On January 1, 2022, a new privacy statute, GIPA (the Genetic Information Privacy Act), will introduce significant protections for California residents who undergo non-medical genetic testing. Some 30 million people have spat in a tube and shared their unique genetic data with prominent genealogy companies, like Ancestry.com and 23andMe. Customers expect their DNA will be used for tracking down distant relatives and discovering new branches on the family tree. But very few will study the lengthy disclosures indicating how their personal genetic information might be sold or shared with third parties. A broader concern is that, once genetic data is uploaded to a digital database, it can potentially be exposed to accidental data breach or cyber-theft, like any other information stored in “the cloud.” As the genomics industry continues to evolve, GIPA will hopefully protect California residents from having their genetic data shared with third parties without their consent or knowledge.
- As of January 1st 2022, affected companies will need to update their customer consent forms so that they satisfy the “plain language” requirements of the new law.
- Specific consent forms for data transfers and sales to third parties will need to identify the third-party recipient by name. Considering the implausibility of obtaining consent from users who have ceased using the web interface, this law may render much of these databases useless for remarketing to for-profit entities.
- In general, policies and procedures regarding the collection, use, and maintenance of genetic data will also need to be prominent and easily accessible on company websites, so consumers can learn how their information is being used.
- In addition, companies will need to create straightforward mechanisms allowing consumers the ability to delete their accounts, revoke consent, and request that their biological data be destroyed.
A negligent violation of the statute can be assessed a civil penalty of $1,000, while the penalty for an intentional violation is set between $1,000 and $10,000. As each violation is “separate” and “actionable”, liability for a mass data breach is immense. The statute itself stipulates that public attorneys can prosecute actions for relief. This is in addition to potential class-action claims.
Who is Exempt
A number of service providers and professionals are excluded from the reach of GIPA:
- Licensed medical professionals who use biological data solely for diagnosing and treating patients.
- Covid-19 testing companies. (A previous iteration of the bill, which would have impacted pandemic testing, was vetoed by Governor Newsom.)
- There are also some use exclusions for “deidentified data,” where the genetic data cannot be matched with a particular person. Under certain circumstances, database information can be shared with an educational non-profit for scientific purposes.
If the Law Applies to You…
If your business is in possession of a genetic database, transports biometric samples, or engages in genomics research and development, there are some immediate steps to take. We recommend the following:
- Businesses involved in marketing, selling, interpreting, or analyzing direct-to-consumer genetic testing should review and update their consent forms.
- Website information may require extensive review and updating so information is easily accessed and comprehended by consumers.
- Risk analysis. Companies that store genetic information, digitally or physically, should review their security precautions. Even companies that maintain genetic databases but do not offer DTC genetic testing must comply with the new statute.
We invite you to contact us with any additional information you have obtained regarding this important matter.
Yehuda Hausman, Law Clerk
Harry Nelson, Managing Partner
*This article is provided for educational purposes only and is not offered as, and should not be relied on as, legal advice. Any individual or entity reading this information should consult an attorney for their particular situation.*