On September 08, 2021, the California State Senate passed Senate Bill (SB-41) on genetic testing companies’ data practices.
Key highlights:
- Genetic data has been defined as:
(A) any data, regardless of its format, that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from the analysis of the biological sample, and any information extrapolated, derived, or inferred therefrom.
(B) “Genetic data” does not include de-identified data. For purposes of this subparagraph, “deidentified data” means data that cannot be used to infer information about, or otherwise be linked to, a particular individual, provided that the business that possesses the information does all of the following:
(i) Takes reasonable measures to ensure that the information cannot be associated with a consumer or household.
(ii) Publicly commits to maintain and use the information only in deidentified form and not to attempt to reidentify the information, except that the business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this subparagraph, provided that the business does not use or disclose any information reidentified in this process and destroys the reidentified information upon completion of that assessment.
(iii) Contractually obligates any recipients of the information to take reasonable measures to ensure that the information cannot be associated with a consumer or household and to commit to maintaining and using the information only in deidentified form and not to reidentify the information.
(C) “Genetic data” does not include data or a biological sample to the extent that data or a biological sample is collected, used, maintained, and disclosed exclusively for scientific research conducted by an investigator with an institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, in compliance with all applicable federal and state laws and regulations for the protection of human subjects in research, including, but not limited to, the Common Rule pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, United States Food and Drug Administration regulations pursuant to Parts 50 and 56 of Title 21 of the Code of Federal Regulations, the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g), and the Protection of Human Subjects in Medical Experimentation Act, Chapter 1.3 (commencing with Section 24170) of Division 20 of the Health and Safety Code.
- A direct-to-consumer genetic testing company is required to do both of the following:
1. Provide clear and complete information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data by making available to a consumer all of the following:
(i) A summary of its privacy practices, written in plain language, that includes information about the company’s collection, use, maintenance, and disclosure, as applicable, of genetic data.
(ii) A prominent and easily accessible privacy notice that includes, at a minimum, complete information about the company’s data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices, and information that clearly describes how to file a complaint alleging a violation of this chapter, pursuant to subdivision (c) of Section 56.182.
(iii) A notice that the consumer’s de-identified genetic or phenotypic information may be shared with or disclosed to third parties for research purposes in accordance with Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations.
2. Obtain a consumer’s express consent for collection, use, and disclosure of the consumer’s genetic data, including, at a minimum, separate and express consent.