Utah recently signed into law SB 227, creating the Genetic Information Privacy Act (GIPA). The law, which is anticipated to go into effect in May 2021, is aimed at protecting genetic data collected from direct-to-consumer (DTC) genetic testing companies. Companies distributing DTC tests should evaluate their current data privacy policies and practices against the obligations the new Utah law imposes on data use and protection, including user consent, data security, and access and deletion rights, to ensure they are in a position to comply with the new law.
Overview of Current Legal Framework for Privacy of Genetic Information
To understand this new law, it’s helpful to put it in context. Like many areas of data privacy and security law in the United States, the laws governing genetic information very much remain a patchwork. At the federal level, the Genetic Information Nondiscrimination Act, passed in 2008, generally protects individuals against discrimination based on their genetic information in the health coverage and employment context. The law does not preempt state laws that provide equal or greater protection with respect to genetic discrimination and privacy. Other federal laws such as the Federal Policy for the Protection of Human Subjects, aka the “Common Rule,” or the 21st Century Cures Act may also impose requirements on how genetic information is collected and used. Such information, depending on the context in which it is collected or shared, might also be subject to the Health Insurance Portability and Accountability Act (HIPAA). The Clinical Laboratory Improvement Amendments and the Affordable Care Act may also impact the collection and use of genetic information. Claims about how genetic information is used (or not) also would be subject to regulation by the US Federal Trade Commission (FTC) under its Section 5 authority (i.e., unfair and/or deceptive practices). The FDA also regulates the type of genetic health information that may be provided to consumers, including required labeling, through its premarket clearance process.
In addition to these myriad of federal laws, states have continued to enact laws applying to genetic information. Some of these states have similarly focused on prohibiting discrimination based on genetic information by certain parties (i.e., insurers or employers). Other laws require informed consent to perform a genetic test or to obtain genetic information. While more comprehensive general privacy laws, California’s Privacy Rights Act and Virginia’s Consumer Data Protection Act (both set to come into effect in 2023) specifically contemplate “genetic data” in the definition of “sensitive personal information” (and impose certain requirements on the collection of such information).
However historically, legislation specifically aimed at the privacy of information collected by consumer genetic testing companies has been rarer. Just last fall, California’s governor vetoed a somewhat similar (but broader) law aimed at DTC companies (which we wrote about here). In terms of self-regulation, the Future of Privacy Forum issued guidance on privacy best practices in 2018 for DTC genetic companies.
Who is subject to GIPA?
Utah’s law applies to a “direct-to-consumer genetic testing company” collecting “genetic data” from residents of Utah. “Genetic data” broadly means any data, regardless of format, concerning a consumer’s genetic characteristics (but excluding de-identified data). Genetic data includes:
- (i) raw sequence data that result from sequencing all or a portion of a consumer’s extracted DNA;
- (ii) genotypic and phenotypic information obtained from analyzing a consumer’s raw sequence data; and
- (iii) self-reported health information regarding a consumer’s health conditions that the consumer provides to a company that the company:
- (A) uses for scientific research or product development; and
- (B) analyzes in connection with the consumer’s raw sequence data.
Requirements Under GIPA
The law imposes obligations around notice, data use, data security and individual rights, which we describe in more detail here:
- Notice. Companies subject to this law must provide a prominent, publicly available privacy notice that includes information about the company’s data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices. This is likely to impose little new requirements for those companies already meeting other US (or EU) privacy notice legal obligations.
- Data uses and consent. The law requires separate (and sometimes “express”) consent for various uses of genetic data. Initially, “express consent” must be obtained for the collection, use, or disclosure of genetic information. This express consent must disclose who has access to test results and how the company may share genetic data. Separate express consent is also required for: (i) transfers or disclosures of genetic data to any person (other than vendors); (ii) use of the information beyond the primary purpose of the genetic testing; or (iii) retention of the biological sample following completion of the initial testing service. Express consent also is required for direct or third party marketing activities. However, companies with a first party relationship may, without express consent, provide customized content or offer’s on the company’s website or through the app/service.
There are also consent requirements for disclosing genetic data to third parties for research purposes, health insurance companies, and/or a consumer’s employer. The law also requires companies to have a valid legal process for the company’s disclosure of a consumer’s genetic data to law enforcement or any government entity without the consumer’s express written consent.
- Data security. Companies subject to this law must develop, implement, and maintain a comprehensive security program to protect a consumer’s genetic data against unauthorized access, use, or disclosure.
- Individual Rights. There must be a process in place for consumers to access their genetic data, delete their account and genetic data, and destroy the biological sample.
Enforcement and Effective Date of GIPA
The Utah State Attorney General may initiate a civil enforcement action and recover actual damages, costs, attorney fees, and up to $2,500 for each violation. The law does not contemplate a private cause of action. In Utah, unless specifically noted otherwise in the bill, a law becomes effective 60-days after adjournment. Given that March 5, 2021 was the last day of the annual general session, the law is anticipated to go into effect early May 2021.
For those entities to which this law applies, now is a good time to review existing website privacy policies, separate disclosures and the consent processes for other data uses, as well the processes in place for handling of individual rights. Companies operating generally in this industry should continue to be mindful of the increasing appetite for legislation in this area (as well as the patchwork of existing laws). Furthermore, with the continued proliferation of the use of digital health and other direct-to-consumer and at-home health and wellness testing and wearables, more regulation in this area is likely.