers to those companies. Among other requirements, GIPA requires DTC genetic testing companies to:

(i) provide California consumers with certain information regarding their policies and procedures for the collection, use, maintenance, and disclosure of genetic data;

(ii) obtain a separate express consent from a consumer for the collection, use, and/or disclosure of the consumer’s genetic data; and

(iii) have in place a contract with specific contractual provisions with certain of their downstream service providers.

Below we discuss key provisions of the law.

Key Obligations

DTC genetic testing companies and their service providers will need to review GIPA’s obligations and update their consumer-facing notices and consent forms, as well as other internal processes, to comply with the new law. GIPA requires DTC genetic testing companies to:

  • Provide consumers with certain information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure of genetic data;
  • Obtain a consumer’s separate express consent for collection, use, and/or disclosure of the consumer’s genetic data;
  • Execute a contract with specific contractual provisions with certain of the company’s downstream service providers, in order to avoid obtaining separate express consent for disclosure of genetic data to such providers;
  • Honor a consumer’s revocation of consent in accordance with federal regulations governing research subjects (45 C.F.R. Part 46);
  • Destroy a consumer’s biological sample within 30 days after a consumer revokes consent;
  • Comply with certain labeling requirements for advertising of third-party products or services to consumers, where a consumer’s genetic data or a consumer’s receipt or use of genetic testing products or services is the basis for such advertisement;
  • Implement and maintain reasonable security procedures and practices to protect consumers’ genetic data against unauthorized access, destruction, use, modification, or disclosure; and
  • Develop procedures and practices to enable consumers to access their genetic data, to delete their accounts and genetic data, and to destroy the biological samples.

Companies subject to GIPA may face penalties of up to $1,000 plus court costs for each negligent violation of the law, and up to $10,000 plus court costs for each willful violation.

Detailed Analysis

Applicability

GIPA applies to DTC genetic testing companies, which are entities that (i) sell, market, interpret, or otherwise offer consumer-initiated genetic testing products or services directly to a consumer; (ii) analyze genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition; or (iii) collect, use, maintain, or disclose genetic data collected or derived from a DTC genetic testing product or service, or directly provided by a consumer. Note that “genetic testing” under GIPA encompasses any laboratory test of a biological sample from a consumer for the purpose of determining information concerning genetic material contained within the biological sample, or any information extrapolated, derived, or inferred therefrom.

Notably, GIPA contains exemptions for:

  • Medical information governed by the California Confidentiality of Medical Information Act (CMIA), and protected health information (PHI) governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
  • Providers of health care governed by CMIA or covered entities under HIPAA, to the extent such providers and covered entities maintain, use, and disclose genetic information in the same manner as medical information or PHI, respectively;
  • Business associates of covered entities under HIPAA, to the extent the business associate maintains, uses, and discloses genetic information in the same manner as medical information or PHI; and
  • Scientific research or educational activities conducted by educational institutions that hold assurance with the U.S. Department of Health and Human Services pursuant to Part 46 of Title 45, so long as the research and educational activities comply with all applicable federal and state laws.[1]

Scope of Genetic Data

Under GIPA, “genetic data” includes any data, regardless of its format, that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained, and concerns genetic material (such as DNA and RNA), and any information extrapolated, derived, or inferred therefrom.

De-identified data, or data that cannot be used to infer information about, or otherwise be linked to, a particular individual, is not genetic data under the law, provided the business that possesses the information meets certain requirements to ensure the data is not re-identified.

“Genetic data” also does not include data or biological samples to the extent that data or biological samples are collected, used, maintained, and disclosed exclusively for scientific research conducted by an investigator with an institution that holds an assurance with the U.S. Department of Health and Human Services pursuant to 45 C.F.R. Part 46, in compliance with all applicable federal and state laws and regulations for the protection of human subjects in research.

Consumer Notice Requirements

GIPA requires DTC genetic testing companies to provide consumers with information regarding their policies and procedures for the collection, use, maintenance, and disclosure of genetic data, including the following:

  • A summary of privacy practices, written in plain language, that includes information about the company’s collection, use, maintenance, and disclosure, as applicable, of genetic data;
  • A prominent and easily accessible privacy notice that includes complete information about the company’s data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices, and information that clearly describes how to file a complaint alleging a violation of GIPA; and
  • A notice that the consumer’s de-identified genetic or phenotypic information may be shared with or disclosed to third parties for research purposes in accordance with 45 C.F.R. Part 46.

Consumer Consent & Revocation of Consent Requirements

GIPA also requires DTC genetic testing companies to obtain a consumer’s express consent for collection, use, and disclosure of the consumer’s genetic data, including, at a minimum, a separate and express consent for each of the following:[2]

  • The use of the genetic data collected through the genetic testing product or service offered to the consumer, including who has access to genetic data, how genetic data may be shared, and the specific purposes for which it will be collected, used, and disclosed;
  • The storage of a consumer’s biological sample after the initial testing requested by the consumer has been fulfilled;
  • Each use of genetic data or the biological sample beyond the primary purpose of the genetic testing or service and inherent contextual uses;
  • Each transfer or disclosure of the consumer’s genetic data or biological sample to a third party other than to a service provider, including the name of the third party to which the consumer’s genetic data or biological sample will be transferred or disclosed; and
  • The marketing or facilitation of marketing to a consumer based on the consumer’s genetic data or the marketing or facilitation of marketing by a third party based upon the consumer having ordered, purchased, received, or used a genetic testing product or service.

Under GIPA, express consent requires a consumer’s affirmative authorization (i.e., an action that demonstrates an intentional decision by the consumer) to grant permission in response to a clear, meaningful, and prominent notice regarding the collection, use, maintenance, or disclosure of genetic data for a specific purpose that an ordinary consumer would notice and understand.

If a DTC genetic testing company must obtain a consumer’s express consent for the collection, use, and disclosure of the consumer’s genetic data, as described above, then the company must provide effective mechanisms, without any unnecessary steps, for a consumer to revoke such consent. To comply with this requirement, the DTC genetic testing company must provide at least one mechanism that utilizes the primary medium through which the company communicates with consumers.

If a consumer revokes their consent, the DTC genetic testing company must honor the consumer’s revocation as soon as practicable, but not later than 30 days after such revocation. Additionally, the DTC genetic testing company must destroy a consumer’s biological sample within 30 days of receipt of revocation of consent to store the sample, and revocation of consent must comply with 45 C.F.R. Part 46.

Service Provider Agreement Requirements

GIPA’s consent requirements do not specifically require DTC genetic testing companies to obtain a separate and express consent from consumers to disclose their genetic data or biological sample to a service provider (although they are required to disclose to the consumer whether they will share any such data with any service providers and the purpose of such sharing when they obtain the consumer’s express consent to use the consumer’s genetic data, as described above).

In order for a DTC genetic testing company’s vendors and other service providers to qualify as “service providers” under GIPA, they must be involved in the collection, transportation, analysis, or delivery of the results of an analysis of consumers’ biological samples or extracted genetic material. In addition, the company and the vendor must enter into a contract that includes both of the following:

  • A provision prohibiting the service provider from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, for a commercial purpose other than providing the services specified in the contract.
  • A provision prohibiting the service provider from associating or combining the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, with information the service provider has received from or on behalf of another person or persons, or has collected from its own interaction with consumers or as required by law.

Individual Rights

GIPA grants consumers the following rights in their genetic data and requires DTC genetic testing companies to develop procedures and practices to enable a consumer to easily exercise such rights:

  • To access the consumer’s genetic data.
  • To delete the consumer’s account and genetic data, except for genetic data that the company must retain to comply with applicable legal and regulatory requirements.
  • To have the consumer’s biological sample destroyed.

In addition, under GIPA, no person or public entity may discriminate against a consumer for exercising any of these rights, including with respect to the provision, price, and level or quality of any goods, services, or benefits.

Security & Restrictions on Disclosure

GIPA requires DTC genetic testing companies to implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure.

In addition, subject to limited exceptions, GIPA prohibits DTC genetic testing companies from disclosing a consumer’s genetic data to any entity that is responsible for administering or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment or to any entity that provides advice to an entity that is responsible for performing those functions.

Marketing Requirements

GIPA’s marketing-consent requirement, noted above, does not require DTC genetic testing companies to obtain a consumer’s express consent to market to the consumer on the company’s own websites or mobile applications based upon the consumer having ordered, purchased, received, or used a genetic testing product or service from that company. This exception to obtaining a marketing consent applies so long as: (i) the content of the advertisement does not depend upon any information specific to that consumer, except for the product or service that the consumer ordered, purchased, received, or used; and (ii) the placement of the advertisement is not intended to result in disparate exposure to advertising content on the basis of the consumer’s sex, race, color, religion, ancestry, national origin, disability, medical condition, genetic information, marital status, sexual orientation, citizenship, primary language, or immigration status.

However, advertisements of third-party products or services that are presented to a consumer pursuant to their consent, or are consistent with the paragraph above, must be prominently labeled as advertising content and be accompanied by the name of any third party that has contributed to the placement of the advertising. If applicable, the advertisement must also clearly indicate that the advertised product or service, and any associated claims, have not been vetted or endorsed by the DTC genetic testing company.

Enforcement & Penalties

The California Attorney General, a California district attorney, county counsel authorized by agreement with the district attorney in actions involving violation of a county ordinance, or a qualified city attorney, will exclusively prosecute any action for relief pursuant to GIPA.

Any person who negligently violates GIPA shall be assessed a civil penalty up to $1,000 plus court costs. Any person who willfully violates GIPA shall be assessed a civil penalty of at least $1,000 and not more than $10,000 plus court costs. Each violation of GIPA is a separate and actionable violation.

[1] In addition to the exceptions set forth above, GIPA also does not apply to any of the following:

  • The California Newborn Screening Program authorized by Chapter 1 of Part 5 of Division 106 of the Health and Safety Code.
  • Tests conducted exclusively to diagnose whether an individual has a specific disease, to the extent that all persons involved in the conduct of the test maintain, use, and disclose genetic information in the same manner as medical information or protected health information.
  • Genetic data used or maintained by an employer, or disclosed by an employee to an employer, to the extent that the use, maintenance, or disclosure of that data is necessary to comply with a local, state, or federal workplace health and safety ordinance, law, or regulation.

GIPA also provides that the law does not affect access to information made available to the public by the consumer.

[2] In this context, “third party” does not include a public or private nonprofit postsecondary educational institution to the extent that the consumer’s genetic data or biological sample is disclosed to a public or private nonprofit postsecondary educational institution for the purpose of certain scientific research or educational activities. (Cal. Civ. Code § 56.181(a)(2).)

We are Morrison Foerster — a global firm of exceptional credentials. Our clients include some of the largest financial institutions, investment banks, and Fortune 100, technology, and life sciences companies. Our lawyers are committed to achieving innovative and business-minded results for our clients, while preserving the differences that make us stronger.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Prior results do not guarantee a similar outcome.