With the focus on personal privacy increasing, it is unsurprising that additional laws are being proposed to expand privacy rights, including the California Privacy Rights Act initiative on the ballot this upcoming November. More immediately, the California legislature passed, and Governor Newsom signed, the Genetic Information Privacy Act ("GIPA"). GIPA specifically targets biometric information, prompted by the growth of genetic tracing services such as 23andMe and Ancestry.com, and adds further protections for genetic privacy. The passage of GIPA raises several questions: which businesses are affected? What penalties or causes of action, if any, exist under the new law? How does the law work alongside the CCPA?
WHAT IS IN THE LAW?
The law requires notices and actual, express consent from consumers for direct-to-consumer genetic testing companies, and for any other company that collects, uses, maintains, or discloses information collected from biometric samples or from any other element concerning genetic material (i.e., genes). The express consent provision in particular requires that consent be obtained for: (1) the use of the data for the specific purposes of the genetic testing product being provided; (2) the storage of the consumer's biometric sample after testing is complete; (3) each use of the genetic data or sample beyond what was originally intended; (4) each transfer or disclosure to a third party other than a service provider, including that third party's name; and (5) any marketing based on the genetic data. In essence, unless a consumer explicitly opts in, these companies cannot store, use, or market based on the genetic information.
WHAT ARE THE PENALTIES?
The penalties for not following GIPA are akin to those under the CCPA: a $1,000 fine plus court costs for negligent violations, and $10,000 for willful violations. Furthermore, unlike the CCPA, this law does include a private right of action, allowing a person who has suffered injury in fact, or has lost money or property, as a result of a violation to bring a claim. In essence, this increases the damages exposure of a company that fails to reasonably secure genetic information against data breaches, though plaintiffs may have difficulty showing that money or property was lost due to the exposure of their genetic information, unlike under the CCPA, which provides statutory damages for the breach itself.
HOW DOES THIS INTERACT WITH THE CCPA?
Both laws will be in effect at the same time, and these companies will be obliged to provide additional notices beyond those required under the CCPA. The two laws also protect largely the same information, since the CCPA protects biometric data, which overlaps substantially with the genetic information protected under GIPA. GIPA and the CCPA both require that reasonable security be used to protect the consumer's genetic information. GIPA goes further, however, in also requiring reasonable security against unauthorized destruction. Notably, GIPA relies on the same "reasonable security" language as the CCPA.
WHAT SHOULD A BUSINESS DO?
Ultimately, the biggest change for genetic testing companies under GIPA may be an increased reliance on consumer accounts that let consumers log in, view, and manage their data in order to give the individualized consents; an increased reliance on click-wrap agreements that require consumers to scroll through, read, and accept actions by the company before the company takes them; or a combination of the two.
For other businesses, GIPA provides an opportunity to adopt stricter privacy practices and present them as a benefit to consumers, since GIPA's requirements largely surpass those under the CCPA.