| 18 | 20 | | Relating to consumer privacy; to require genetic |
|---|
| 19 | 21 | | testing companies to protect the confidentiality of customers' |
|---|
| 20 | 22 | | genetic information; to require customer consent for certain |
|---|
| 21 | 23 | | uses by genetic testing companies of genetic information; and |
|---|
| 22 | 24 | | to further provide a civil penalty for violations of this act |
|---|
| 23 | 25 | | to be enforced by the Attorney General. |
|---|
| 24 | 26 | | BE IT ENACTED BY THE LEGISLATURE OF ALABAMA: |
|---|
| 25 | 27 | | Section 1. This act shall be known as the "Alabama |
|---|
| 26 | 28 | | Genetic Data Privacy Act." |
|---|
| 27 | 29 | | Section 2. For purposes of this act, the following |
|---|
| 28 | 30 | | words have the following meanings: |
|---|
| 29 | 31 | | (1) BIOLOGICAL SAMPLE. Any human material known to |
|---|
| 30 | 32 | | contain DNA, including, but not limited to, tissue, saliva, |
|---|
| 31 | 33 | | blood, or urine. |
|---|
| 32 | 34 | | (2) CONSUMER. Any individual who is an Alabama |
|---|
| 33 | 35 | | resident. |
|---|
| 34 | 36 | | (3) CONTRACTOR. A person that contracts with a genetic |
|---|
| 35 | 37 | | testing company to provide a service necessary to the genetic |
|---|
| 36 | 38 | | testing company's consumer products or services which requires |
|---|
| 37 | 39 | | possession of a consumer's biological sample or genetic data, |
|---|
| 74 | | - | 164.514 or is subject to the following: |
|---|
| 75 | | - | a. Administrative and technical measures put in place |
|---|
| 76 | | - | by the genetic testing company to ensure that the data cannot |
|---|
| 77 | | - | be associated with an identified consumer. |
|---|
| 78 | | - | b. A public commitment by the genetic testing company |
|---|
| 79 | | - | to undertake the following: |
|---|
| 80 | | - | 1. Maintain and use the data only in a deidentified |
|---|
| 81 | | - | form. |
|---|
| 82 | | - | 2. Prohibit any attempts to reidentify the data. |
|---|
| 83 | | - | 3. Take legal action to enforce contractual obligations |
|---|
| 84 | | - | that prohibit any recipient of the data from attempting to |
|---|
| 85 | | - | reidentify the data. |
|---|
| 69 | + | possession of a consumer's biological sample or genetic data, |
|---|
| 70 | + | including laboratory facilities for genetic testing. |
|---|
| 71 | + | (4) DEIDENTIFIED DATA. Genetic data possessed by a |
|---|
| 72 | + | genetic testing company that cannot reasonably be linked to an |
|---|
| 73 | + | identifiable consumer. |
|---|
| 86 | 74 | | (5) DNA. Deoxyribonucleic acid. |
|---|
| 87 | 75 | | (6) EXPRESS CONSENT. A consumer's acknowledgment or |
|---|
| 88 | 76 | | permission, in writing or captured electronically, to a clear, |
|---|
| 89 | 77 | | meaningful, and prominent written notice regarding the |
|---|
| 90 | 78 | | collection, use, retention, or disclosure of the consumer's |
|---|
| 91 | 79 | | biological sample or genetic data for a specific purpose. |
|---|
| 92 | 80 | | (7) GENETIC DATA. a. Any data derived from analysis of |
|---|
| 93 | 81 | | a biological sample which concerns a consumer's genetic |
|---|
| 94 | 82 | | characteristics and which may include, but is not limited to, |
|---|
| 95 | 83 | | any of the following formats or sources: |
|---|
| 96 | 84 | | 1. Raw data that results from sequencing all or a |
|---|
| 97 | 85 | | portion of a consumer's extracted DNA. |
|---|
| 98 | 86 | | 2. Genotypic and phenotypic information obtained from |
|---|
| 99 | 87 | | analyzing a consumer's raw sequence data. |
|---|
| 100 | 88 | | 3. Health information self-reported by the consumer to |
|---|
| 101 | 89 | | a genetic testing company to be used by the company in |
|---|
| 102 | 90 | | connection with analyzing the consumer's raw sequence data or |
|---|
| 91 | + | for product development or scientific research. |
|---|
| 92 | + | b. Genetic data does not include deidentified data. |
|---|
| 93 | + | (8) GENETIC TESTING. Laboratory testing of a consumer's |
|---|
| 94 | + | biological sample to analyze DNA, including, but not limited |
|---|
| 95 | + | to, chromosomes and single nucleotide polymorphisms in order |
|---|
| 96 | + | to derive and interpret genetic data. |
|---|
| 97 | + | (9) GENETIC TESTING COMPANY or COMPANY. Any person, |
|---|
| 132 | | - | connection with analyzing the consumer's raw sequence data or |
|---|
| 133 | | - | for product development or scientific research. |
|---|
| 134 | | - | b. Genetic data does not include deidentified data. |
|---|
| 135 | | - | (8) GENETIC TESTING. Laboratory testing of a consumer's |
|---|
| 136 | | - | biological sample to analyze DNA, including, but not limited |
|---|
| 137 | | - | to, chromosomes and single nucleotide polymorphisms in order |
|---|
| 138 | | - | to derive and interpret genetic data. |
|---|
| 139 | 127 | | (9) GENETIC TESTING COMPANY or COMPANY. Any person, |
|---|
| 140 | 128 | | other than a health care provider, that directly solicits a |
|---|
| 141 | 129 | | biological sample from a consumer for analysis in order to |
|---|
| 142 | 130 | | provide products or services to the consumer which include |
|---|
| 143 | 131 | | disclosure of information that may include, but is not limited |
|---|
| 144 | 132 | | to, the following: |
|---|
| 145 | 133 | | a. The genetic link of the consumer to certain |
|---|
| 146 | 134 | | population groups based on ethnicity, geography, or |
|---|
| 147 | 135 | | anthropology. |
|---|
| 148 | 136 | | b. The probable relationship of the consumer to other |
|---|
| 149 | 137 | | individuals based on matching DNA for purposes that include |
|---|
| 150 | 138 | | genealogical research. |
|---|
| 151 | 139 | | c. Recommendations to the consumer for managing |
|---|
| 152 | 140 | | wellness which are based on physical or metabolic traits, |
|---|
| 153 | 141 | | lifestyle tendencies, or disease predispositions that are |
|---|
| 154 | 142 | | associated with genetic markers present in the consumer's DNA. |
|---|
| 155 | 143 | | (10) HEALTH CARE PROVIDER. Any hospital, as defined in |
|---|
| 156 | 144 | | Section 22-21-20, Code of Alabama 1975, licensed by the State |
|---|
| 157 | 145 | | Board of Health, and any physician, nurse, or other licensed |
|---|
| 158 | 146 | | medical practitioner, whether in individual, group, |
|---|
| 159 | 147 | | professional corporation, or professional association |
|---|
| 160 | 148 | | practice, which provides diagnostic services or treatment for |
|---|
| 149 | + | a patient of such hospital, physician, nurse, or other |
|---|
| 150 | + | licensed medical practitioner. |
|---|
| 151 | + | Section 3. (a)(1) A genetic testing company shall |
|---|
| 152 | + | prominently display to a consumer complete information |
|---|
| 153 | + | regarding the company's policies and procedures governing the |
|---|
| 154 | + | collection, use, maintenance, and disclosure of genetic data |
|---|
| 155 | + | in plain language which includes all of the following: |
|---|
| 190 | | - | practice, which provides diagnostic services or treatment for |
|---|
| 191 | | - | a patient of such hospital, physician, nurse, or other |
|---|
| 192 | | - | licensed medical practitioner. |
|---|
| 193 | | - | Section 3. (a)(1) A genetic testing company shall |
|---|
| 194 | | - | prominently display to a consumer complete information |
|---|
| 195 | | - | regarding the company's policies and procedures governing the |
|---|
| 196 | | - | collection, use, maintenance, and disclosure of genetic data |
|---|
| 197 | 185 | | in plain language which includes all of the following: |
|---|
| 198 | 186 | | a. A privacy policy overview that includes basic |
|---|
| 199 | 187 | | information about the company's collection, use, or disclosure |
|---|
| 200 | 188 | | of genetic data. |
|---|
| 201 | 189 | | b. A privacy policy notice that sets forth the complete |
|---|
| 202 | 190 | | text of the company's collection, consent, use, access, |
|---|
| 203 | 191 | | disclosure, transfer, security, retention, and deletion |
|---|
| 204 | 192 | | policies or practices. |
|---|
| 205 | 193 | | c. A clear and complete notice that the consumer's |
|---|
| 206 | 194 | | genetic data may be included in deidentified data shared or |
|---|
| 207 | 195 | | disclosed by the company to a third party for research in |
|---|
| 208 | 196 | | compliance with the U.S. Department of Health and Human |
|---|
| 209 | 197 | | Services policy for the protection of human subjects, 45 |
|---|
| 210 | 198 | | C.F.R. Part 46. |
|---|
| 211 | 199 | | d. A clear description of how to file a complaint |
|---|
| 212 | 200 | | alleging a violation of this act. |
|---|
| 213 | 201 | | (2) A genetic testing company shall obtain the |
|---|
| 214 | 202 | | consumer's initial express consent for all of the following: |
|---|
| 215 | 203 | | a. Use of the biological sample and resulting genetic |
|---|
| 216 | 204 | | data to provide the product or service ordered by the |
|---|
| 217 | 205 | | consumer. |
|---|
| 218 | 206 | | b. Identification of who may have access to the |
|---|
| 269 | | - | c. Marketing to a consumer based on the consumer's |
|---|
| 270 | | - | genetic data, or marketing to a consumer by a third party |
|---|
| 271 | | - | based on the consumer having ordered or purchased a genetic |
|---|
| 272 | | - | testing product or service. Marketing does not include the |
|---|
| 273 | | - | provision of customized content or offers on websites or |
|---|
| 274 | | - | through the applications or services provided by the |
|---|
| 275 | | - | direct-to-consumer genetic testing company with the |
|---|
| 276 | | - | first-party relationship to the consumer. |
|---|
| 261 | + | c. Sharing the consumer's name with a third party to |
|---|
| 262 | + | market the third party's products and services to the |
|---|
| 263 | + | consumer. |
|---|
| 264 | + | (4) A genetic testing company shall obtain the |
|---|
| 265 | + | consumer's informed consent to transfer the biological sample |
|---|
| 266 | + | or disclose the consumer's genetic data in compliance with 45 |
|---|
| 267 | + | C.F.R. Part 46, in the following cases: |
|---|
| 268 | + | a. For independent research conducted by a third party. |
|---|
| 269 | + | b. For research conducted under the sponsorship of the |
|---|
| 270 | + | genetic testing company for the purpose of product or service |
|---|
| 271 | + | research and development, scientific publication, or promotion |
|---|
| 306 | | - | first-party relationship to the consumer. |
|---|
| 307 | | - | (4) A genetic testing company shall obtain the |
|---|
| 308 | | - | consumer's informed consent to transfer the biological sample |
|---|
| 309 | | - | or disclose the consumer's genetic data in compliance with 45 |
|---|
| 310 | | - | C.F.R. Part 46, in the following cases: |
|---|
| 311 | | - | a. For independent research conducted by a third party. |
|---|
| 312 | | - | b. For research conducted under the sponsorship of the |
|---|
| 313 | | - | genetic testing company for the purpose of product or service |
|---|
| 314 | 301 | | research and development, scientific publication, or promotion |
|---|
| 315 | 302 | | of the company. |
|---|
| 316 | 303 | | (5)a. A genetic testing company shall provide a process |
|---|
| 317 | 304 | | for the consumer to do all of the following: |
|---|
| 318 | 305 | | 1. Access the consumer's genetic data. |
|---|
| 319 | 306 | | 2. Delete the consumer's account. |
|---|
| 320 | 307 | | 3. Request the destruction of the consumer's biological |
|---|
| 321 | 308 | | sample and genetic data. |
|---|
| 322 | 309 | | 4. Revoke any express or informed consent given. |
|---|
| 323 | 310 | | b. 1. If the consumer requests the destruction of the |
|---|
| 324 | 311 | | consumer's biological sample and genetic data, the company |
|---|
| 325 | 312 | | shall comply with the request as soon as reasonably possible, |
|---|
| 326 | 313 | | but no more than 30 days after the request is made. |
|---|
| 327 | 314 | | 2. If the consumer revokes any express or informed |
|---|
| 328 | 315 | | consent given that resulted in the transfer of the consumer's |
|---|
| 329 | 316 | | biological sample or disclosure of the consumer's genetic data |
|---|
| 330 | 317 | | to a third party, the company shall secure the return of the |
|---|
| 331 | 318 | | biological sample and the genetic data as soon as reasonably |
|---|
| 332 | 319 | | possible, but no more than 60 days after the revocation is |
|---|
| 333 | 320 | | tendered. |
|---|
| 334 | 321 | | (b) A genetic testing company may disclose a consumer's |
|---|
| 364 | | - | (b) A genetic testing company may disclose a consumer's |
|---|
| 365 | | - | genetic data to any law enforcement agency pursuant to a valid |
|---|
| 366 | | - | legal process. When a law enforcement agency requests data |
|---|
| 367 | | - | from a genetic testing company, the company shall not disclose |
|---|
| 368 | | - | the existence of the valid legal process or the fact of the |
|---|
| 369 | | - | company's compliance specifically to the party to whom the |
|---|
| 370 | | - | valid legal process pertains. Nothing in this subsection shall |
|---|
| 371 | | - | prevent a company from publishing a transparency report that |
|---|
| 372 | | - | details the number and types of law enforcement requests |
|---|
| 373 | | - | received and the number of times categories of information are |
|---|
| 374 | | - | shared, nor prevent a company from complying with other laws |
|---|
| 375 | | - | or policies, including a company's privacy policy. |
|---|
| 376 | | - | (c) A genetic testing company may not do any of the |
|---|
| 377 | | - | following without a consumer's express written consent: |
|---|
| 378 | 358 | | (1) Disclose a consumer's genetic data to any person |
|---|
| 379 | 359 | | issuing health, life, disability, or long-term care insurance. |
|---|
| 380 | 360 | | (2) Disclose a consumer's genetic data to any employer |
|---|
| 381 | 361 | | or prospective employer of the consumer. |
|---|
| 382 | 362 | | Section 4. (a) A contract between the genetic testing |
|---|
| 383 | 363 | | company and a contractor shall prohibit the contractor from |
|---|
| 384 | 364 | | using, retaining, or disclosing any biological sample, |
|---|
| 385 | 365 | | extracted genetic material, genetic data, or information |
|---|
| 386 | 366 | | identifying the consumer for any purpose other than performing |
|---|
| 387 | 367 | | the service specified in the contract. |
|---|
| 388 | 368 | | (b) A contractor shall be subject to the same |
|---|
| 389 | 369 | | confidentiality obligation as the company, consistent with |
|---|
| 390 | 370 | | each express consent given or withheld by a consumer with |
|---|
| 391 | 371 | | respect to using, retaining, or disclosing the consumer's |
|---|
| 372 | + | biological sample, extracted genetic material, genetic data, |
|---|
| 373 | + | or information identifying the consumer. |
|---|
| 374 | + | Section 5. This act does not apply to any of the |
|---|
| 375 | + | following: |
|---|
| 376 | + | (1) A covered entity or business associate as those |
|---|
| 377 | + | terms are defined in 45 C.F.R. Parts 160 and 164. |
|---|
| 378 | + | (2) The collection, use, or retention of biological |
|---|
| 379 | + | samples or genetic data for noncommercial purposes, including |
|---|
| 380 | + | for research and instruction, by a public or private |
|---|
| 381 | + | institution of higher learning or any entity owned or operated |
|---|
| 382 | + | by a public or private institution of higher learning. |
|---|
| 383 | + | Section 6. (a) Any consumer may report a violation of |
|---|
| 384 | + | this act to the the Consumer Division of the Office of the |
|---|
| 385 | + | Attorney General. |
|---|
| 421 | | - | respect to using, retaining, or disclosing the consumer's |
|---|
| 422 | | - | biological sample, extracted genetic material, genetic data, |
|---|
| 423 | | - | or information identifying the consumer. |
|---|
| 424 | | - | Section 5. This act does not apply to any of the |
|---|
| 425 | | - | following: |
|---|
| 426 | | - | (1) A covered entity or business associate as those |
|---|
| 427 | | - | terms are defined in 45 C.F.R. Parts 160 and 164. |
|---|
| 428 | | - | (2) The collection, use, or retention of biological |
|---|
| 429 | | - | samples or genetic data for noncommercial purposes, including |
|---|
| 430 | | - | for research and instruction, by a public or private |
|---|
| 431 | | - | institution of higher learning or any entity owned or operated |
|---|
| 432 | | - | by a public or private institution of higher learning. |
|---|
| 433 | | - | (3) Biological samples or genetic data lawfully |
|---|
| 434 | | - | obtained by law enforcement pursuant to a criminal |
|---|
| 435 | | - | investigation. |
|---|
| 436 | | - | Section 6. (a) Any consumer may report a violation of |
|---|
| 437 | | - | this act to the the Consumer Division of the Office of the |
|---|
| 438 | 415 | | Attorney General. |
|---|
| 439 | 416 | | (b) The Consumer Division of the Office of the Attorney |
|---|
| 440 | 417 | | General may enforce this act by a civil action in circuit |
|---|
| 441 | 418 | | court to enjoin any practice or conduct in violation of this |
|---|
| 442 | 419 | | act or to recover a civil penalty of up to three thousand |
|---|
| 443 | 420 | | dollars ($3,000) for each violation. |
|---|
| 444 | 421 | | (c) Any civil penalty and costs may be waived if the |
|---|
| 445 | 422 | | genetic testing company or contractor has made full |
|---|
| 446 | 423 | | restitution or has paid actual damages to any consumer who has |
|---|
| 447 | 424 | | been injured by a violation of this act. |
|---|
| 448 | 425 | | (d) In any settlement of a claim or civil action |
|---|
| 449 | 426 | | resulting from a violation of this act, the Office of the |
|---|
| 487 | | - | 228 HB21 Enrolled |
|---|
| 488 | | - | Page 10 |
|---|
| 489 | | - | 1, 2024. |
|---|
| 490 | | - | ________________________________________________ |
|---|
| 491 | | - | Speaker of the House of Representatives |
|---|
| 492 | | - | ________________________________________________ |
|---|
| 493 | | - | President and Presiding Officer of the Senate |
|---|
| 494 | | - | House of Representatives |
|---|
| 495 | | - | I hereby certify that the within Act originated in and |
|---|
| 496 | | - | was passed by the House 20-Feb-24, as amended. |
|---|
| 497 | | - | John Treadwell |
|---|
| 498 | | - | Clerk |
|---|
| 499 | | - | Senate 08-May-24 Amended and Passed |
|---|
| 500 | | - | House 08-May-24 Concurred in Senate |
|---|
| 501 | | - | Amendment |
|---|
| 481 | + | 228 |
|---|