Privacy Law Essentials: California's Genetic Information Privacy Act

Hinshaw Privacy & Cyber Bytes - Insights on Compliance, Best Practices, and Trends

California Governor Newsom signed the Genetic Information Privacy Act (GIPA) into law on October 6, 2021. GIPA requires direct-to-consumer genetic testing companies to comply with certain privacy and data security requirements such as requiring consumers' affirmative consent regarding the collection, use, maintenance, and disclosure of genetic data, and enabling consumers to access and destroy their genetic data.

To whom does it apply?

GIPA applies to companies that:

  • Sell, market, interpret, or otherwise offer direct-to-consumer genetic testing products or services;
  • Analyze genetic data obtained from consumers;
  • Collect, use, maintain, or disclose genetic data collected or derived from a direct-to-consumer genetic testing product or service, or directly provided by a consumer.

To whom does it not apply?

Licensed medical providers who are actively diagnosing or treating a patient's medical condition.

What types of information would it cover?

GIPA covers "genetic data," which is defined as any data, regardless of the format, that results from analysis of a biological sample from a consumer or from another element enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, SNPs, uninterpreted data that results from analysis of the biological sample, and any information extrapolated, derived, or inferred from materials in this list.

Genetic data does not include de-identified data, or a biological sample to the extent that data or a biological sample is collected, used, maintained, and disclosed exclusively for scientific research under very particular circumstances described in the law.

What rights does it create?

GIPA creates safeguards for privacy, security, and confidentiality for consumers of direct-to-consumer genetic testing. It ensures that consumers receive the required notice and have the ability to revoke consent for the use, collection, or disclosure of the consumer's genetic data.

What obligations does it impose?

Under GIPA, companies must do the following, among other requirements identified within the statute:

  • Provide clear and complete information regarding the company's policies and procedures for the collection, use, maintenance, and disclosure of genetic data;
  • Obtain a consumer's express consent for the collection, use, and disclosure of the consumer's genetic data;
  • Provide effective mechanisms, without dark patterns, by which a consumer may revoke consent;
  • Implement and maintain reasonable security procedures and practices to protect a consumer's genetic data against unauthorized access, destruction, use, modification, or disclosure; and
  • Not discriminate against a consumer because the consumer exercised any of the consumer's rights under GIPA.

How will it be enforced?

Consumers who have suffered injury in fact and lost money or property as a result of a violation of GIPA will have a private right of action. The California Attorney General and local government counsel will also enforce GIPA through civil penalties.

Where does it stand?

GIPA will go into effect on January 1, 2022.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hinshaw Privacy & Cyber Bytes - Insights on Compliance, Best Practices, and Trends | Attorney Advertising
