Natali_Mis/istock via Getty Imag

Growing Number of States Enact New Genetic Data Privacy Laws

California, Arizona, and Utah are the latest states to enact genetic data privacy laws to hold genetic testing companies accountable for data protection.

A growing number of states are enacting new genetic data privacy laws to protect patients from misuse of data and to hold private companies accountable for proper data governance practices.

HIPAA holds providers to certain security standards when it comes to collecting genetic data, but private companies are not required to follow the same rules. Companies like 23andMe and Ancestry, which provide genetic testing kits delivered to the customer’s door, fall in a gray area in terms of regulations.

Genetic data is deeply personal and can provide insights about ethnicity, family history, and one’s likelihood of developing certain diseases. A few states, including Nevada and Alaska, already have laws protecting genetic information. More states have been producing legislation and regulations surrounding genetic data use in recent months and years.

California

California Governor Gavin Newsom signed the Genetic Information Privacy Act (GIPA) into law recently, which will go into effect in January. The law requires genetic testing companies to be transparent about data collection practices regarding genetic data and obtain written consent from individuals to use the data.

The bill defined genetic testing companies as any company that sells, markets, interprets, or offers genetic testing products or services directly to consumers, analyzes genetic data, or collects and maintains genetic data.

“This bill would require a direct-to-consumer genetic testing company to honor a consumer’s revocation of consent in accordance with certain procedures, and to destroy a consumer’s biological sample within 30 days of revocation of consent,” the bill explained.

Vendors must obtain separate consent for the use of genetic data for each purpose before transferring it to other parties or using the data for marketing. Companies are also expected to implement security procedures to protect the data from destruction, unauthorized use, or modification.

A negligent violation of the law may result in a $1,000 penalty, while a purposeful violation may result in a $10,000 penalty per incident.

Arizona

Arizona enacted a genetic information privacy law in April. The legislation requires direct-to-consumer genetic testing companies to provide clear information regarding the company’s policies for collecting, using, and disclosing genetic data.

Companies must provide customers with a high-level privacy policy overview and must disclose who has access to test results and how the data may be shared.

Vendors must also “[e]xpress consent for marketing to a consumer based on the consumer's genetic data or for marketing by a third-party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service,” the law states.

“For the purposes of this subdivision, marketing does not include providing customized content or offers on websites or through applications or services provided by the direct-to-consumer genetic testing company with the first-party relationship to the consumer.”

The law does not apply to protected health information (PHI) held by a covered entity or business associate, biological samples that are obtained for the purposes of medical treatment, or a public or private higher education institution.

Florida

Florida’s Protecting DNA Privacy Act went into effect on October 1, 2021. In the state of Florida, companies can face criminal penalties for violating the law, compared to California where businesses can only face civil penalties.

Businesses cannot collect or retain DNA samples without the intent to analyze them, submit another persons’ DNA sample on their behalf, or disclose results to a third-party without written consent.

If a person or business does collect another person’s DNA sample without the intent to perform analysis, they could face a first-degree misdemeanor.

It is also a third-degree felony to submit another person’s DNA sample for analysis or to disclose results to a third party without consent. Additionally, the law states that it is a second-degree felony for someone to sell or transfer DNA samples or results to a third party, regardless of whether the DNA sample was originally obtained with consent

Utah

Utah’s Genetic Information Privacy Act went into effect in May 2021. The act is similar to California’s in that it focuses on direct-to-consumer genetic testing companies and requires the vendors to disclose information about the collection and use of genetic data.

Companies must clearly express who has access to test results and how the results may be shared. Businesses also need written consent for the transfer or disclosure of the consumer’s genetic data to anyone other than the company’s own vendors and service providers.

Vendors also must provide a process for consumers to access, delete, and destroy their genetic data. Businesses also cannot disclose genetic data to a health insurance company or an individual’s employer without consent.

Next Steps

Dig Deeper on Health data access & privacy