Privacy Law Essentials: California's Genetic Information Privacy Act
California Governor Newsom signed the Genetic Information Privacy Act (GIPA) into law on October 6, 2021. GIPA requires direct-to-consumer genetic testing companies to comply with certain privacy and data security requirements such as requiring consumers' affirmative consent regarding the collection, use, maintenance, and disclosure of genetic data, and enabling consumers to access and destroy their genetic data.
To whom does it apply?
GIPA applies to companies that:
- Sell, market, interpret, or otherwise offer direct-to-consumer genetic testing products or services;
- Analyze genetic data obtained from consumers;
- Collect, use, maintain, or disclose genetic data collected or derived from a direct-to-consumer genetic testing product or service, or directly provided by a consumer.
To whom does it not apply?
Licensed medical providers who are actively diagnosing or treating a patient's medical condition.
What types of information would it cover?
GIPA covers "genetic data," which is defined as any data, regardless of the format, that results from analysis of a biological sample from a consumer or from another element enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, SNPs, uninterpreted data that results from analysis of the biological sample, and any information extrapolated, derived, or inferred from materials in this list.
Genetic data does not include de-identified data, or a biological sample to the extent that data or a biological sample is collected, used, maintained, and disclosed exclusively for scientific research under very particular circumstances described in the law.
What rights does it create?
GIPA creates safeguards for privacy, security, and confidentiality for consumers of direct-to-consumer genetic testing. It ensures that consumers receive the required notice and have the ability to revoke consent for the use, collection, or disclosure of the consumer's genetic data.
What obligations does it impose?
Under GIPA, companies must do the following, among other requirements identified within the statute:
- Provide clear and complete information regarding the company's policies and procedures for the collection, use, maintenance, and disclosure of genetic data;
- Obtain a consumer's express consent for the collection, use, and disclosure of the consumer's genetic data;
- Provide effective mechanisms, without dark patterns, for how a consumer may file to revoke consent;
- Implement and maintain reasonable security procedures and practices to protect a consumer's genetic data against unauthorized access, destruction, use, modification, or disclosure; and
- Not discriminate against a consumer because the consumer exercised any of the consumer's rights under GIPA.
How will it be enforced?
Consumers who have suffered injury in fact and lost money or property as a result of a violation of GIPA will have a private right of action. The California Attorney General and local government counsel will also prosecute violations of GIPA through civil penalties.
Where does it stand?
GIPA will go into effect on January 1, 2022.