HB21 ENROLLED
LGGRYAY-3
By Representative Brown
RFD: Judiciary
First Read: 06-Feb-24
PFD: 01-Dec-23

Enrolled, An Act,

Relating to consumer privacy; to require genetic testing companies to protect the confidentiality of customers' genetic information; to require customer consent for certain uses by genetic testing companies of genetic information; and to further provide a civil penalty for violations of this act to be enforced by the Attorney General.

BE IT ENACTED BY THE LEGISLATURE OF ALABAMA:

Section 1. This act shall be known as the "Alabama Genetic Data Privacy Act."

Section 2. For purposes of this act, the following words have the following meanings:
(1) BIOLOGICAL SAMPLE. Any human material known to contain DNA, including, but not limited to, tissue, saliva, blood, or urine.
(2) CONSUMER. Any individual who is an Alabama resident.
(3) CONTRACTOR. A person that contracts with a genetic testing company to provide a service necessary to the genetic testing company's consumer products or services which requires possession of a consumer's biological sample or genetic data, including laboratory facilities for genetic testing.
(4) DEIDENTIFIED DATA. Genetic data possessed by a genetic testing company that cannot be used to infer information about, or otherwise be linked to, an identifiable consumer and that either meets the requirements for deidentification of genetic data set forth in 45 C.F.R. 164.514 or is subject to the following:
a. Administrative and technical measures put in place by the genetic testing company to ensure that the data cannot be associated with an identified consumer.
b. A public commitment by the genetic testing company to undertake the following:
1. Maintain and use the data only in a deidentified form.
2.
Prohibit any attempts to reidentify the data.
3. Take legal action to enforce contractual obligations that prohibit any recipient of the data from attempting to reidentify the data.
(5) DNA. Deoxyribonucleic acid.
(6) EXPRESS CONSENT. A consumer's acknowledgment or permission, in writing or captured electronically, to a clear, meaningful, and prominent written notice regarding the collection, use, retention, or disclosure of the consumer's biological sample or genetic data for a specific purpose.
(7) GENETIC DATA.
a. Any data derived from analysis of a biological sample which concerns a consumer's genetic characteristics and which may include, but is not limited to, any of the following formats or sources:
1. Raw data that results from sequencing all or a portion of a consumer's extracted DNA.
2. Genotypic and phenotypic information obtained from analyzing a consumer's raw sequence data.
3. Health information self-reported by the consumer to a genetic testing company to be used by the company in connection with analyzing the consumer's raw sequence data or for product development or scientific research.
b. Genetic data does not include deidentified data.
(8) GENETIC TESTING. Laboratory testing of a consumer's biological sample to analyze DNA, including, but not limited to, chromosomes and single nucleotide polymorphisms in order to derive and interpret genetic data.
(9) GENETIC TESTING COMPANY or COMPANY. Any person, other than a health care provider, that directly solicits a biological sample from a consumer for analysis in order to provide products or services to the consumer which include disclosure of information that may include, but is not limited to, the following:
a. The genetic link of the consumer to certain population groups based on ethnicity, geography, or anthropology.
b.
The probable relationship of the consumer to other individuals based on matching DNA for purposes that include genealogical research.
c. Recommendations to the consumer for managing wellness which are based on physical or metabolic traits, lifestyle tendencies, or disease predispositions that are associated with genetic markers present in the consumer's DNA.
(10) HEALTH CARE PROVIDER. Any hospital, as defined in Section 22-21-20, Code of Alabama 1975, licensed by the State Board of Health, and any physician, nurse, or other licensed medical practitioner, whether in individual, group, professional corporation, or professional association practice, which provides diagnostic services or treatment for a patient of such hospital, physician, nurse, or other licensed medical practitioner.

Section 3. (a)(1) A genetic testing company shall prominently display to a consumer complete information regarding the company's policies and procedures governing the collection, use, maintenance, and disclosure of genetic data in plain language which includes all of the following:
a. A privacy policy overview that includes basic information about the company's collection, use, or disclosure of genetic data.
b. A privacy policy notice that sets forth the complete text of the company's collection, consent, use, access, disclosure, transfer, security, retention, and deletion policies or practices.
c. A clear and complete notice that the consumer's genetic data may be included in deidentified data shared or disclosed by the company to a third party for research in compliance with the U.S. Department of Health and Human Services policy for the protection of human subjects, 45 C.F.R. Part 46.
d. A clear description of how to file a complaint alleging a violation of this act.
(2) A genetic testing company shall obtain the consumer's initial express consent for all of the following:
a. Use of the biological sample and resulting genetic data to provide the product or service ordered by the consumer.
b. Identification of who may have access to the biological sample, genetic data, and test results, including a contractor, in order to fulfill the consumer's order.
c. Permission to retain the biological sample and genetic data for future testing for other products or services offered by the company.
d. Acknowledgment that the company may seek express consent in the future to transfer the biological sample or disclose the genetic data to a third party other than a contractor for a reason other than fulfillment of an order for the company's products or services.
(3) A genetic testing company shall obtain the consumer's express consent every time the company does any of the following:
a. Transferring the biological sample or disclosing the genetic data to a third party other than a contractor for a reason other than fulfillment of an order for the company's products or services.
b. Using the biological sample or genetic data for a purpose other than the company's products or services ordered by the consumer.
c. Marketing to a consumer based on the consumer's genetic data, or marketing to a consumer by a third party based on the consumer having ordered or purchased a genetic testing product or service. Marketing does not include the provision of customized content or offers on websites or through the applications or services provided by the direct-to-consumer genetic testing company with the first-party relationship to the consumer.
(4) A genetic testing company shall obtain the consumer's informed consent to transfer the biological sample or disclose the consumer's genetic data in compliance with 45 C.F.R. Part 46, in the following cases:
a. For independent research conducted by a third party.
b. For research conducted under the sponsorship of the genetic testing company for the purpose of product or service research and development, scientific publication, or promotion of the company.
(5)a. A genetic testing company shall provide a process for the consumer to do all of the following:
1. Access the consumer's genetic data.
2. Delete the consumer's account.
3. Request the destruction of the consumer's biological sample and genetic data.
4. Revoke any express or informed consent given.
b. 1. If the consumer requests the destruction of the consumer's biological sample and genetic data, the company shall comply with the request as soon as reasonably possible, but no more than 30 days after the request is made.
2. If the consumer revokes any express or informed consent given that resulted in the transfer of the consumer's biological sample or disclosure of the consumer's genetic data to a third party, the company shall secure the return of the biological sample and the genetic data as soon as reasonably possible, but no more than 60 days after the revocation is tendered.
(b) A genetic testing company may disclose a consumer's genetic data to any law enforcement agency pursuant to a valid legal process.
When a law enforcement agency requests data from a genetic testing company, the company shall not disclose the existence of the valid legal process or the fact of the company's compliance specifically to the party to whom the valid legal process pertains. Nothing in this subsection shall prevent a company from publishing a transparency report that details the number and types of law enforcement requests received and the number of times categories of information are shared, nor prevent a company from complying with other laws or policies, including a company's privacy policy.
(c) A genetic testing company may not do any of the following without a consumer's express written consent:
(1) Disclose a consumer's genetic data to any person issuing health, life, disability, or long-term care insurance.
(2) Disclose a consumer's genetic data to any employer or prospective employer of the consumer.

Section 4. (a) A contract between the genetic testing company and a contractor shall prohibit the contractor from using, retaining, or disclosing any biological sample, extracted genetic material, genetic data, or information identifying the consumer for any purpose other than performing the service specified in the contract.
(b) A contractor shall be subject to the same confidentiality obligation as the company, consistent with each express consent given or withheld by a consumer with respect to using, retaining, or disclosing the consumer's biological sample, extracted genetic material, genetic data, or information identifying the consumer.

Section 5. This act does not apply to any of the following:
(1) A covered entity or business associate as those terms are defined in 45 C.F.R. Parts 160 and 164.
(2) The collection, use, or retention of biological samples or genetic data for noncommercial purposes, including for research and instruction, by a public or private institution of higher learning or any entity owned or operated by a public or private institution of higher learning.
(3) Biological samples or genetic data lawfully obtained by law enforcement pursuant to a criminal investigation.

Section 6. (a) Any consumer may report a violation of this act to the Consumer Division of the Office of the Attorney General.
(b) The Consumer Division of the Office of the Attorney General may enforce this act by a civil action in circuit court to enjoin any practice or conduct in violation of this act or to recover a civil penalty of up to three thousand dollars ($3,000) for each violation.
(c) Any civil penalty and costs may be waived if the genetic testing company or contractor has made full restitution or has paid actual damages to any consumer who has been injured by a violation of this act.
(d) In any settlement of a claim or civil action resulting from a violation of this act, the Office of the Attorney General shall receive reasonable attorney fees and costs.

Section 7. This act shall become effective on October 1, 2024.

________________________________________________
Speaker of the House of Representatives

________________________________________________
President and Presiding Officer of the Senate

House of Representatives
I hereby certify that the within Act originated in and was passed by the House 20-Feb-24, as amended.
John Treadwell
Clerk

Senate 08-May-24 Amended and Passed
House 08-May-24 Concurred in Senate Amendment