California’s governor recently signed SB 41 into law. The bill enacts the Genetic Information Privacy Act (GIPA). The governor rejected a similar bill last year over concerns about COVID-19 public health efforts. To address that concern, this bill exempts tests used to diagnose whether an individual has a specific disease.

California’s law adds to the existing federal and state patchwork of laws governing genetic information. It largely mirror’s Utah’s Genetic Information Privacy Act enacted earlier this year (we discussed here). Generally, the law creates requirements for: (1) notice; (2) consent; (3) data security; and (4) individual rights, which we discuss in more detail below.

Applicability: The law applies to a “direct-to-consumer genetic testing company” that collects genetic data from “consumers” (i.e., California residents). “Genetic data” broadly means any data that results from an analysis of a biological sample or an equivalent element from a consumer that concerns genetic material. This includes DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, and SNPs. The definition does not include deidentified data or data that is processed exclusively for condoned scientific research.

Requirements: The obligations under the law are described in more detail below.

  • Notice. Companies subject to GIPA must provide consumers with a clear and complete summary of its privacy practices. This includes giving information about the company’s use, maintenance, and disclosure of genetic data. As a separate requirement, companies must also display a prominent and accessible privacy notice. The notice must include “complete” information about the company’s data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices. It must also explain how to file a complaint under the Act. Lastly, the law requires notice to consumers that deidentified genetic information may be shared with third parties for research purposes.
  • Data Use and Consent. Under GIPA companies must get consumers’ express consent for collection, use, and disclosure of genetic data. Separate, express consent must also be obtained for (1) the storage of a biological sample after initial testing has been fulfilled; (2) use of genetic data beyond the primary purpose of the testing or service; and (3) transfer of genetic data to a third party (other than a service provider). Express consent is also required for direct marketing based on a consumer’s genetic data or third party marketing based on the consumer’s order, purchase, reception, or use of a genetic testing product or service. However, consent is not needed to market on the company’s own website or mobile application, so long as the marketing is not based on information specific to the consumer. If a company conducts this kind of marketing, the ad itself has to be “prominently labeled as advertising” and include the name of any third parties who “contributed to the placement” of the ad. Companies must provide mechanisms for a consumer to revoke consent after it is given. Requests to revoke consent must be honored no later than 30 days after receipt of the request.
  • Data security. Companies must implement and maintain reasonable security procedures and practices. Those practices need to be designed to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure.
  • Individual rights. GIBA requires that companies put procedures in place so consumers can access their genetic data. Consumers must also be able to delete their account or genetic data and to destroy biological samples. Companies cannot discriminate against consumers for exercising any of these rights.

Enforcement: GIPA may be enforced by the Attorney General, district attorneys, county counsel, and city attorneys and prosecutors with appropriate authorization. In addition to court costs, these actors can recover up $1,000 in civil penalties for a negligent violation and up to $10,000 for willful violations. Any recovered penalty will be paid to the individual whose genetic data is at issue.

Effective Date: The law is expected to go into effect on January 1, 2022.

Putting it Into Practice: Direct-to-consumer companies are facing increased notice and consent requirements under state laws. This is particularly true for companies collecting health, medical, genetic, or biometric data that are not regulated by HIPAA. As more states develop genetic privacy laws, these companies should continue to be mindful of  requirements around notice, individual rights, and data security.