This bill requires a direct-to-consumer genetic testing company to do the following:
(1) Provide to a consumer essential information about the company’s collection, use, and disclosure of genetic data and a prominent, publicly available privacy notice that includes information about the company’s data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices;
(2) Obtain a consumer’s initial express consent for collection, use, or disclosure of the consumer’s genetic data that clearly describes the company’s use of the genetic data that the company collects through the company’s genetic testing product or services; specify who has access to test results; and specify how the company may share the genetic data;
(3) Obtain a consumer’s separate express consent for the transfer or disclosure of the consumer’s genetic data to a person other than the company’s vendors and service providers; the use of genetic data beyond the primary purpose of the company’s genetic testing product or service; or the company’s retention of a biological sample provided by the consumer following the company’s completion of the initial testing service requested by the consumer. However, such a company with a first-party relationship to a consumer may, without obtaining the consumer’s express consent, provide customized content or offers on the company’s website or through the company’s application or service;
(4) Obtain a consumer’s informed consent in accordance with federal law and regulations for the transfer or disclosure of the consumer’s genetic data to a third party for research purposes for research conduct under the control of the company for the purpose of publication or generalizable knowledge;
(5) Obtain a consumer’s express consent for marketing to a consumer based on the consumer’s genetic data or marketing by a third-party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service;
(6) Require valid legal process for the company’s disclosure of a consumer’s genetic data to law enforcement or a government entity without the consumer’s express written consent;
(7) Develop, implement, and maintain a comprehensive security program to protect a consumer’s genetic data against unauthorized access, use, or disclosure; and
(8) Provide a process for a consumer to access the consumer’s genetic data; delete the consumer’s account and genetic data; and destroy the consumer’s biological sample.
Additionally, this bill prohibits such a company from disclosing a consumer’s genetic data without first obtaining the consumer’s written consent to an entity that offers health insurance, life insurance, or long-term care insurance; or an employer of the consumer.
REMEDIES
This bill requires the division of consumer affairs in the office of the attorney general ("division") to enforce this bill and establish a means by which a consumer is able to submit a complaint for a violation.
APPLICABILITY
This bill does not apply to protected health information that is collected by a covered entity or business associate; a public or private institution of higher education; or an entity owned or operated by a public or private institution of higher education. This bill applies to conduct occurring on or after July 1, 2023.
RULEMAKING
This bill requires the division to promulgate rules to effectuate this bill.
ON APRIL 6, 2023, THE HOUSE ADOPTED AMENDMENT #1 AND PASSED HOUSE BILL 1310, AS AMENDED.
AMENDMENT #1 makes the following changes to this bill:
(1) Clarifies that deidentified data also includes data that meets the standard for deidentification under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) and rules promulgated pursuant to that act;
(2) Adds that “direct-to-consumer genetic testing company” or “company” also includes an entity that collects, uses, or analyzes genetic data that resulted from a direct-to-consumer genetic testing product or service and was provided to the company by a consumer, but does not include a law enforcement agency; or an entity that is, and only while, engaged in collecting, using, or analyzing genetic data or biological samples in the context of research that is conducted in accordance with federal law or regulation; and
(3) Adds that this act also does not apply to:
(A) Biomedical or academic research conducted by a research hospital, academic medical center, or other entity affiliated with such hospital or medical center that is not a direct-to-consumer genetic testing company;
(B) Genetic data that is shared with or by a research hospital, academic medical center, or other entity affiliated with such hospital or medical center that is not a direct-to-consumer genetic testing company for the purposes of biomedical or academic research or to find causes of or cures for a disease or medical condition; or
(C) The sharing of genetic data that does not require consent pursuant to the Federal Policy for the Protection of Human Subjects.