USA-California | Bill establishing Genetic Information Privacy Act (GIPA) passed by Senate and awaiting Governor’s assent

The Government of California has passed Senate Bill 41 on September 9, 2021. The Bill seeks to establish Genetic Information Privacy Act (GIPA). The Bill is awaiting Governor Newsom’s assent and once signed, it will come into force on January 1, 2022. The GIPA will enforce privacy requirements on direct-to-consumer genetic testing companies (DTC Companies).

Key highlights of the Bill are:

• The Bill aims to improve privacy protections for “genetic data” which is not protected by the Confidentiality of Medical Information Act (CMIA) or Health Insurance Portability and Accountability Act (HIPAA).
• GIPA defines DTC Companies as entities that do any of the following:

1. Sell, market, interpret, or otherwise offer consumer-initiated genetic testing products or services directly to consumers;
2. Analyze genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition; or
3. Collect, use, maintain, or disclose genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer.

• GIPA shall impose a standard requiring that data cannot be used to infer information about, or otherwise be linked to, a particular individual and requires that DTC Companies do all of the following:

1. Take reasonable measures to ensure that the information cannot be associated with a consumer or household.
2. Publicly commit to maintain and use the information only in de-identified form and not to attempt to re-identify the information.
3. Contractually obligate any recipients of the information to take reasonable measures to ensure that the information cannot be associated with a consumer or household and to commit to maintaining and using the information only in de-identified form and not to re-identify the information.

• GIPA would need DTC Companies to provide consumers with information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure of genetic data, and to obtain an express authorization for collection, use, or disclosure of consumers’ genetic data, subject to limited exceptions for research and educational purposes.
• GIPA would also require DTC Companies to honor any revocation of consent to use, collect, or disclose a consumer’s genetic data and destroy a consumer’s biological sample within 30 days of their revocation of consent.
• DTC Companies would need to implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data.
• In contravention of the provisions under GIPA, penalties up to $10,000 per violation plus court costs, can be imposed, depending on whether negligence or willful conduct was involved.

*Tanvi Singh, Editorial Assistant has reported this brief.