California’s “Genetic Information Privacy Act” (SB 980), vetoed on September 25, 2020 by Governor Gavin Newsom, would have established obligations for direct-to-consumer (“DTC”) genetic testing companies and others that collect or process genetic information. Although the bill did not become law, its near enactment is another example of the growing trend towards increased government focus on genetic information.

SB 980

California may still see a DTC genetic testing law soon. Governor Newsom stated in his message accompanying the veto that he shares the perspective that the sensitive nature of human genetic data warrants strong privacy protections, but is concerned that the broad language in the bill risked unintended consequences. For example, he recognized that the “opt in” provisions of the bill might interfere with laboratories’ reporting requirements related to COVID-19 testing.

The bill’s veto reflects a disagreement over the details of how best to safeguard genetic information rather than disagreement with the principles of the bill. Governor Newsom is directing the California Health and Human Services Agency and the Department of Public Health to work with the Legislature on a solution that achieves the privacy aims of the bill while preventing inadvertent impacts on COVID-19 testing efforts. There is apparent appetite to get the bill passed in some form, with SB 980’s author, California State Senator Tom Umberg, publicly stating he will work with the governor’s office to craft a new bill quickly.

The drafting and progression of SB 980 in California highlights the movement of state legislatures towards increased regulation of the collection, use, and disclosure of genetic information. If signed, SB 980 would have required DTC genetic testing companies to comply with certain privacy and data security provisions, including providing consumers with prescribed notice, obtaining consumers’ express consent regarding the collection, use, and disclosure of genetic data, and enabling consumers to access and delete their genetic information.

Legal Landscape

Historically, the laws and guidance surrounding genetic privacy focused on prohibiting discrimination, requiring testing of newborns for certain conditions, or requiring consent prior to conducting genetic tests. These laws have traditionally applied to insurers, employers, laboratories, and health care providers and included exceptions necessary for research, treatment, or required regulatory reporting. A number of states already have laws that broadly apply to genetic information or genetic testing and require explicit consent for the collection of genetic information, running of genetic tests, retention of genetic samples and information, and/or disclosure of genetic information.

There also appears to be a trend towards incorporating protections for genetic information into broader lawmaking efforts. In the past few years, a number of states have introduced bills, and some have passed laws, to create new genetic privacy laws or amend existing genetic privacy and breach notification laws to cover consumer genetic testing activities, strengthen notice and consent requirements, and increase the penalties for violations. Additionally, state consumer privacy laws and state biometric privacy laws are increasingly including genetic information in their definitions of protected information.

Federal Activity

Genetic data is becoming part of the federal privacy debate. For example, earlier this year, explicit notice and consent requirements for the use and disclosure of genetic information were included in a number of federal coronavirus relief bills. Federal proposals frequently include genetic information in definitions of sensitive information, such as Senator Roger Wicker’s bill, the “SAFE DATA Act,” that would create new privacy notice requirements, provide for injunctive relief, and establish a victim relief fund to compensate consumers for privacy violations.

In addition, over the past few years, federal regulators have been keeping a close eye on DTC genetic offerings. The Federal Trade Commission issued guidance on consumer genetic testing in 2017 and 2019 and the Food and Drug Administration published DTC guidance in 2018. Around the same time, a number of genetic testing companies worked with the Future of Privacy Forum to develop Privacy Best Practices for Consumer Genetic Testing Services, which sought to establish industry-based standards for genetic data generated in the consumer context.

Comprehensive Data Protection Laws

As SB 980 illustrates, there is a growing trend by state and federal law makers to increase regulation of genetic information and cover non-traditional entities like DTC companies. The market for DTC genetic testing has expanded dramatically in recent years with advances in testing capabilities, increased DTC offerings, and more people using at-home DNA tests to explore their genetic predispositions, family history, and ancestry. Advances in genetic sequencing and analysis technologies coupled with the current pandemic have highlighted the positive impact that rapid testing and identification of genetic variants can have for the identification of diseases, patient testing, and development of new treatments. At the same time, the prevalence of consumer testing and sensitivity of genetic information have also heightened public and legislator scrutiny of genetic privacy practices. Although this particular bill will not be enacted, entities that collect, use, or disclose genetic information can use this as opportunity to evaluate their current practices and prepare for likely changes ahead.