On January 01, 2022, the Senate Bill (‘SB’) 41 which establishes the Genetic Information Privacy Act entered into effect, following its approval by the California Governor on 6 October 2021.
Applicability: The Act applies to direct-to-consumer genetic testing companies.
Key Features:
Direct-to-consumer genetic testing company must:
-
Provide clear and complete information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure of genetic data.
-
Obtain a consumer’s express consent for collection, use, and disclosure of the consumer’s genetic data, including, at a minimum, separate and express consent for each of the following:
-
- The use of the genetic data collected through the genetic testing product or service offered to the consumer, including who has access to genetic data, and how genetic data may be shared, and the specific purposes for which it will be collected, used, and disclosed.
- The storage of a consumer’s biological sample after the initial testing requested by the consumer has been fulfilled.
- Each use of genetic data or the biological sample beyond the primary purpose of the genetic testing or service and inherent contextual uses.
- Each transfer or disclosure of the consumer’s genetic data or biological sample to a third party other than to a service provider, including the name of the third party to which the consumer’s genetic data or biological sample will be transferred or disclosed.
- The marketing or facilitation of marketing to a consumer based on the consumer’s genetic data or the marketing or facilitation of marketing by a third party based upon the consumer having ordered, purchased, received, or used a genetic testing product or service.
- Implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure.
- Develop procedures and practices to enable a consumer to easily do any of the following:
-
- Access the consumer’s genetic data.
- Delete the consumer’s account and genetic data, except for genetic data that is required to be retained by the company to comply with applicable legal and regulatory requirements.
- Have the consumer’s biological sample destroyed.