On June 17, 2023, Texas enacted legislation (the “Legislation”) limiting use of genetic data by certain genetic data testing companies, joining a number of other states in tackling the ever-increasing privacy concerns surrounding health and genetic information.
Application
As a starting point, the Legislation imposes a number of obligations on “direct-to-consumer genetic testing companies” (the “Companies”) which include entities that offer genetic testing products or services directly to consumers and which also collect, use, or otherwise analyze genetic data derived from individuals using such products/services.[1] For purposes of the Legislation, “genetic data” is defined as including any data regarding an individual’s genetic characteristics.[2] This concept would include raw sequence data, genotypic and phenotypic information derived from raw sequence data, and information regarding health conditions that an individual reports to a company and which the company uses for scientific research, product development, or in analysis of such individual’s raw sequence data.[3] Notably, the definition excludes de-identified information and protected health information collected by a covered entity or business associate under HIPAA.[4]
Significantly, the Legislation provides that an individual “has a property right in, and retains the right to exercise exclusive control over, the individual’s biological sample that is provided to or used by a direct-to-consumer genetic testing company and the results of genetic testing or analysis . . .”[5] From that central touchpoint, the Legislation limits Companies’ use and disclosure of genetic data.
Limitations on Use and Disclosures
The Legislation prohibits a Company from disclosing genetic data to a governmental body or law enforcement entity unless the subject of the data in question has consented to disclosure in writing or a warrant has been issued.[6] Similarly, a Company may not disclose genetic data, without the subject’s written consent, to the subject’s employer or an entity which offers health insurance, life insurance, or long-term care insurance.[7]
In addition, the Legislation requires that Companies which possess de-identified information complete each of the following:
- Implement administrative and technical measures to ensure that data is not associated with individuals; [8]
- Implement a comprehensive security program to protect genetic data against unauthorized use, disclosure, or access;[9]
- Publicly commit to use and store data in a de-identified format, while also committing to refrain from attempting to identify an individual through use of such de-identified data; [10]
- To the extent the Company shares de-identified data with a third party, establish a contract prohibiting such third party from attempting to identify individuals through use of de-identified data;[11]
- Publish a publicly available privacy policy that includes a high-level summary of essential information about such Company’s use, disclosure, and collection of genetic data;[12]
- Publish a prominent privacy notice that includes information about the Company’s practices with respect to data collection, consent, use, access, disclosure, transfer, security, retention, and deletion;[13] and
- Establish a process through which an individual can access, delete, or destroy such data.[14]
In addition, prior to collecting, using, or disclosing an individual’s genetic data, a Company must provide such individual with information outlining its collection, use, and disclosure of genetic data.[15]
The Legislation also imposes a number of consent requirements for Companies seeking to transfer or disclose genetic data for purposes unrelated to the testing product or service for which the data was obtained, for research, and for marketing, among other activities.[16]
Additional Considerations
A Company that violates the Legislation may be liable for a civil penalty up to $2,500 per violation.[17] In addition, the Legislation empowers the Texas Attorney General to bring an action to recover said civil penalty.[18]
The Legislation is slated to take effect on September 1, 2023.
FOOTNOTES
[1] Section 503A.001(3).
[2] Section 503A.001(6).
[3] Section 503A.001(6)(A).
[4] Section 503A.001(6)(B); Section 503A.002(b)(2).
[5] Section 503A.003.
[6] Section 503A.007(a).
[7] Section 503A.007(b).
[8] Section 503A.004(a)(1).
[9] Section 503A.005(a)(1).
[10] Section 503A.004(a)(2).
[11] Section 503A.004(b).
[12] Section 503A.005(a)(2)(A).
[13] Section 503A.005(a)(2)(B).
[14] Section 503A.005(c).
[15] Section 503A.005(b).
[16] Section 503A.006.
[17] Section 503A.008(a).
[18] Section 503A.008(b).
