On August 31, 2020, the California Senate passed SB 980, establishing the Genetic Information Privacy Act (the Act). Presented to Governor Gavin Newsom on September 9, 2020, the Act would require direct-to-consumer genetic testing companies to comply with certain privacy and data security provisions. Governor Newsom has until September 30, 2020 to sign the Act into law. Whether the Act is ultimately signed into law and made a part of the California privacy landscape remains to be seen. Yet the Genetic Information Privacy Act is the latest effort by The Golden State to impose additional data privacy restrictions and extend rights to consumers concerning personal information. 

The Act would require that any "direct-to-consumer genetic testing company" – defined as any company that sells, markets, interprets, or otherwise offers consumer-initiated genetic testing products or services directly to consumers, or analyzes genetic data obtained from consumers (except by licensed providers diagnosing or treating a medical condition) – implement safeguards to protect the privacy, confidentiality, security, and integrity of a consumer's genetic data. The Act creates both obligations for covered businesses and rights for consumers.

Under the Act, direct-to-consumer genetic testing companies would be required to: 

  • Provide consumers with clear and complete notice regarding the company's policies and procedures for the collection, use, maintenance, and disclosure (as applicable) of genetic data by making available to the consumer a summary of the business' privacy practices with regard to genetic data, the business' privacy policy, and notice related to any potential disclosure of genetic information;
  • Obtain consumers' express consent for collection, use, and disclosure of their genetic data;
  • Provide effective mechanisms for a consumer to revoke consent after it is given, which will be honored "as soon as practicable, but not later than 30 days" after the individual revokes consent;
  • Not disclose a consumer's genetic data to certain entities (e.g., those responsible for making decisions regarding health insurance, life insurance, or employment); and 
  • Not discriminate against a consumer for exercising their prescribed rights.

Furthermore, direct-to-consumer genetic testing companies would be required to develop procedures and practices to enable a consumer to easily accomplish the following:

  • Access their genetic data;
  • Delete their account and genetic data (except as required to comply with applicable law); and
  • Request that their biological samples be destroyed.

The Act would impose civil penalties and would be enforceable by the California Attorney General or other public prosecutors, but does not create a private right of action. Covered businesses would face penalties of up to $1,000 per negligent violation or between $1,000 and $10,000 for willful violation, plus court costs. 

The passage of the Genetic Information Privacy Act underscores the continuously shifting privacy landscape that companies must navigate day-to-day. Indeed, California's recent legislative efforts represent just one way in which the privacy terrain has become less and less stable – from the California Attorney General's promulgation of final regulations implementing the CCPA to the Court of Justice of the European Union's invalidation of the EU-U.S. Privacy Shield under Schrems II, 2020 has brought about a sea change in privacy compliance efforts. Accordingly, companies should routinely assess whether their operations are in line with current data privacy regime requirements.
