California Passes the Genetic Information Privacy Act

Baraa Kahf

UPDATE: On September 25, 2020, Governor Gavin Newsom vetoed the California Genetic Information Privacy Act (“GIPA”).

On August 31, 2020, the California Legislature passed the Genetic Information Privacy Act (“GIPA”), which regulates the privacy and security aspects of Direct-to-Consumer (“DTC”) genetic testing and testing companies. If Governor Gavin Newsom signs GIPA into law, it will take effect on January 1, 2021.

A DTC genetic test provides consumers access to their genetic information in a variety of formats without necessarily involving their healthcare providers. The most notable examples of DTC genetic testing companies include 23andMe and Family Tree DNA, among others. A number of DTC genetic testing companies also provide other tailored genetic tests for a diverse range of purposes, including identifying consumers’ genetic ancestry, food sensitivities, and predisposition to harmful diseases. Undoubtedly, DTC genetic testing has beneficial applications, but it also presents data privacy and security risks if left unregulated.

Federal law already regulates genetic tests for safety through the Food and Drug Administration, the Centers for Medicare and Medicaid Services, and the Federal Trade Commission. The Genetic Information Nondiscrimination Act also prevents discrimination in hiring or medical care based on a person’s genetic proclivities. These laws, however, do not comprehensively regulate the privacy and security concerns of DTC genetic testing, which GIPA aims to address.

GIPA applies to companies that sell, market, interpret, or otherwise offer DTC genetic testing products or services and to companies that analyze genetic data obtained from consumers. GIPA, however, exempts licensed medical providers who are actively diagnosing or treating a patient’s medical condition.

From a security perspective, GIPA requires DTC genetic testing companies to “[i]mplement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure.” Like other data privacy and security laws, GIPA does not specifically state what constitutes “reasonable” security; it leaves each company to determine what is reasonable for it based on industry best practices.

On the privacy side, GIPA is much more detailed. GIPA requires DTC genetic testing companies to provide notice to consumers regarding their data handling and privacy practices. DTC genetic testing companies must also obtain consumers’ express consent for collection, use, and disclosure of their genetic data and separate express consent for each use and disclosure of their genetic data. Further, GIPA requires companies to enable users to access and delete their genetic data, and to comply with a consumer’s request to destroy any genetic samples, subject to some federal provisions for regulatory compliance, within thirty days of the request.

In sum, DTC genetic testing companies should assess gaps in their data privacy and security procedures and ensure compliance with GIPA. Failure to comply with this law carries stiff penalties: up to $1,000 for each negligent violation, and $1,000 to $10,000 per incident for intentional violations. If these penalties are aggregated in a class action lawsuit, companies could face significant liability for GIPA violations.