Last month, California Governor Gavin Newsom signed Senate Bill 41, the Genetic Information Privacy Act (“GIPA”), a law that regulates “direct-to-consumer genetic testing companies” that handle the “genetic data” of California residents.  GIPA becomes effective on January 1, 2022 and is notable for its strict disclosure and consent requirements, and for its broad application to companies that provide genetic testing services or support other organizations that do.

This post explores GIPA’s application and requirements and offers suggestions on how organizations that are or may be subject to the law can prepare to comply.

GIPA’s Background

As we’ve noted in our previous discussions of the California Privacy Rights Act and Virginia Consumer Data Privacy Act, state legislatures seeking to regulate businesses’ personal information practices have focused particular attention on “sensitive information” and imposed strict requirements on the collection, processing, and disclosure of information that falls into that category.

Consistent with that trend, GIPA regulates the collection, use, and disclosure of “genetic data,” defined as “any data . . . that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained and concerns genetic material,” where “generic material” can include “[DNA], [RNA], genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from the analysis of the biological sample, and any information extrapolated, derived, or inferred therefrom.”  To some observers, genetic data represents some of the most sensitive forms of personal information because it contains vast amounts of unique health and non-health related information.

As the preamble to GIPA notes, despite the sensitivity of genetic data, direct-to-consumer genetic testing services are largely unregulated, and could create unintended security consequences and increase risk, the seriousness of which is unknown as our knowledge of genomics and our views on the sensitivity of genetic data evolve.  GIPA was introduced to close the gap in the protection of genetic data under the current patchwork of federal and state privacy laws.

Who is a DTC Company under GIPA?

GIPA defines a direct-to-consumer genetic testing company (“DTC Company”) as an entity that does any one of the following:

• Sell, market, interpret, or otherwise offer consumer-initiated genetic testing products or services directly to consumers;
• Analyze genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition; or
• Collect, use, maintain, or disclose genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer.

This broad definition includes those companies that offer at-home self-administered genetic testing services directly to consumers, such as 23andMe and AncestryDNA.  It also includes genetic testing companies that market directly to consumers yet require or permit such testing to be administered in a clinical or laboratory setting, provided the consumer initiated the genetic test (as opposed to the testing being initiated through a physician’s order), as well as health care professionals that analyze genetic data from California residents for purposes other than diagnosing or treating a medical condition.

Most importantly, the definition of a DTC Company sweeps in any company that collects, uses, or maintains genetic data collected by a DTC Company that directly comes from a consumer.  This last category will require any company in the genetic testing space to be able to clearly map the flow of genetic data within its custody and determine whether any such data was obtained from a DTC Company.  If so, the company may be subject to GIPA.

Exemptions and Exclusions

The broad reach of GIPA’s definition of DTC Company is limited by several exemptions.  Some of the more notable include:

• Medical information governed by California’s Confidentiality of Medical Information Act (CMIA), and protected health information that is collected, maintained, used, or disclosed by a covered entity or business associate and that is governed by HIPAA;
• Providers of health care governed by the CMIA, and covered entities and business associates governed by HIPAA, to the extent the provider or covered entity maintains, uses, and discloses genetic data in the same manner as protected health information or medical information under HIPAA or CMIA;
• Scientific research or educational activities conducted by a public or private nonprofit postsecondary educational institution, if the institution holds an assurance with HHS of its compliance with the requirements of 45 CFR part 46;
• Genetic Data used or maintained by an employer, or disclosed by an employee to an employer, to the extent the use, maintenance, or disclosure of that data is necessary to comply with a local, state, or federal workplace health and safety ordinance, law, or regulation; and
• De-identified data, provided that the business that possesses the information takes various measures to ensure that the information cannot be associated with a consumer or household, and to avoid reidentifying the information.

What Obligations Apply to DTC Companies?

GIPA imposes several obligations on DTC Companies.  They include the following:

• Notices and Privacy Policies. A DTC Company must make available to consumers:
  • a summary of its privacy practices, written in plain language, that includes information about the company’s collection, use, maintenance, and disclosure of genetic data;
  • a prominent and easily accessible privacy notice that includes at minimum, information about data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices, and information that clearly describes how to file a complaint alleging a violation of GIPA; and
  • a notice that deidentified genetic or phenotypic information may be shared with or disclosed to third parties for research purposes in accordance with Part 46 of Title 45 of the Code of Federal Regulations (providing for the protection for human subject in research).
• Separate and Express Consent. A DTC Company must obtain the consumer’s express consent for the collection, use, and disclosure of the consumer’s genetic data, including at a minimum separate and express consent for each of the following:
  • Primary Use: the use of the genetic data collected from the consumer, including who has access to genetic data, how genetic data is shared, specific purposes for collection, use, and disclosure.
  • Storage: the storage of consumer’s biological sample after the initial consumer testing has been fulfilled.
  • Secondary Uses: each use of genetic data or biological sample beyond the primary purpose or inherent contextual uses.
  • Transfers: each transfer or disclosure to a third party other than a service provider, including the name of the third party.
  • Marketing: marketing or facilitation of marketing by a third party to a consumer based on the consumer’s use of DTC Company’s product (DTC Company can generally market its own products to consumers, provided not targeted marketing based on information specific to the consumer).
• Reasonable Security Measures. A DTC Company must implement and maintain reasonable security procedures and practices to protect genetic data against unauthorized access, destruction, use, modification, or disclosure.
• Consumer Rights. A DTC Company must develop procedures and practices to allow consumers to exercise their rights with respect to genetic data, including by:
  • enabling a consumer to easily access their genetic data, delete their account, delete their genetic data (subject to certain exceptions) and have the consumer’s biological sample destroyed, and
  • establishing mechanisms that allows for consumer to withdraw their consent after it is given – one of which must include the primary medium through which the DTC Company communicates with its consumers.
• Service Provider Agreements. A DTC Company must execute an agreement with any third‑party service provider to whom it discloses genetic data that prohibits the service provider from:
  • retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, for any purpose other than for the specific purpose of performing the services specified in the contract for the business; and
  • associating or combining the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, with information the service provider has received from or on behalf of another person or persons, or has collected from its own interaction with consumers or as required by law.

What’s Prohibited under GIPA?

DTC Companies are prohibited from discriminating against a consumer by denying goods, services, or benefits to consumers for exercising any of their rights under GIPA, including by:

• Charging different prices or rates for goods or services, including through the use of discounts or other incentives or imposing penalties;
• Providing a different level or quality of goods, services, or benefits to the consumer;
• Suggesting that the consumer will receive a different price or rate for goods, services, or benefits, or a different level or quality of goods, services, or benefits; or
• Considering the consumer’s exercise of rights under this chapter as a basis for suspicion of criminal wrongdoing or unlawful conduct.

GIPA also prohibits DTC Companies from disclosing a consumer’s genetic data to any entity that is responsible for administering or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment or to any entity that provides advice to an entity that is responsible for performing those functions, unless the receiving entity:

• is not primarily engaged in the provision of insurance or employment of the consumer;
• is not acting in the capacity as a party that is responsible for administering, advising, or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment; and
• any agent or division of the entity that is involved in administering, advising, or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment is prohibited from accessing the consumer’s genetic data.

Finally, DTC Companies are expressly prohibited from inferring a consumer’s consent from inaction or relying on dark patterns to obtain consent.

Enforcement and Penalties

GIPA authorizes the Attorney General, a district attorney, county counsel, city attorney, or city prosecutor in the name of the people of the State of California to bring actions for relief pursuant to GIPA.  Negligent violations are punishable by a civil penalty of up to $1,000 USD, and willful violations are punishable for not less than $1,000 USD and not more than $10,000 USD.  Each violation is a separate and actionable violation.

Although there is no private right of action under GIPA, the law provides that penalties recovered in an action by the Attorney General or other prosecuting authority “shall be paid to the individual to whom the genetic data at issue pertains.”  This provision may have the effect (intended or not) of encouraging consumers and those acting on their behalf to submit complaints to the Attorney General or other prosecuting authorities for any perceived violations of the law by DTC Companies.

What to Do?

As GIPA’s January 1, 2022 effective date approaches, we offer the following suggestions for companies that operate in and around the genetic testing space.

• Evaluate whether your company falls within the definition of a DTC Company, or acts as a service provider to customers that do.
• If your company qualifies as a DTC Company, or acts as a service provider to customers that do, evaluate GIPA’s exemptions and exclusions to determine whether your handling of that data falls outside of GIPA’s scope.
• If your company cannot escape application of GIPA through an exemption or exclusion, then consider:
  • What updates need to be made to your privacy policy and other notices that you provide to California consumers?
  • Whether you have the requisite security measures, access mechanisms, policies, and procedures in place to meet the above obligations?
  • What amendments need to be made to your agreements with any service providers to whom you provide Genetic Data?
  • If you are a service provider, whether to proactively seek amendment of any agreements you have with your DTC Company customers?
  • Whether to extend the rights that GIPA requires DTC Companies to provide to California residents to individuals in other jurisdictions?