HB21INTRODUCED
Page 0
HB21
YRDF66-1
By Representative Brown
RFD: Judiciary
First Read: 05-Feb-24
2024 Regular Session
1
2
3
4
5
6 YRDF66-1 09/26/2023 JC (L)tgw 2023-2837
Page 1
2024 Regular Session
SYNOPSIS:
Existing law provides no privacy protection to
consumers who submit biological samples for testing to
genetic testing companies.
This bill would require genetic testing
companies to obtain express consent from consumers in
order to retain, use, and share consumers' genetic
information with other entities.
This bill would also create a civil penalty for
use and disclosure by testing companies of consumer
genetic information without consent and provide for
enforcement by the Office of the Attorney General.
A BILL
TO BE ENTITLED
AN ACT
Relating to consumer privacy; to require genetic
testing companies to protect the confidentiality of customers'
genetic information; to require customer consent for certain
uses by genetic testing companies of genetic information; and
to further provide a civil penalty for violations of this act
to be enforced by the Attorney General.
BE IT ENACTED BY THE LEGISLATURE OF ALABAMA:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28 HB21 INTRODUCED
Page 2
BE IT ENACTED BY THE LEGISLATURE OF ALABAMA:
Section 1. This act shall be known as the "Alabama
Genetic Data Privacy Act."
Section 2. For purposes of this act, the following
words have the following meanings:
(1) BIOLOGICAL SAMPLE. Any human material known to
contain DNA, including, but not limited to, tissue, saliva,
blood, or urine.
(2) CONSUMER. Any individual who is an Alabama
resident.
(3) CONTRACTOR. A person that contracts with a genetic
testing company to provide a service necessary to the genetic
testing company's consumer products or services which requires
possession of a consumer's biological sample or genetic data,
including laboratory facilities for genetic testing.
(4) DEIDENTIFIED DATA. Genetic data possessed by a
genetic testing company that cannot reasonably be linked to an
identifiable consumer.
(5) DNA. Deoxyribonucleic acid.
(6) EXPRESS CONSENT. A consumer's acknowledgment or
permission, in writing or captured electronically, to a clear,
meaningful, and prominent written notice regarding the
collection, use, retention, or disclosure of the consumer's
biological sample or genetic data for a specific purpose.
(7) GENETIC DATA. a. Any data derived from analysis of
a biological sample which concerns a consumer's genetic
characteristics and which may include, but is not limited to,
any of the following formats or sources:
1. Raw data that results from sequencing all or a
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56 HB21 INTRODUCED
Page 3
1. Raw data that results from sequencing all or a
portion of a consumer's extracted DNA.
2. Genotypic and phenotypic information obtained from
analyzing a consumer's raw sequence data.
3. Health information self-reported by the consumer to
a genetic testing company to be used by the company in
connection with analyzing the consumer's raw sequence data or
for product development or scientific research.
b. Genetic data does not include deidentified data.
(8) GENETIC TESTING. Laboratory testing of a consumer's
biological sample to analyze DNA, including, but not limited
to, chromosomes and single nucleotide polymorphisms in order
to derive and interpret genetic data.
(9) GENETIC TESTING COMPANY or COMPANY. Any person that
directly solicits a biological sample from a consumer for
analysis in order to provide products or services to the
consumer which include disclosure of information that may
include, but is not limited to, the following:
a. The genetic link of the consumer to certain
population groups based on ethnicity, geography, or
anthropology.
b. The probable relationship of the consumer to other
individuals based on matching DNA for purposes that include
genealogical research.
c. Recommendations to the consumer for managing
wellness which are based on physical or metabolic traits,
lifestyle tendencies, or disease predispositions that are
associated with genetic markers present in the consumer's DNA.
Section 3. (a)(1) A genetic testing company shall
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84 HB21 INTRODUCED
Page 4
Section 3. (a)(1) A genetic testing company shall
prominently display to a consumer complete information
regarding the company's policies and procedures governing the
collection, use, maintenance, and disclosure of genetic data
in plain language which includes all of the following:
a. A privacy policy overview that includes basic
information about the company's collection, use, or disclosure
of genetic data.
b. A privacy policy notice that sets forth the complete
text of the company's collection, consent, use, access,
disclosure, transfer, security, retention, and deletion
policies or practices.
c. A clear and complete notice that the consumer's
genetic data may be included in deidentified data shared or
disclosed by the company to a third party for research in
compliance with the U.S. Department of Health and Human
Services policy for the protection of human subjects, 45
C.F.R. Part 46.
d. A clear description of how to file a complaint
alleging a violation of this act.
(2) A genetic testing company shall obtain the
consumer's initial express consent for all of the following:
a. Use of the biological sample and resulting genetic
data to provide the product or service ordered by the
consumer.
b. Identification of who may have access to the
biological sample, genetic data, and test results, including a
contractor, in order to fulfill the consumer's order.
c. Permission to retain the biological sample and
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112 HB21 INTRODUCED
Page 5
c. Permission to retain the biological sample and
genetic data for future testing for other products or services
offered by the company.
d. Acknowledgment that the company may seek express
consent in the future to transfer the biological sample or
disclose the genetic data to a third party other than a
contractor for a reason other than fulfillment of an order for
the company's products or services.
e. Permission to market additional customized products
and services to the consumer through the company's online
account portal or electronic application provided to the
consumer.
(3) A genetic testing company shall obtain the
consumer's express consent every time the company does any of
the following:
a. Transferring the biological sample or disclosing the
genetic data to a third party other than a contractor for a
reason other than fulfillment of an order for the company's
products or services.
b. Using the biological sample or genetic data for a
purpose other than the company's products or services ordered
by the consumer.
c. Sharing the consumer's name with a third party to
market the third party's products and services to the
consumer.
(4) A genetic testing company shall obtain the
consumer's informed consent to transfer the biological sample
or disclose the consumer's genetic data in compliance with 45
C.F.R. Part 46, in the following cases:
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140 HB21 INTRODUCED
Page 6
C.F.R. Part 46, in the following cases:
a. For independent research conducted by a third party.
b. For research conducted under the sponsorship of the
genetic testing company for the purpose of product or service
research and development, scientific publication, or promotion
of the company.
(5)a. A genetic testing company shall provide a process
for the consumer to do all of the following:
1. Access the consumer's genetic data.
2. Delete the consumer's account.
3. Request the destruction of the consumer's biological
sample and genetic data.
4. Revoke any express or informed consent given.
b. 1. If the consumer requests the destruction of the
consumer's biological sample and genetic data, the company
shall comply with the request as soon as reasonably possible,
but no more than 30 days after the request is made.
2. If the consumer revokes any express or informed
consent given that resulted in the transfer of the consumer's
biological sample or disclosure of the consumer's genetic data
to a third party, the company shall secure the return of the
biological sample and the genetic data as soon as reasonably
possible, but no more than 60 days after the revocation is
tendered.
(b) A genetic testing company may not do any of the
following without a consumer's express written consent:
(1) Disclose a consumer's genetic data to any law
enforcement or other governmental agency, unless the
disclosure is made pursuant to a valid search warrant,
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168 HB21 INTRODUCED
Page 7
disclosure is made pursuant to a valid search warrant,
subpoena, or court order.
(2) Disclose a consumer's genetic data to any person
issuing health, life, disability, or long-term care insurance.
(3) Disclose a consumer's genetic data to any employer
or prospective employer of the consumer.
Section 4. (a) A contract between the genetic testing
company and a contractor shall prohibit the contractor from
using, retaining, or disclosing any biological sample,
extracted genetic material, genetic data, or information
identifying the consumer for any purpose other than performing
the service specified in the contract.
(b) A contractor shall be subject to the same
confidentiality obligation as the company, consistent with
each express consent given or withheld by a consumer with
respect to using, retaining, or disclosing the consumer's
biological sample, extracted genetic material, genetic data,
or information identifying the consumer.
Section 5. This act does not apply to any of the
following:
(1) Genetic data that is included in protected health
information that is collected by a covered entity or business
associate as those terms are defined in 45 C.F.R. Parts 160
and 164.
(2) The collection, use, or retention of biological
samples or genetic data for noncommercial purposes, including
for research and instruction, by a public or private
institution of higher learning or any entity owned or operated
by a public or private institution of higher learning.
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196 HB21 INTRODUCED
Page 8
by a public or private institution of higher learning.
Section 6. (a) Any consumer may report a violation of
this act to the the Consumer Division of the Office of the
Attorney General.
(b) The Consumer Division of the Office of the Attorney
General may enforce this act by a civil action in circuit
court to enjoin any practice or conduct in violation of this
act or to recover a civil penalty of up to three thousand
dollars ($3,000) for each violation.
(c) Any civil penalty and costs may be waived if the
genetic testing company or contractor has made full
restitution or has paid actual damages to any consumer who has
been injured by a violation of this act.
(d) In any settlement of a claim or civil action
resulting from a violation of this act, the Office of the
Attorney General shall receive reasonable attorney fees and
costs.
Section 7. This act shall become effective on October
1, 2024.
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214