Golden State Killer, Genetic Data, and Now GIPA: California's Genetic Information Privacy Act Takes Effect
GIPA was enacted to alleviate concerns that outside parties might exploit genetic data for questionable purposes, including mass surveillance and tracking individuals without authorization. Many may recall the Golden State serial killer case that was solved due to a family member's DNA being uploaded into a home testing system. This led to numerous ethical debates tied to the use of DNA collected from at-home tests. Senator Tom Umberg, the bill's author, declared that "at-home DNA tests have provided people with the ability to seek meaningful connections to long-lost family or their own cultural and religious histories," but noted that many consumers do not know that "this data can then legally be shared with third parties or potentially used against them in a variety of ways." Given that few laws outside of general privacy laws require disclosure of data practices for genetic testing companies, GIPA implements requirements to address these concerns.
To Whom Does GIPA Apply?
GIPA regulates "direct-to-consumer genetic testing companies," or any other company that collects, uses, maintains, or discloses genetic testing data collected or derived from a direct-to-consumer genetic testing product or service, or provided directly by a consumer.
- "Direct-to-consumer genetic testing company" means:
an entity that: (A) Sells, markets, interprets, or otherwise offers consumer-initiated genetic testing products or services directly to consumers; or (B) Analyzes genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition.
- "Genetic testing" means:
any laboratory test of a biological sample from a consumer for the purpose of determining information concerning genetic material contained within the biological sample, or any information extrapolated, derived, or inferred therefrom.
What Is Regulated by GIPA?
GIPA regulates the collection, use, and disclosure of "consumer" "genetic data." GIPA also regulates "biological samples."
- "Consumer" means a natural person who is a California resident.
- "Genetic data" means "any data, regardless of its format, that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained, and concerns genetic material."
It is important to note that the definition of genetic data excludes data that cannot be used to infer information about, or otherwise be linked to, a particular individual.
What Does This Law Require?
GIPA requires direct-to-consumer genetic testing companies to obtain a consumer's express consent for each of the following actions:
- The use of genetic data collected through a genetic testing product or service offered by the direct-to-consumer genetic company. The consent must describe who has access to genetic data, how genetic data may be shared, and the specific purposes for which it will be collected and used.
- The storage of a consumer's biological sample after the consumer's initial testing has been completed.
- Each use of the consumer's genetic data or biological sample beyond uses is associated with the primary purpose of the genetic testing or service.
- Each transfer or disclosure of the consumer's genetic data or biological sample to a third party other than to a service provider.
- The consent must include the name of the third party to which the consumer's genetic data or biological sample will be transferred or disclosed.
- Marketing is directed towards a consumer based on the consumer's genetic data, or the company's facilitation of marketing by a third party based on the consumer's order, purchase, or use of a DTC Company's genetic testing product or service.
GIPA also requires effective mechanisms for a consumer to revoke consent. Revocation of consent shall be honored "as soon as practicable, but no later than 30 days." Finally, GIPA limits the disclosure of a consumer's genetic data. Specifically, a direct-to-consumer genetic testing company shall not disclose a consumer's genetic data to any entity that is responsible for administering or making decisions regarding health insurance, life insurance, long-term care insurance, or disability insurance.
Exclusions: COVID Tests and Others
Given Governor Newsom's former concern about GIPA's interference with mandatory COVID-19 testing reporting, the law does not apply to tests that are conducted exclusively to diagnose whether an individual has a specific disease. This carveout illustrates the continued push for health and safety amidst the ongoing pandemic.
Additionally, GIPA does not apply to:
- Medical information and health care providers covered by the Confidentiality of Medical Information Act
- A business associate of a covered entity governed by the privacy, security, and data breach notification rules under HIPAA
- Scientific research or educational activities conducted by a public or private nonprofit postsecondary educational institution that holds an assurance with the United States Department of Health and Human Services; and
- The California newborn screening program.
What To Do
In light of the new guidelines, direct-to-consumer testing companies that handle genetic information should review their practices and ensure that the proper methods are in place. As the law is now effective, companies in this space should carefully review and confirm compliance. Failure to comply may result in civil penalties.
Arent Fox's Privacy, Cybersecurity & Data Protection group will continue to monitor this issue. For more information or to otherwise discuss questions, please contact Eva Pulliam, Christine Chong, Destiny Planter, or the Arent Fox attorney with whom you regularly work.
- Related Practices