California 2021-2022 Regular Session

California Senate Bill SB41 Compare Versions

Senate Bill No. 41
CHAPTER 596

An act to add Chapter 2.6 (commencing with Section 56.18) to Part 2.6 of Division 1 of the Civil Code, relating to privacy.

[ Approved by Governor October 06, 2021. Filed with Secretary of State October 06, 2021. ]

LEGISLATIVE COUNSEL'S DIGEST

SB 41, Umberg. Privacy: genetic testing companies.

Existing law, the California Consumer Privacy Act of 2018, provides various protections to a consumer with respect to a business that collects the consumer's personal information, including biometric information such as the consumer's deoxyribonucleic acid (DNA). The act requires a business that collects a consumer's personal information to, at or before the point of collection, inform the consumer as to the categories of personal information to be collected and the purposes for which the information will be used, and grants to a consumer the right to opt-out of the sale of the consumer's personal information by the business to a third party. Existing law also prohibits the disclosure by a health care service plan of the results of a test for a genetic characteristic to a third party in a manner that identifies or provides identifying characteristics of the person to whom the test results apply, except pursuant to a written authorization to do so.

This bill would establish the Genetic Information Privacy Act, which would require a direct-to-consumer genetic testing company, as defined, to provide a consumer with certain information regarding the company's policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data, and to obtain a consumer's express consent for collection, use, or disclosure of the consumer's genetic data, as specified.

This bill would require a direct-to-consumer genetic testing company to honor a consumer's revocation of consent in accordance with certain procedures, and to destroy a consumer's biological sample within 30 days of revocation of consent. The bill would further require a direct-to-consumer genetic testing company to implement and maintain reasonable security procedures and practices to protect a consumer's genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data, as specified. The bill would exclude from its provisions the California Newborn Screening Program, specific tests, and certain information, providers, entities, and activities subject to specified state and federal laws.

This bill would provide that the act does not reduce a direct-to-consumer genetic testing company's duties, obligations, requirements, or standards under any applicable state and federal law for the protection of privacy and security and would further provide, if a conflict exists between the act and any other law, that the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.

This bill would impose civil penalties for a violation of those provisions, as specified. The bill would require actions for relief pursuant to these provisions to be prosecuted exclusively by the Attorney General, a district attorney, county counsel, city attorney, or city prosecutor, as specified, in the name of the people of the State of California upon their own complaint or upon the complaint of a board, officer, person, corporation, or association or upon a complaint by a person who has suffered injury in fact and has lost money or property as a result of the violation of the act. Because the bill would require local officials to perform additional duties, the bill would impose a state-mandated local program.

The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.

This bill would provide that, if the Commission on State Mandates determines that the bill contains costs mandated by the state, reimbursement for those costs shall be made pursuant to the statutory provisions noted above.

Digest Key
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: YES

Bill Text

The people of the State of California do enact as follows:

SECTION 1. The Legislature finds and declares all of the following:

(a) Direct-to-consumer genetic testing services are largely unregulated and could expose personal and genetic information, and potentially create unintended security consequences and increased risk.

(b) There is growing concern in the scientific community that outside parties are exploiting the use of genetic data for questionable purposes, including mass surveillance and the ability to track individuals without their authorization.

(c) Genomic data is highly distinguishable. There is a confirmation that a sequence of 30 to 80 single nucleotide polymorphisms could uniquely identify an individual. Genomic data is also very stable. It undergoes little change over the lifetime of an individual and thus has a long-lived value, as opposed to other biometric data such as blood tests, which have expiry dates.

(d) The potential information hidden within genomic data is cause for significant concern. As our knowledge in genomics evolves, so will our view on the sensitivity of genomic data.

SEC. 2. Chapter 2.6 (commencing with Section 56.18) is added to Part 2.6 of Division 1 of the Civil Code, to read:

CHAPTER 2.6. Genetic Privacy

56.18. (a) This chapter shall be known, and may be cited, as the Genetic Information Privacy Act.

(b) For purposes of this chapter, the following definitions apply:

(1) "Affirmative authorization" means an action that demonstrates an intentional decision by the consumer.

(2) "Biological sample" means any material part of the human, discharge therefrom, or derivative thereof, such as tissue, blood, urine, or saliva, known to contain deoxyribonucleic acid (DNA).

(3) "Consumer" means a natural person who is a California resident.

(4) "Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice.

(5) "Direct-to-consumer genetic testing company" means an entity that does any of the following:

(A) Sells, markets, interprets, or otherwise offers consumer-initiated genetic testing products or services directly to consumers.

(B) Analyzes genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition.

(C) Collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer.

(6) "Express consent" means a consumer's affirmative authorization to grant permission in response to a clear, meaningful, and prominent notice regarding the collection, use, maintenance, or disclosure of genetic data for a specific purpose. The nature of the data collection, use, maintenance, or disclosure shall be conveyed in clear and prominent terms in such a manner that an ordinary consumer would notice and understand it. Express consent cannot be inferred from inaction. Agreement obtained through use of dark patterns does not constitute consent.

(7) (A) "Genetic data" means any data, regardless of its format, that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from the analysis of the biological sample, and any information extrapolated, derived, or inferred therefrom.

(B) "Genetic data" does not include deidentified data. For purposes of this subparagraph, "deidentified data" means data that cannot be used to infer information about, or otherwise be linked to, a particular individual, provided that the business that possesses the information does all of the following:

(i) Takes reasonable measures to ensure that the information cannot be associated with a consumer or household.

(ii) Publicly commits to maintain and use the information only in deidentified form and not to attempt to reidentify the information, except that the business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this subparagraph, provided that the business does not use or disclose any information reidentified in this process and destroys the reidentified information upon completion of that assessment.

(iii) Contractually obligates any recipients of the information to take reasonable measures to ensure that the information cannot be associated with a consumer or household and to commit to maintaining and using the information only in deidentified form and not to reidentify the information.

(C) "Genetic data" does not include data or a biological sample to the extent that data or a biological sample is collected, used, maintained, and disclosed exclusively for scientific research conducted by an investigator with an institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, in compliance with all applicable federal and state laws and regulations for the protection of human subjects in research, including, but not limited to, the Common Rule pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, United States Food and Drug Administration regulations pursuant to Parts 50 and 56 of Title 21 of the Code of Federal Regulations, the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g), and the Protection of Human Subjects in Medical Experimentation Act, Chapter 1.3 (commencing with Section 24170) of Division 20 of the Health and Safety Code.

(8) "Genetic testing" means any laboratory test of a biological sample from a consumer for the purpose of determining information concerning genetic material contained within the biological sample, or any information extrapolated, derived, or inferred therefrom.

(9) "Person" means an individual, partnership, corporation, association, business, business trust, or legal representative of an organization.

(10) "Service provider" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that is involved in the collection, transportation, and analysis of the consumer's biological sample or extracted genetic material on behalf of the direct-to-consumer genetic testing company, or on behalf of any other company that collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer, or the delivery of the results of the analysis of the biological sample or genetic material. The contract between the company and the service provider shall prohibit the service provider from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, for any purpose other than for the specific purpose of performing the services specified in the contract for the business, including both of the following:

(A) A provision prohibiting the service provider from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, for a commercial purpose other than providing the services specified in the contract with the business.

(B) A provision prohibiting the service provider from associating or combining the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, with information the service provider has received from or on behalf of another person or persons, or has collected from its own interaction with consumers or as required by law.

56.181. (a) To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, a direct-to-consumer genetic testing company shall do both of the following:

(1) Provide clear and complete information regarding the company's policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data by making available to a consumer all of the following:

(A) A summary of its privacy practices, written in plain language, that includes information about the company's collection, use, maintenance, and disclosure, as applicable, of genetic data.

(B) A prominent and easily accessible privacy notice that includes, at a minimum, complete information about the company's data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices, and information that clearly describes how to file a complaint alleging a violation of this chapter, pursuant to subdivision (c) of Section 56.182.

(C) A notice that the consumer's deidentified genetic or phenotypic information may be shared with or disclosed to third parties for research purposes in accordance with Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations.

(2) Obtain a consumer's express consent for collection, use, and disclosure of the consumer's genetic data, including, at a minimum, separate and express consent for each of the following:

(A) The use of the genetic data collected through the genetic testing product or service offered to the consumer, including who has access to genetic data, and how genetic data may be shared, and the specific purposes for which it will be collected, used, and disclosed.

(B) The storage of a consumer's biological sample after the initial testing requested by the consumer has been fulfilled.

(C) Each use of genetic data or the biological sample beyond the primary purpose of the genetic testing or service and inherent contextual uses.

(D) Each transfer or disclosure of the consumer's genetic data or biological sample to a third party other than to a service provider, including the name of the third party to which the consumer's genetic data or biological sample will be transferred or disclosed.

(E) (i) The marketing or facilitation of marketing to a consumer based on the consumer's genetic data or the marketing or facilitation of marketing by a third party based upon the consumer having ordered, purchased, received, or used a genetic testing product or service.

(ii) This subparagraph does not require a direct-to-consumer genetic testing company to obtain a consumer's express consent to market to the consumer on the company's own website or mobile application based upon the consumer having ordered, purchased, received, or used a genetic testing product or service from that company if the content of the advertisement does not depend upon any information specific to that consumer, except for the product or service that the consumer ordered, purchased, received, or used, and the placement of the advertisement is not intended to result in disparate exposure to advertising content on the basis of any characteristic specified in Section 51. Nothing in this subparagraph alters, limits, or negates the requirements of any other antidiscrimination law or targeted advertising law.

(iii) Any advertisement of a third-party product or service presented to a consumer pursuant to either clause (i) or (ii) shall be prominently labeled as advertising content and be accompanied by the name of any third party that has contributed to the placement of the advertising. If applicable, the advertisement also shall clearly indicate that the advertised product or service, and any associated claims, have not been vetted or endorsed by the direct-to-consumer genetic testing company.

(F) For the purpose of this paragraph, "third party" does not include a public or private nonprofit postsecondary educational institution to the extent that the consumer's genetic data or biological sample is disclosed to a public or private nonprofit postsecondary educational institution for the purpose of scientific research or educational activities as described in paragraph (4) of subdivision (b) of Section 56.184.

(b) A company that is subject to the requirements described in paragraph (2) of subdivision (a) shall provide effective mechanisms, without any unnecessary steps, for a consumer to revoke their consent after it is given, at least one of which utilizes the primary medium through which the company communicates with consumers.

(c) If a consumer revokes the consent that they provided pursuant to paragraph (2) of subdivision (a), the company shall honor the consumer's consent revocation as soon as practicable, but not later than 30 days after the individual revokes consent, in accordance with both of the following:

(1) Revocation of consent under this section shall comply with Part 46 of Title 45 of the Code of Federal Regulations.

(2) The company shall destroy a consumer's biological sample within 30 days of receipt of revocation of consent to store the sample.

(d) The direct-to-consumer genetic testing company shall do both of the following:

(1) Implement and maintain reasonable security procedures and practices to protect a consumer's genetic data against unauthorized access, destruction, use, modification, or disclosure.

(2) Develop procedures and practices to enable a consumer to easily do any of the following:

(A) Access the consumer's genetic data.

(B) Delete the consumer's account and genetic data, except for genetic data that is required to be retained by the company to comply with applicable legal and regulatory requirements.

(C) Have the consumer's biological sample destroyed.

(e) A person or public entity shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under this chapter by doing any of the following, including, but not limited to:

(1) Denying goods, services, or benefits to the customer.

(2) Charging different prices or rates for goods or services, including through the use of discounts or other incentives or imposing penalties.

(3) Providing a different level or quality of goods, services, or benefits to the consumer.

(4) Suggesting that the consumer will receive a different price or rate for goods, services, or benefits, or a different level or quality of goods, services, or benefits.

(5) Considering the consumer's exercise of rights under this chapter as a basis for suspicion of criminal wrongdoing or unlawful conduct.

(f) (1) Notwithstanding any other provision in this section, and except as provided in paragraph (2), a direct-to-consumer genetic testing company shall not disclose a consumer's genetic data to any entity that is responsible for administering or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment or to any entity that provides advice to an entity that is responsible for performing those functions.

(2) A direct-to-consumer genetic testing company may disclose a consumer's genetic data or biological sample to an entity described in paragraph (1) if all of the following are true:

(A) The entity is not primarily engaged in administering health insurance, life insurance, long-term care insurance, disability insurance, or employment.

(B) The consumer's genetic data or biological sample is not disclosed to the entity in that entity's capacity as a party that is responsible for administering, advising, or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment.

(C) Any agent or division of the entity that is involved in administering, advising, or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment is prohibited from accessing the consumer's genetic data or biological sample.

56.182. (a) Any person who negligently violates this chapter shall be assessed a civil penalty in an amount not to exceed one thousand dollars ($1,000) plus court costs, as determined by the court.

(b) Any person who willfully violates this chapter shall be assessed a civil penalty in an amount not less than one thousand dollars ($1,000) and not more than ten thousand dollars ($10,000) plus court costs, as determined by the court.

(c) Actions for relief pursuant to this chapter shall be prosecuted exclusively in a court of competent jurisdiction by the Attorney General or a district attorney or by a county counsel authorized by agreement with the district attorney in actions involving violation of a county ordinance, or by a city attorney of a city having a population in excess of 750,000, or by a city attorney in a city and county or, with the consent of the district attorney, by a city prosecutor in a city having a full-time city prosecutor in the name of the people of the State of California upon their own complaint or upon the complaint of a board, officer, person, corporation, or association, or upon a complaint by a person who has suffered injury in fact and has lost money or property as a result of the violation of this chapter.

(d) Court costs recovered pursuant to this section shall be paid to the party or parties that prosecuted the violation. Penalties recovered pursuant to this section shall be paid to the individual to whom the genetic data at issue pertains.

(e) Any provision of a contract or agreement between a consumer and a person governed by this chapter that has, or would have, the effect of delaying or limiting access to a legal remedy for a violation of this chapter shall not apply to the exercise of rights or enforcement pursuant to this chapter.

(f) Each violation of this chapter is a separate and actionable violation.

56.184. (a) The provisions of this chapter shall not reduce a direct-to-consumer genetic testing company's duties, obligations, requirements, or standards under any applicable state and federal laws for the protection of privacy and security.

(b) In the event of a conflict between the provisions of this chapter and any other law, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.

(c) This chapter shall not apply to any of the following:

(1) Medical information governed by the Confidentiality of Medical Information Act, Part 2.6 (commencing with Section 56), or to protected health information that is collected, maintained, used, or disclosed by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).

(2) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56)) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the provider or covered entity maintains, uses, and discloses genetic information in the same manner as medical information or protected health information, as described in paragraph (1).

(3) A business associate of a covered entity governed by the privacy, security, and data breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the business associate maintains, uses, and discloses genetic information in the same manner as medical information or protected health information, as described in paragraph (1).

(4) Scientific research or educational activities conducted by a public or private nonprofit postsecondary educational institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 of Title 45 of the Code of Federal Regulations, to the extent that the scientific research and educational activities conducted by that institution comply with all applicable federal and state laws and regulations for the protection of human subjects in research, including, but not limited to, the Common Rule pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, United States Food and Drug Administration regulations pursuant to Parts 50 and 56 of Title 21 of the Code of Federal Regulations, the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g), and the Protection of Human Subjects in Medical Experimentation Act, Chapter 1.3 (commencing with Section 24170) of Division 20 of the Health and Safety Code.

(5) The California Newborn Screening Program authorized by Chapter 1 (commencing with Section 124975) of Part 5 of Division 106 of the Health and Safety Code.

(6) Tests conducted exclusively to diagnose whether an individual has a specific disease, to the extent that all persons involved in the conduct of the test maintain, use, and disclose genetic information in the same manner as medical information or protected health information, as described in paragraph (1).

(7) Genetic data used or maintained by an employer, or disclosed by an employee to an employer, to the extent that the use, maintenance, or disclosure of that data is necessary to comply with a local, state, or federal workplace health and safety ordinance, law, or regulation.

(d) Nothing in this chapter shall be construed to affect access to information made available to the public by the consumer.

56.186. The provisions of this chapter are severable. If any provision of this chapter or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.

SEC. 3. If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.
1+Enrolled September 13, 2021 Passed IN Senate September 09, 2021 Passed IN Assembly September 08, 2021 Amended IN Assembly August 30, 2021 Amended IN Assembly June 17, 2021 Amended IN Assembly June 14, 2021 Amended IN Senate March 11, 2021 CALIFORNIA LEGISLATURE 20212022 REGULAR SESSION Senate Bill No. 41Introduced by Senator Umberg(Coauthor: Assembly Member Wicks)December 07, 2020 An act to add Chapter 2.6 (commencing with Section 56.18) to Part 2.6 of Division 1 of the Civil Code, relating to privacy.LEGISLATIVE COUNSEL'S DIGESTSB 41, Umberg. Privacy: genetic testing companies.Existing law, the California Consumer Privacy Act of 2018, provides various protections to a consumer with respect to a business that collects the consumers personal information, including biometric information such as the consumers deoxyribonucleic acid (DNA). The act requires a business that collects a consumers personal information to, at or before the point of collection, inform the consumer as to the categories of personal information to be collected and the purposes for which the information will be used, and grants to a consumer the right to opt-out of the sale of the consumers personal information by the business to a third party. Existing law also prohibits the disclosure by a health care service plan of the results of a test for a genetic characteristic to a third party in a manner that identifies or provides identifying characteristics of the person to whom the test results apply, except pursuant to a written authorization to do so. 
This bill would establish the Genetic Information Privacy Act, which would require a direct-to-consumer genetic testing company, as defined, to provide a consumer with certain information regarding the companys policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data, and to obtain a consumers express consent for collection, use, or disclosure of the consumers genetic data, as specified.This bill would require a direct-to-consumer genetic testing company to honor a consumers revocation of consent in accordance with certain procedures, and to destroy a consumers biological sample within 30 days of revocation of consent. The bill would further require a direct-to-consumer genetic testing company to implement and maintain reasonable security procedures and practices to protect a consumers genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data, as specified. The bill would exclude from its provisions the California Newborn Screening Program, specific tests, and certain information, providers, entities, and activities subject to specified state and federal laws.This bill would provide that the act does not reduce a direct-to-consumer genetic testing companys duties, obligations, requirements, or standards under any applicable state and federal law for the protection of privacy and security and would further provide, if a conflict exists between the act and any other law, that the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.This bill would impose civil penalties for a violation of those provisions, as specified. 
The bill would require actions for relief pursuant to these provisions to be prosecuted exclusively by the Attorney General, a district attorney, county counsel, city attorney, or city prosecutor, as specified, in the name of the people of the State of California upon their own complaint or upon the complaint of a board, officer, person, corporation, or association or upon a complaint by a person who has suffered injury in fact and has lost money or property as a result of the violation of the act. Because the bill would require local officials to perform additional duties, the bill would impose a state-mandated local program.The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.This bill would provide that, if the Commission on State Mandates determines that the bill contains costs mandated by the state, reimbursement for those costs shall be made pursuant to the statutory provisions noted above.Digest Key Vote: MAJORITY Appropriation: NO Fiscal Committee: YES Local Program: YES Bill TextThe people of the State of California do enact as follows:SECTION 1. The Legislature finds and declares all of the following:(a) Direct-to-consumer genetic testing services are largely unregulated and could expose personal and genetic information, and potentially create unintended security consequences and increased risk.(b) There is growing concern in the scientific community that outside parties are exploiting the use of genetic data for questionable purposes, including mass surveillance and the ability to track individuals without their authorization.(c) Genomic data is highly distinguishable. There is a confirmation that a sequence of 30 to 80 single nucleotide polymorphisms could uniquely identify an individual. Genomic data is also very stable. 
It undergoes little change over the lifetime of an individual and thus has a long-lived value, as opposed to other biometric data such as blood tests, which have expiry dates.

(d) The potential information hidden within genomic data is cause for significant concern. As our knowledge in genomics evolves, so will our view on the sensitivity of genomic data.

SEC. 2. Chapter 2.6 (commencing with Section 56.18) is added to Part 2.6 of Division 1 of the Civil Code, to read:

CHAPTER 2.6. Genetic Privacy

56.18. (a) This chapter shall be known, and may be cited, as the Genetic Information Privacy Act.

(b) For purposes of this chapter, the following definitions apply:

(1) "Affirmative authorization" means an action that demonstrates an intentional decision by the consumer.

(2) "Biological sample" means any material part of the human, discharge therefrom, or derivative thereof, such as tissue, blood, urine, or saliva, known to contain deoxyribonucleic acid (DNA).

(3) "Consumer" means a natural person who is a California resident.

(4) "Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice.

(5) "Direct-to-consumer genetic testing company" means an entity that does any of the following:

(A) Sells, markets, interprets, or otherwise offers consumer-initiated genetic testing products or services directly to consumers.

(B) Analyzes genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition.

(C) Collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer.

(6) "Express consent" means a consumer's affirmative authorization to grant permission in response to a clear, meaningful, and prominent notice regarding the collection, use, maintenance, or disclosure of genetic data for a specific purpose. The nature of the data collection, use, maintenance, or disclosure shall be conveyed in clear and prominent terms in such a manner that an ordinary consumer would notice and understand it. Express consent cannot be inferred from inaction. Agreement obtained through use of dark patterns does not constitute consent.

(7) (A) "Genetic data" means any data, regardless of its format, that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from the analysis of the biological sample, and any information extrapolated, derived, or inferred therefrom.

(B) "Genetic data" does not include deidentified data. For purposes of this subparagraph, "deidentified data" means data that cannot be used to infer information about, or otherwise be linked to, a particular individual, provided that the business that possesses the information does all of the following:

(i) Takes reasonable measures to ensure that the information cannot be associated with a consumer or household.

(ii) Publicly commits to maintain and use the information only in deidentified form and not to attempt to reidentify the information, except that the business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this subparagraph, provided that the business does not use or disclose any information reidentified in this process and destroys the reidentified information upon completion of that assessment.

(iii) Contractually obligates any recipients of the information to take reasonable measures to ensure that the information cannot be associated with a consumer or household and to commit to maintaining and using the information only in deidentified form and not to reidentify the information.

(C) "Genetic data" does not include data or a biological sample to the extent that data or a biological sample is collected, used, maintained, and disclosed exclusively for scientific research conducted by an investigator with an institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, in compliance with all applicable federal and state laws and regulations for the protection of human subjects in research, including, but not limited to, the Common Rule pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, United States Food and Drug Administration regulations pursuant to Parts 50 and 56 of Title 21 of the Code of Federal Regulations, the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g), and the Protection of Human Subjects in Medical Experimentation Act, Chapter 1.3 (commencing with Section 24170) of Division 20 of the Health and Safety Code.

(8) "Genetic testing" means any laboratory test of a biological sample from a consumer for the purpose of determining information concerning genetic material contained within the biological sample, or any information extrapolated, derived, or inferred therefrom.

(9) "Person" means an individual, partnership, corporation, association, business, business trust, or legal representative of an organization.

(10) "Service provider" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that is involved in the collection, transportation, and analysis of the consumer's biological sample or extracted genetic material on behalf of the direct-to-consumer genetic testing company, or on behalf of any other company that collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer, or the delivery of the results of the analysis of the biological sample or genetic material. The contract between the company and the service provider shall prohibit the service provider from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, for any purpose other than for the specific purpose of performing the services specified in the contract for the business, including both of the following:

(A) A provision prohibiting the service provider from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, for a commercial purpose other than providing the services specified in the contract with the business.

(B) A provision prohibiting the service provider from associating or combining the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, with information the service provider has received from or on behalf of another person or persons, or has collected from its own interaction with consumers or as required by law.

56.181. (a) To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, a direct-to-consumer genetic testing company shall do both of the following:

(1) Provide clear and complete information regarding the company's policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data by making available to a consumer all of the following:

(A) A summary of its privacy practices, written in plain language, that includes information about the company's collection, use, maintenance, and disclosure, as applicable, of genetic data.

(B) A prominent and easily accessible privacy notice that includes, at a minimum, complete information about the company's data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices, and information that clearly describes how to file a complaint alleging a violation of this chapter, pursuant to subdivision (c) of Section 56.182.

(C) A notice that the consumer's deidentified genetic or phenotypic information may be shared with or disclosed to third parties for research purposes in accordance with Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations.

(2) Obtain a consumer's express consent for collection, use, and disclosure of the consumer's genetic data, including, at a minimum, separate and express consent for each of the following:

(A) The use of the genetic data collected through the genetic testing product or service offered to the consumer, including who has access to genetic data, and how genetic data may be shared, and the specific purposes for which it will be collected, used, and disclosed.

(B) The storage of a consumer's biological sample after the initial testing requested by the consumer has been fulfilled.

(C) Each use of genetic data or the biological sample beyond the primary purpose of the genetic testing or service and inherent contextual uses.
(D) Each transfer or disclosure of the consumer's genetic data or biological sample to a third party other than to a service provider, including the name of the third party to which the consumer's genetic data or biological sample will be transferred or disclosed.

(E) (i) The marketing or facilitation of marketing to a consumer based on the consumer's genetic data or the marketing or facilitation of marketing by a third party based upon the consumer having ordered, purchased, received, or used a genetic testing product or service.

(ii) This subparagraph does not require a direct-to-consumer genetic testing company to obtain a consumer's express consent to market to the consumer on the company's own website or mobile application based upon the consumer having ordered, purchased, received, or used a genetic testing product or service from that company if the content of the advertisement does not depend upon any information specific to that consumer, except for the product or service that the consumer ordered, purchased, received, or used, and the placement of the advertisement is not intended to result in disparate exposure to advertising content on the basis of any characteristic specified in Section 51. Nothing in this subparagraph alters, limits, or negates the requirements of any other antidiscrimination law or targeted advertising law.

(iii) Any advertisement of a third-party product or service presented to a consumer pursuant to either clause (i) or (ii) shall be prominently labeled as advertising content and be accompanied by the name of any third party that has contributed to the placement of the advertising. If applicable, the advertisement also shall clearly indicate that the advertised product or service, and any associated claims, have not been vetted or endorsed by the direct-to-consumer genetic testing company.

(F) For the purpose of this paragraph, "third party" does not include a public or private nonprofit postsecondary educational institution to the extent that the consumer's genetic data or biological sample is disclosed to a public or private nonprofit postsecondary educational institution for the purpose of scientific research or educational activities as described in paragraph (4) of subdivision (b) of Section 56.184.

(b) A company that is subject to the requirements described in paragraph (2) of subdivision (a) shall provide effective mechanisms, without any unnecessary steps, for a consumer to revoke their consent after it is given, at least one of which utilizes the primary medium through which the company communicates with consumers.

(c) If a consumer revokes the consent that they provided pursuant to paragraph (2) of subdivision (a), the company shall honor the consumer's consent revocation as soon as practicable, but not later than 30 days after the individual revokes consent, in accordance with both of the following:

(1) Revocation of consent under this section shall comply with Part 46 of Title 45 of the Code of Federal Regulations.
(2) The company shall destroy a consumer's biological sample within 30 days of receipt of revocation of consent to store the sample.

(d) The direct-to-consumer genetic testing company shall do both of the following:

(1) Implement and maintain reasonable security procedures and practices to protect a consumer's genetic data against unauthorized access, destruction, use, modification, or disclosure.

(2) Develop procedures and practices to enable a consumer to easily do any of the following:

(A) Access the consumer's genetic data.

(B) Delete the consumer's account and genetic data, except for genetic data that is required to be retained by the company to comply with applicable legal and regulatory requirements.

(C) Have the consumer's biological sample destroyed.

(e) A person or public entity shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under this chapter by doing any of the following, including, but not limited to:

(1) Denying goods, services, or benefits to the customer.

(2) Charging different prices or rates for goods or services, including through the use of discounts or other incentives or imposing penalties.

(3) Providing a different level or quality of goods, services, or benefits to the consumer.

(4) Suggesting that the consumer will receive a different price or rate for goods, services, or benefits, or a different level or quality of goods, services, or benefits.

(5) Considering the consumer's exercise of rights under this chapter as a basis for suspicion of criminal wrongdoing or unlawful conduct.

(f) (1) Notwithstanding any other provision in this section, and except as provided in paragraph (2), a direct-to-consumer genetic testing company shall not disclose a consumer's genetic data to any entity that is responsible for administering or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment or to any entity that provides advice to an entity that is responsible for performing those functions.

(2) A direct-to-consumer genetic testing company may disclose a consumer's genetic data or biological sample to an entity described in paragraph (1) if all of the following are true:

(A) The entity is not primarily engaged in administering health insurance, life insurance, long-term care insurance, disability insurance, or employment.

(B) The consumer's genetic data or biological sample is not disclosed to the entity in that entity's capacity as a party that is responsible for administering, advising, or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment.

(C) Any agent or division of the entity that is involved in administering, advising, or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment is prohibited from accessing the consumer's genetic data or biological sample.

56.182. (a) Any person who negligently violates this chapter shall be assessed a civil penalty in an amount not to exceed one thousand dollars ($1,000) plus court costs, as determined by the court.

(b) Any person who willfully violates this chapter shall be assessed a civil penalty in an amount not less than one thousand dollars ($1,000) and not more than ten thousand dollars ($10,000) plus court costs, as determined by the court.

(c) Actions for relief pursuant to this chapter shall be prosecuted exclusively in a court of competent jurisdiction by the Attorney General or a district attorney or by a county counsel authorized by agreement with the district attorney in actions involving violation of a county ordinance, or by a city attorney of a city having a population in excess of 750,000, or by a city attorney in a city and county or, with the consent of the district attorney, by a city prosecutor in a city having a full-time city prosecutor in the name of the people of the State of California upon their own complaint or upon the complaint of a board, officer, person, corporation, or association, or upon a complaint by a person who has suffered injury in fact and has lost money or property as a result of the violation of this chapter.

(d) Court costs recovered pursuant to this section shall be paid to the party or parties that prosecuted the violation. Penalties recovered pursuant to this section shall be paid to the individual to whom the genetic data at issue pertains.

(e) Any provision of a contract or agreement between a consumer and a person governed by this chapter that has, or would have, the effect of delaying or limiting access to a legal remedy for a violation of this chapter shall not apply to the exercise of rights or enforcement pursuant to this chapter.

(f) Each violation of this chapter is a separate and actionable violation.

56.184. (a) The provisions of this chapter shall not reduce a direct-to-consumer genetic testing company's duties, obligations, requirements, or standards under any applicable state and federal laws for the protection of privacy and security.

(b) In the event of a conflict between the provisions of this chapter and any other law, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.
(c) This chapter shall not apply to any of the following:

(1) Medical information governed by the Confidentiality of Medical Information Act, Part 2.6 (commencing with Section 56), or to protected health information that is collected, maintained, used, or disclosed by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).

(2) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56)) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the provider or covered entity maintains, uses, and discloses genetic information in the same manner as medical information or protected health information, as described in paragraph (1).

(3) A business associate of a covered entity governed by the privacy, security, and data breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the business associate maintains, uses, and discloses genetic information in the same manner as medical information or protected health information, as described in paragraph (1).

(4) Scientific research or educational activities conducted by a public or private nonprofit postsecondary educational institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 of Title 45 of the Code of Federal Regulations, to the extent that the scientific research and educational activities conducted by that institution comply with all applicable federal and state laws and regulations for the protection of human subjects in research, including, but not limited to, the Common Rule pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, United States Food and Drug Administration regulations pursuant to Parts 50 and 56 of Title 21 of the Code of Federal Regulations, the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g), and the Protection of Human Subjects in Medical Experimentation Act, Chapter 1.3 (commencing with Section 24170) of Division 20 of the Health and Safety Code.

(5) The California Newborn Screening Program authorized by Chapter 1 (commencing with Section 124975) of Part 5 of Division 106 of the Health and Safety Code.

(6) Tests conducted exclusively to diagnose whether an individual has a specific disease, to the extent that all persons involved in the conduct of the test maintain, use, and disclose genetic information in the same manner as medical information or protected health information, as described in paragraph (1).

(7) Genetic data used or maintained by an employer, or disclosed by an employee to an employer, to the extent that the use, maintenance, or disclosure of that data is necessary to comply with a local, state, or federal workplace health and safety ordinance, law, or regulation.

(d) Nothing in this chapter shall be construed to affect access to information made available to the public by the consumer.

56.186. The provisions of this chapter are severable. If any provision of this chapter or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.

SEC. 3. If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.
Enrolled September 13, 2021
Passed IN Senate September 09, 2021
Passed IN Assembly September 08, 2021
Amended IN Assembly August 30, 2021
Amended IN Assembly June 17, 2021
Amended IN Assembly June 14, 2021
Amended IN Senate March 11, 2021

CALIFORNIA LEGISLATURE 2021-2022 REGULAR SESSION
Senate Bill No. 41
Introduced by Senator Umberg (Coauthor: Assembly Member Wicks)
December 07, 2020

An act to add Chapter 2.6 (commencing with Section 56.18) to Part 2.6 of Division 1 of the Civil Code, relating to privacy.
- Senate Bill No. 41
+ Enrolled September 13, 2021
+ Passed IN Senate September 09, 2021
+ Passed IN Assembly September 08, 2021
+ Amended IN Assembly August 30, 2021
+ Amended IN Assembly June 17, 2021
+ Amended IN Assembly June 14, 2021
+ Amended IN Senate March 11, 2021

- CHAPTER 596
+ CALIFORNIA LEGISLATURE 2021-2022 REGULAR SESSION
+
+ Senate Bill
+
+ No. 41
+
+ Introduced by Senator Umberg (Coauthor: Assembly Member Wicks)
+ December 07, 2020

An act to add Chapter 2.6 (commencing with Section 56.18) to Part 2.6 of Division 1 of the Civil Code, relating to privacy.

-
- [ Approved by Governor October 06, 2021. Filed with Secretary of State October 06, 2021. ]
## LEGISLATIVE COUNSEL'S DIGEST

SB 41, Umberg. Privacy: genetic testing companies.
Existing law, the California Consumer Privacy Act of 2018, provides various protections to a consumer with respect to a business that collects the consumer's personal information, including biometric information such as the consumer's deoxyribonucleic acid (DNA). The act requires a business that collects a consumer's personal information to, at or before the point of collection, inform the consumer as to the categories of personal information to be collected and the purposes for which the information will be used, and grants to a consumer the right to opt-out of the sale of the consumer's personal information by the business to a third party.

Existing law also prohibits the disclosure by a health care service plan of the results of a test for a genetic characteristic to a third party in a manner that identifies or provides identifying characteristics of the person to whom the test results apply, except pursuant to a written authorization to do so.

This bill would establish the Genetic Information Privacy Act, which would require a direct-to-consumer genetic testing company, as defined, to provide a consumer with certain information regarding the company's policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data, and to obtain a consumer's express consent for collection, use, or disclosure of the consumer's genetic data, as specified.

This bill would require a direct-to-consumer genetic testing company to honor a consumer's revocation of consent in accordance with certain procedures, and to destroy a consumer's biological sample within 30 days of revocation of consent. The bill would further require a direct-to-consumer genetic testing company to implement and maintain reasonable security procedures and practices to protect a consumer's genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data, as specified. The bill would exclude from its provisions the California Newborn Screening Program, specific tests, and certain information, providers, entities, and activities subject to specified state and federal laws.

This bill would provide that the act does not reduce a direct-to-consumer genetic testing company's duties, obligations, requirements, or standards under any applicable state and federal law for the protection of privacy and security and would further provide, if a conflict exists between the act and any other law, that the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.

This bill would impose civil penalties for a violation of those provisions, as specified. The bill would require actions for relief pursuant to these provisions to be prosecuted exclusively by the Attorney General, a district attorney, county counsel, city attorney, or city prosecutor, as specified, in the name of the people of the State of California upon their own complaint or upon the complaint of a board, officer, person, corporation, or association or upon a complaint by a person who has suffered injury in fact and has lost money or property as a result of the violation of the act. Because the bill would require local officials to perform additional duties, the bill would impose a state-mandated local program.

The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.

This bill would provide that, if the Commission on State Mandates determines that the bill contains costs mandated by the state, reimbursement for those costs shall be made pursuant to the statutory provisions noted above.
## Digest Key

## Bill Text
## The people of the State of California do enact as follows:

SECTION 1. The Legislature finds and declares all of the following:

(a) Direct-to-consumer genetic testing services are largely unregulated and could expose personal and genetic information, and potentially create unintended security consequences and increased risk.

(b) There is growing concern in the scientific community that outside parties are exploiting the use of genetic data for questionable purposes, including mass surveillance and the ability to track individuals without their authorization.

(c) Genomic data is highly distinguishable. There is a confirmation that a sequence of 30 to 80 single nucleotide polymorphisms could uniquely identify an individual. Genomic data is also very stable. It undergoes little change over the lifetime of an individual and thus has a long-lived value, as opposed to other biometric data such as blood tests, which have expiry dates.

(d) The potential information hidden within genomic data is cause for significant concern. As our knowledge in genomics evolves, so will our view on the sensitivity of genomic data.

SEC. 2. Chapter 2.6 (commencing with Section 56.18) is added to Part 2.6 of Division 1 of the Civil Code, to read:

CHAPTER 2.6. Genetic Privacy

56.18. (a) This chapter shall be known, and may be cited, as the Genetic Information Privacy Act.

(b) For purposes of this chapter, the following definitions apply:

(1) "Affirmative authorization" means an action that demonstrates an intentional decision by the consumer.

(2) "Biological sample" means any material part of the human, discharge therefrom, or derivative thereof, such as tissue, blood, urine, or saliva, known to contain deoxyribonucleic acid (DNA).

(3) "Consumer" means a natural person who is a California resident.

(4) "Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice.

(5) "Direct-to-consumer genetic testing company" means an entity that does any of the following:
(A) Sells, markets, interprets, or otherwise offers consumer-initiated genetic testing products or services directly to consumers.
(B) Analyzes genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition.
(C) Collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer.

(6) "Express consent" means a consumer's affirmative authorization to grant permission in response to a clear, meaningful, and prominent notice regarding the collection, use, maintenance, or disclosure of genetic data for a specific purpose. The nature of the data collection, use, maintenance, or disclosure shall be conveyed in clear and prominent terms in such a manner that an ordinary consumer would notice and understand it. Express consent cannot be inferred from inaction. Agreement obtained through use of dark patterns does not constitute consent.

(7) (A) "Genetic data" means any data, regardless of its format, that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from the analysis of the biological sample, and any information extrapolated, derived, or inferred therefrom.
(B) "Genetic data" does not include deidentified data. For purposes of this subparagraph, "deidentified data" means data that cannot be used to infer information about, or otherwise be linked to, a particular individual, provided that the business that possesses the information does all of the following:
(i) Takes reasonable measures to ensure that the information cannot be associated with a consumer or household.
(ii) Publicly commits to maintain and use the information only in deidentified form and not to attempt to reidentify the information, except that the business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this subparagraph, provided that the business does not use or disclose any information reidentified in this process and destroys the reidentified information upon completion of that assessment.
(iii) Contractually obligates any recipients of the information to take reasonable measures to ensure that the information cannot be associated with a consumer or household and to commit to maintaining and using the information only in deidentified form and not to reidentify the information.
(C) "Genetic data" does not include data or a biological sample to the extent that data or a biological sample is collected, used, maintained, and disclosed exclusively for scientific research conducted by an investigator with an institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, in compliance with all applicable federal and state laws and regulations for the protection of human subjects in research, including, but not limited to, the Common Rule pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, United States Food and Drug Administration regulations pursuant to Parts 50 and 56 of Title 21 of the Code of Federal Regulations, the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g), and the Protection of Human Subjects in Medical Experimentation Act, Chapter 1.3 (commencing with Section 24170) of Division 20 of the Health and Safety Code.

(8) "Genetic testing" means any laboratory test of a biological sample from a consumer for the purpose of determining information concerning genetic material contained within the biological sample, or any information extrapolated, derived, or inferred therefrom.

(9) "Person" means an individual, partnership, corporation, association, business, business trust, or legal representative of an organization.

(10) "Service provider" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that is involved in the collection, transportation, and analysis of the consumer's biological sample or extracted genetic material on behalf of the direct-to-consumer genetic testing company, or on behalf of any other company that collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer, or the delivery of the results of the analysis of the biological sample or genetic material. The contract between the company and the service provider shall prohibit the service provider from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, for any purpose other than for the specific purpose of performing the services specified in the contract for the business, including both of the following:
(A) A provision prohibiting the service provider from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, for a commercial purpose other than providing the services specified in the contract with the business.
(B) A provision prohibiting the service provider from associating or combining the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, with information the service provider has received from or on behalf of another person or persons, or has collected from its own interaction with consumers or as required by law.

56.181. (a) To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, a direct-to-consumer genetic testing company shall do both of the following:

(1) Provide clear and complete information regarding the company's policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data by making available to a consumer all of the following:
(A) A summary of its privacy practices, written in plain language, that includes information about the company's collection, use, maintenance, and disclosure, as applicable, of genetic data.
(B) A prominent and easily accessible privacy notice that includes, at a minimum, complete information about the company's data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices, and information that clearly describes how to file a complaint alleging a violation of this chapter, pursuant to subdivision (c) of Section 56.182.
(C) A notice that the consumer's deidentified genetic or phenotypic information may be shared with or disclosed to third parties for research purposes in accordance with Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations.

(2) Obtain a consumer's express consent for collection, use, and disclosure of the consumer's genetic data, including, at a minimum, separate and express consent for each of the following:
(A) The use of the genetic data collected through the genetic testing product or service offered to the consumer, including who has access to genetic data, and how genetic data may be shared, and the specific purposes for which it will be collected, used, and disclosed.
(B) The storage of a consumer's biological sample after the initial testing requested by the consumer has been fulfilled.
(C) Each use of genetic data or the biological sample beyond the primary purpose of the genetic testing or service and inherent contextual uses.
(D) Each transfer or disclosure of the consumer's genetic data or biological sample to a third party other than to a service provider, including the name of the third party to which the consumer's genetic data or biological sample will be transferred or disclosed.
(E) (i) The marketing or facilitation of marketing to a consumer based on the consumer's genetic data or the marketing or facilitation of marketing by a third party based upon the consumer having ordered, purchased, received, or used a genetic testing product or service.
(ii) This subparagraph does not require a direct-to-consumer genetic testing company to obtain a consumer's express consent to market to the consumer on the company's own website or mobile application based upon the consumer having ordered, purchased, received, or used a genetic testing product or service from that company if the content of the advertisement does not depend upon any information specific to that consumer, except for the product or service that the consumer ordered, purchased, received, or used, and the placement of the advertisement is not intended to result in disparate exposure to advertising content on the basis of any characteristic specified in Section 51. Nothing in this subparagraph alters, limits, or negates the requirements of any other antidiscrimination law or targeted advertising law.
(iii) Any advertisement of a third-party product or service presented to a consumer pursuant to either clause (i) or (ii) shall be prominently labeled as advertising content and be accompanied by the name of any third party that has contributed to the placement of the advertising. If applicable, the advertisement also shall clearly indicate that the advertised product or service, and any associated claims, have not been vetted or endorsed by the direct-to-consumer genetic testing company.
(F) For the purpose of this paragraph, "third party" does not include a public or private nonprofit postsecondary educational institution to the extent that the consumer's genetic data or biological sample is disclosed to a public or private nonprofit postsecondary educational institution for the purpose of scientific research or educational activities as described in paragraph (4) of subdivision (b) of Section 56.184.

(b) A company that is subject to the requirements described in paragraph (2) of subdivision (a) shall provide effective mechanisms, without any unnecessary steps, for a consumer to revoke their consent after it is given, at least one of which utilizes the primary medium through which the company communicates with consumers.

(c) If a consumer revokes the consent that they provided pursuant to paragraph (2) of subdivision (a), the company shall honor the consumer's consent revocation as soon as practicable, but not later than 30 days after the individual revokes consent, in accordance with both of the following:
(1) Revocation of consent under this section shall comply with Part 46 of Title 45 of the Code of Federal Regulations.
(2) The company shall destroy a consumer's biological sample within 30 days of receipt of revocation of consent to store the sample.

(d) The direct-to-consumer genetic testing company shall do both of the following:
(1) Implement and maintain reasonable security procedures and practices to protect a consumer's genetic data against unauthorized access, destruction, use, modification, or disclosure.
(2) Develop procedures and practices to enable a consumer to easily do any of the following:
(A) Access the consumer's genetic data.
(B) Delete the consumer's account and genetic data, except for genetic data that is required to be retained by the company to comply with applicable legal and regulatory requirements.
(C) Have the consumer's biological sample destroyed.

(e) A person or public entity shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under this chapter by doing any of the following, including, but not limited to:
(1) Denying goods, services, or benefits to the customer.
(2) Charging different prices or rates for goods or services, including through the use of discounts or other incentives or imposing penalties.
(3) Providing a different level or quality of goods, services, or benefits to the consumer.
(4) Suggesting that the consumer will receive a different price or rate for goods, services, or benefits, or a different level or quality of goods, services, or benefits.
(5) Considering the consumer's exercise of rights under this chapter as a basis for suspicion of criminal wrongdoing or unlawful conduct.

(f) (1) Notwithstanding any other provision in this section, and except as provided in paragraph (2), a direct-to-consumer genetic testing company shall not disclose a consumer's genetic data to any entity that is responsible for administering or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment or to any entity that provides advice to an entity that is responsible for performing those functions.
(2) A direct-to-consumer genetic testing company may disclose a consumer's genetic data or biological sample to an entity described in paragraph (1) if all of the following are true:
(A) The entity is not primarily engaged in administering health insurance, life insurance, long-term care insurance, disability insurance, or employment.
(B) The consumer's genetic data or biological sample is not disclosed to the entity in that entity's capacity as a party that is responsible for administering, advising, or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment.
(C) Any agent or division of the entity that is involved in administering, advising, or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment is prohibited from accessing the consumer's genetic data or biological sample.

56.182. (a) Any person who negligently violates this chapter shall be assessed a civil penalty in an amount not to exceed one thousand dollars ($1,000) plus court costs, as determined by the court.

(b) Any person who willfully violates this chapter shall be assessed a civil penalty in an amount not less than one thousand dollars ($1,000) and not more than ten thousand dollars ($10,000) plus court costs, as determined by the court.

(c) Actions for relief pursuant to this chapter shall be prosecuted exclusively in a court of competent jurisdiction by the Attorney General or a district attorney or by a county counsel authorized by agreement with the district attorney in actions involving violation of a county ordinance, or by a city attorney of a city having a population in excess of 750,000, or by a city attorney in a city and county or, with the consent of the district attorney, by a city prosecutor in a city having a full-time city prosecutor in the name of the people of the State of California upon their own complaint or upon the complaint of a board, officer, person, corporation, or association, or upon a complaint by a person who has suffered injury in fact and has lost money or property as a result of the violation of this chapter.

(d) Court costs recovered pursuant to this section shall be paid to the party or parties that prosecuted the violation. Penalties recovered pursuant to this section shall be paid to the individual to whom the genetic data at issue pertains.

(e) Any provision of a contract or agreement between a consumer and a person governed by this chapter that has, or would have, the effect of delaying or limiting access to a legal remedy for a violation of this chapter shall not apply to the exercise of rights or enforcement pursuant to this chapter.

(f) Each violation of this chapter is a separate and actionable violation.

56.184. (a) The provisions of this chapter shall not reduce a direct-to-consumer genetic testing company's duties, obligations, requirements, or standards under any applicable state and federal laws for the protection of privacy and security.

(b) In the event of a conflict between the provisions of this chapter and any other law, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.

(c) This chapter shall not apply to any of the following:
(1) Medical information governed by the Confidentiality of Medical Information Act, Part 2.6 (commencing with Section 56), or to protected health information that is collected, maintained, used, or disclosed by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).
(2) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56)) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the provider or covered entity maintains, uses, and discloses genetic information in the same manner as medical information or protected health information, as described in paragraph (1).
(3) A business associate of a covered entity governed by the privacy, security, and data breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the business associate maintains, uses, and discloses genetic information in the same manner as medical information or protected health information, as described in paragraph (1).
(4) Scientific research or educational activities conducted by a public or private nonprofit postsecondary educational institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 of Title 45 of the Code of Federal Regulations, to the extent that the scientific research and educational activities conducted by that institution comply with all applicable federal and state laws and regulations for the protection of human subjects in research, including, but not limited to, the Common Rule pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, United States Food and Drug Administration regulations pursuant to Parts 50 and 56 of Title 21 of the Code of Federal Regulations, the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g), and the Protection of Human Subjects in Medical Experimentation Act, Chapter 1.3 (commencing with Section 24170) of Division 20 of the Health and Safety Code.
(5) The California Newborn Screening Program authorized by Chapter 1 (commencing with Section 124975) of Part 5 of Division 106 of the Health and Safety Code.
(6) Tests conducted exclusively to diagnose whether an individual has a specific disease, to the extent that all persons involved in the conduct of the test maintain, use, and disclose genetic information in the same manner as medical information or protected health information, as described in paragraph (1).
(7) Genetic data used or maintained by an employer, or disclosed by an employee to an employer, to the extent that the use, maintenance, or disclosure of that data is necessary to comply with a local, state, or federal workplace health and safety ordinance, law, or regulation.

(d) Nothing in this chapter shall be construed to affect access to information made available to the public by the consumer.

56.186. The provisions of this chapter are severable. If any provision of this chapter or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.

SEC. 3. If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.
## The people of the State of California do enact as follows:
### SECTION 1.

The Legislature finds and declares all of the following:
(a) Direct-to-consumer genetic testing services are largely unregulated and could expose personal and genetic information, and potentially create unintended security consequences and increased risk.

(b) There is growing concern in the scientific community that outside parties are exploiting the use of genetic data for questionable purposes, including mass surveillance and the ability to track individuals without their authorization.

(c) Genomic data is highly distinguishable. There is a confirmation that a sequence of 30 to 80 single nucleotide polymorphisms could uniquely identify an individual. Genomic data is also very stable. It undergoes little change over the lifetime of an individual and thus has a long-lived value, as opposed to other biometric data such as blood tests, which have expiry dates.

(d) The potential information hidden within genomic data is cause for significant concern. As our knowledge in genomics evolves, so will our view on the sensitivity of genomic data.
### SEC. 2.

Chapter 2.6 (commencing with Section 56.18) is added to Part 2.6 of Division 1 of the Civil Code, to read:

CHAPTER 2.6. Genetic Privacy

56.18. (a) This chapter shall be known, and may be cited, as the Genetic Information Privacy Act.

(b) For purposes of this chapter, the following definitions apply:

(1) "Affirmative authorization" means an action that demonstrates an intentional decision by the consumer.

(2) "Biological sample" means any material part of the human, discharge therefrom, or derivative thereof, such as tissue, blood, urine, or saliva, known to contain deoxyribonucleic acid (DNA).

(3) "Consumer" means a natural person who is a California resident.

(4) "Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice.

(5) "Direct-to-consumer genetic testing company" means an entity that does any of the following:

(A) Sells, markets, interprets, or otherwise offers consumer-initiated genetic testing products or services directly to consumers.

(B) Analyzes genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition.

(C) Collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer.

(6) "Express consent" means a consumer's affirmative authorization to grant permission in response to a clear, meaningful, and prominent notice regarding the collection, use, maintenance, or disclosure of genetic data for a specific purpose. The nature of the data collection, use, maintenance, or disclosure shall be conveyed in clear and prominent terms in such a manner that an ordinary consumer would notice and understand it. Express consent cannot be inferred from inaction. Agreement obtained through use of dark patterns does not constitute consent.

(7) (A) "Genetic data" means any data, regardless of its format, that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from the analysis of the biological sample, and any information extrapolated, derived, or inferred therefrom.

(B) "Genetic data" does not include deidentified data. For purposes of this subparagraph, "deidentified data" means data that cannot be used to infer information about, or otherwise be linked to, a particular individual, provided that the business that possesses the information does all of the following:

(i) Takes reasonable measures to ensure that the information cannot be associated with a consumer or household.

(ii) Publicly commits to maintain and use the information only in deidentified form and not to attempt to reidentify the information, except that the business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this subparagraph, provided that the business does not use or disclose any information reidentified in this process and destroys the reidentified information upon completion of that assessment.

(iii) Contractually obligates any recipients of the information to take reasonable measures to ensure that the information cannot be associated with a consumer or household and to commit to maintaining and using the information only in deidentified form and not to reidentify the information.

(C) "Genetic data" does not include data or a biological sample to the extent that data or a biological sample is collected, used, maintained, and disclosed exclusively for scientific research conducted by an investigator with an institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, in compliance with all applicable federal and state laws and regulations for the protection of human subjects in research, including, but not limited to, the Common Rule pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, United States Food and Drug Administration regulations pursuant to Parts 50 and 56 of Title 21 of the Code of Federal Regulations, the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g), and the Protection of Human Subjects in Medical Experimentation Act, Chapter 1.3 (commencing with Section 24170) of Division 20 of the Health and Safety Code.

(8) "Genetic testing" means any laboratory test of a biological sample from a consumer for the purpose of determining information concerning genetic material contained within the biological sample, or any information extrapolated, derived, or inferred therefrom.

(9) "Person" means an individual, partnership, corporation, association, business, business trust, or legal representative of an organization.

(10) "Service provider" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that is involved in the collection, transportation, and analysis of the consumer's biological sample or extracted genetic material on behalf of the direct-to-consumer genetic testing company, or on behalf of any other company that collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer, or the delivery of the results of the analysis of the biological sample or genetic material. The contract between the company and the service provider shall prohibit the service provider from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, for any purpose other than for the specific purpose of performing the services specified in the contract for the business, including both of the following:

(A) A provision prohibiting the service provider from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, for a commercial purpose other than providing the services specified in the contract with the business.

(B) A provision prohibiting the service provider from associating or combining the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, with information the service provider has received from or on behalf of another person or persons, or has collected from its own interaction with consumers or as required by law.

56.181.
(a) To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, a direct-to-consumer genetic testing company shall do both of the following:

(1) Provide clear and complete information regarding the company's policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data by making available to a consumer all of the following:

(A) A summary of its privacy practices, written in plain language, that includes information about the company's collection, use, maintenance, and disclosure, as applicable, of genetic data.

(B) A prominent and easily accessible privacy notice that includes, at a minimum, complete information about the company's data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices, and information that clearly describes how to file a complaint alleging a violation of this chapter, pursuant to subdivision (c) of Section 56.182.

(C) A notice that the consumer's deidentified genetic or phenotypic information may be shared with or disclosed to third parties for research purposes in accordance with Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations.

(2) Obtain a consumer's express consent for collection, use, and disclosure of the consumer's genetic data, including, at a minimum, separate and express consent for each of the following:

(A) The use of the genetic data collected through the genetic testing product or service offered to the consumer, including who has access to genetic data, and how genetic data may be shared, and the specific purposes for which it will be collected, used, and disclosed.

(B) The storage of a consumer's biological sample after the initial testing requested by the consumer has been fulfilled.

(C) Each use of genetic data or the biological sample beyond the primary purpose of the genetic testing or service and inherent contextual uses.

(D) Each transfer or disclosure of the consumer's genetic data or biological sample to a third party other than to a service provider, including the name of the third party to which the consumer's genetic data or biological sample will be transferred or disclosed.

(E) (i) The marketing or facilitation of marketing to a consumer based on the consumer's genetic data or the marketing or facilitation of marketing by a third party based upon the consumer having ordered, purchased, received, or used a genetic testing product or service.

(ii) This subparagraph does not require a direct-to-consumer genetic testing company to obtain a consumer's express consent to market to the consumer on the company's own website or mobile application based upon the consumer having ordered, purchased, received, or used a genetic testing product or service from that company if the content of the advertisement does not depend upon any information specific to that consumer, except for the product or service that the consumer ordered, purchased, received, or used, and the placement of the advertisement is not intended to result in disparate exposure to advertising content on the basis of any characteristic specified in Section 51. Nothing in this subparagraph alters, limits, or negates the requirements of any other antidiscrimination law or targeted advertising law.

(iii) Any advertisement of a third-party product or service presented to a consumer pursuant to either clause (i) or (ii) shall be prominently labeled as advertising content and be accompanied by the name of any third party that has contributed to the placement of the advertising. If applicable, the advertisement also shall clearly indicate that the advertised product or service, and any associated claims, have not been vetted or endorsed by the direct-to-consumer genetic testing company.
(F) For the purpose of this paragraph, "third party" does not include a public or private nonprofit postsecondary educational institution to the extent that the consumer's genetic data or biological sample is disclosed to a public or private nonprofit postsecondary educational institution for the purpose of scientific research or educational activities as described in paragraph (4) of subdivision (b) of Section 56.184.

(b) A company that is subject to the requirements described in paragraph (2) of subdivision (a) shall provide effective mechanisms, without any unnecessary steps, for a consumer to revoke their consent after it is given, at least one of which utilizes the primary medium through which the company communicates with consumers.

(c) If a consumer revokes the consent that they provided pursuant to paragraph (2) of subdivision (a), the company shall honor the consumer's consent revocation as soon as practicable, but not later than 30 days after the individual revokes consent, in accordance with both of the following:

(1) Revocation of consent under this section shall comply with Part 46 of Title 45 of the Code of Federal Regulations.

(2) The company shall destroy a consumer's biological sample within 30 days of receipt of revocation of consent to store the sample.

(d) The direct-to-consumer genetic testing company shall do both of the following:

(1) Implement and maintain reasonable security procedures and practices to protect a consumer's genetic data against unauthorized access, destruction, use, modification, or disclosure.

(2) Develop procedures and practices to enable a consumer to easily do any of the following:

(A) Access the consumer's genetic data.

(B) Delete the consumer's account and genetic data, except for genetic data that is required to be retained by the company to comply with applicable legal and regulatory requirements.

(C) Have the consumer's biological sample destroyed.

(e) A person or public entity shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under this chapter by doing any of the following, including, but not limited to:

(1) Denying goods, services, or benefits to the customer.

(2) Charging different prices or rates for goods or services, including through the use of discounts or other incentives or imposing penalties.

(3) Providing a different level or quality of goods, services, or benefits to the consumer.

(4) Suggesting that the consumer will receive a different price or rate for goods, services, or benefits, or a different level or quality of goods, services, or benefits.

(5) Considering the consumer's exercise of rights under this chapter as a basis for suspicion of criminal wrongdoing or unlawful conduct.

(f) (1) Notwithstanding any other provision in this section, and except as provided in paragraph (2), a direct-to-consumer genetic testing company shall not disclose a consumer's genetic data to any entity that is responsible for administering or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment or to any entity that provides advice to an entity that is responsible for performing those functions.

(2) A direct-to-consumer genetic testing company may disclose a consumer's genetic data or biological sample to an entity described in paragraph (1) if all of the following are true:

(A) The entity is not primarily engaged in administering health insurance, life insurance, long-term care insurance, disability insurance, or employment.

(B) The consumer's genetic data or biological sample is not disclosed to the entity in that entity's capacity as a party that is responsible for administering, advising, or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment.

(C) Any agent or division of the entity that is involved in administering, advising, or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment is prohibited from accessing the consumer's genetic data or biological sample.

56.182. (a) Any person who negligently violates this chapter shall be assessed a civil penalty in an amount not to exceed one thousand dollars ($1,000) plus court costs, as determined by the court.

(b) Any person who willfully violates this chapter shall be assessed a civil penalty in an amount not less than one thousand dollars ($1,000) and not more than ten thousand dollars ($10,000) plus court costs, as determined by the court.

(c) Actions for relief pursuant to this chapter shall be prosecuted exclusively in a court of competent jurisdiction by the Attorney General or a district attorney or by a county counsel authorized by agreement with the district attorney in actions involving violation of a county ordinance, or by a city attorney of a city having a population in excess of 750,000, or by a city attorney in a city and county or, with the consent of the district attorney, by a city prosecutor in a city having a full-time city prosecutor in the name of the people of the State of California upon their own complaint or upon the complaint of a board, officer, person, corporation, or association, or upon a complaint by a person who has suffered injury in fact and has lost money or property as a result of the violation of this chapter.

(d) Court costs recovered pursuant to this section shall be paid to the party or parties that prosecuted the violation. Penalties recovered pursuant to this section shall be paid to the individual to whom the genetic data at issue pertains.

(e) Any provision of a contract or agreement between a consumer and a person governed by this chapter that has, or would have, the effect of delaying or limiting access to a legal remedy for a violation of this chapter shall not apply to the exercise of rights or enforcement pursuant to this chapter.

(f) Each violation of this chapter is a separate and actionable violation.

56.184. (a) The provisions of this chapter shall not reduce a direct-to-consumer genetic testing company's duties, obligations, requirements, or standards under any applicable state and federal laws for the protection of privacy and security.

(b) In the event of a conflict between the provisions of this chapter and any other law, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.
(c) This chapter shall not apply to any of the following:

(1) Medical information governed by the Confidentiality of Medical Information Act, Part 2.6 (commencing with Section 56), or to protected health information that is collected, maintained, used, or disclosed by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).

(2) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56)) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the provider or covered entity maintains, uses, and discloses genetic information in the same manner as medical information or protected health information, as described in paragraph (1).

(3) A business associate of a covered entity governed by the privacy, security, and data breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the business associate maintains, uses, and discloses genetic information in the same manner as medical information or protected health information, as described in paragraph (1).

(4) Scientific research or educational activities conducted by a public or private nonprofit postsecondary educational institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 of Title 45 of the Code of Federal Regulations, to the extent that the scientific research and educational activities conducted by that institution comply with all applicable federal and state laws and regulations for the protection of human subjects in research, including, but not limited to, the Common Rule pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, United States Food and Drug Administration regulations pursuant to Parts 50 and 56 of Title 21 of the Code of Federal Regulations, the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g), and the Protection of Human Subjects in Medical Experimentation Act, Chapter 1.3 (commencing with Section 24170) of Division 20 of the Health and Safety Code.

(5) The California Newborn Screening Program authorized by Chapter 1 (commencing with Section 124975) of Part 5 of Division 106 of the Health and Safety Code.

(6) Tests conducted exclusively to diagnose whether an individual has a specific disease, to the extent that all persons involved in the conduct of the test maintain, use, and disclose genetic information in the same manner as medical information or protected health information, as described in paragraph (1).

(7) Genetic data used or maintained by an employer, or disclosed by an employee to an employer, to the extent that the use, maintenance, or disclosure of that data is necessary to comply with a local, state, or federal workplace health and safety ordinance, law, or regulation.

(d) Nothing in this chapter shall be construed to affect access to information made available to the public by the consumer.

56.186. The provisions of this chapter are severable. If any provision of this chapter or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.
(F) For the purpose of this paragraph, third party does not include a public or private nonprofit postsecondary educational institution to the extent that the consumers genetic data or biological sample is disclosed to a public or private nonprofit postsecondary educational institution for the purpose of scientific research or educational activities as described in paragraph (4) of subdivision (b) of Section 56.184.(b) A company that is subject to the requirements described in paragraph (2) of subdivision (a) shall provide effective mechanisms, without any unnecessary steps, for a consumer to revoke their consent after it is given, at least one of which utilizes the primary medium through which the company communicates with consumers.(c) If a consumer revokes the consent that they provided pursuant to paragraph (2) of subdivision (a), the company shall honor the consumers consent revocation as soon as practicable, but not later than 30 days after the individual revokes consent, in accordance with both of the following:(1) Revocation of consent under this section shall comply with Part 46 of Title 45 of the Code of Federal Regulations. 
(2) The company shall destroy a consumers biological sample within 30 days of receipt of revocation of consent to store the sample.(d) The direct-to-consumer genetic testing company shall do both of the following: (1) Implement and maintain reasonable security procedures and practices to protect a consumers genetic data against unauthorized access, destruction, use, modification, or disclosure.(2) Develop procedures and practices to enable a consumer to easily do any of the following:(A) Access the consumers genetic data.(B) Delete the consumers account and genetic data, except for genetic data that is required to be retained by the company to comply with applicable legal and regulatory requirements.(C) Have the consumers biological sample destroyed.(e) A person or public entity shall not discriminate against a consumer because the consumer exercised any of the consumers rights under this chapter by doing any of the following, including, but not limited to:(1) Denying goods, services, or benefits to the customer.(2) Charging different prices or rates for goods or services, including through the use of discounts or other incentives or imposing penalties.(3) Providing a different level or quality of goods, services, or benefits to the consumer.(4) Suggesting that the consumer will receive a different price or rate for goods, services, or benefits, or a different level or quality of goods, services, or benefits.(5) Considering the consumers exercise of rights under this chapter as a basis for suspicion of criminal wrongdoing or unlawful conduct.(f) (1) Notwithstanding any other provision in this section, and except as provided in paragraph (2), a direct-to-consumer genetic testing company shall not disclose a consumers genetic data to any entity that is responsible for administering or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment or to any entity that provides advice to an entity that is 
responsible for performing those functions.(2) A direct-to-consumer genetic testing company may disclose a consumers genetic data or biological sample to an entity described in paragraph (1) if all of the following are true:(A) The entity is not primarily engaged in administering health insurance, life insurance, long-term care insurance, disability insurance, or employment.(B) The consumers genetic data or biological sample is not disclosed to the entity in that entitys capacity as a party that is responsible for administering, advising, or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment.(C) Any agent or division of the entity that is involved in administering, advising, or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment is prohibited from accessing the consumers genetic data or biological sample.56.182. (a) Any person who negligently violates this chapter shall be assessed a civil penalty in an amount not to exceed one thousand dollars ($1,000) plus court costs, as determined by the court.(b) Any person who willfully violates this chapter shall be assessed a civil penalty in an amount not less than one thousand dollars ($1,000) and not more than ten thousand dollars ($10,000) plus court costs, as determined by the court.(c) Actions for relief pursuant to this chapter shall be prosecuted exclusively in a court of competent jurisdiction by the Attorney General or a district attorney or by a county counsel authorized by agreement with the district attorney in actions involving violation of a county ordinance, or by a city attorney of a city having a population in excess of 750,000, or by a city attorney in a city and county or, with the consent of the district attorney, by a city prosecutor in a city having a full-time city prosecutor in the name of the people of the State of California upon their own complaint or upon 
the complaint of a board, officer, person, corporation, or association, or upon a complaint by a person who has suffered injury in fact and has lost money or property as a result of the violation of this chapter.(d) Court costs recovered pursuant to this section shall be paid to the party or parties that prosecuted the violation. Penalties recovered pursuant to this section shall be paid to the individual to whom the genetic data at issue pertains.(e) Any provision of a contract or agreement between a consumer and a person governed by this chapter that has, or would have, the effect of delaying or limiting access to a legal remedy for a violation of this chapter shall not apply to the exercise of rights or enforcement pursuant to this chapter.(f) Each violation of this chapter is a separate and actionable violation.56.184. (a) The provisions of this chapter shall not reduce a direct-to-consumer genetic testing companys duties, obligations, requirements, or standards under any applicable state and federal laws for the protection of privacy and security.(b) In the event of a conflict between the provisions of this chapter and any other law, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control. 
(c) This chapter shall not apply to any of the following:(1) Medical information governed by the Confidentiality of Medical Information Act, Part 2.6 (commencing with Section 56), or to protected health information that is collected, maintained, used, or disclosed by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).(2) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56)) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the provider or covered entity maintains, uses, and discloses genetic information in the same manner as medical information or protected health information, as described in paragraph (1).(3) A business associate of a covered entity governed by the privacy, security, and data breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and 
Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the business associate maintains, uses, and discloses genetic information in the same manner as medical information or protected health information, as described in paragraph (1).(4) Scientific research or educational activities conducted by a public or private nonprofit postsecondary educational institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 of Title 45 of the Code of Federal Regulations, to the extent that the scientific research and educational activities conducted by that institution comply with all applicable federal and state laws and regulations for the protection of human subjects in research, including, but not limited to, the Common Rule pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, United States Food and Drug Administration regulations pursuant to Parts 50 and 56 of Title 21 of the Code of Federal Regulations, the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 
1232g), and the Protection of Human Subjects in Medical Experimentation Act, Chapter 1.3 (commencing with Section 24170) of Division 20 of the Health and Safety Code.(5) The California Newborn Screening Program authorized by Chapter 1 (commencing with Section 124975) of Part 5 of Division 106 of the Health and Safety Code.(6) Tests conducted exclusively to diagnose whether an individual has a specific disease, to the extent that all persons involved in the conduct of the test maintain, use, and disclose genetic information in the same manner as medical information or protected health information, as described in paragraph (1).(7) Genetic data used or maintained by an employer, or disclosed by an employee to an employer, to the extent that the use, maintenance, or disclosure of that data is necessary to comply with a local, state, or federal workplace health and safety ordinance, law, or regulation.(d) Nothing in this chapter shall be construed to affect access to information made available to the public by the consumer.56.186. The provisions of this chapter are severable. If any provision of this chapter or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.
CHAPTER 2.6. Genetic Privacy

56.18. (a) This chapter shall be known, and may be cited, as the Genetic Information Privacy Act.
(b) For purposes of this chapter, the following definitions apply:
(1) "Affirmative authorization" means an action that demonstrates an intentional decision by the consumer.
(2) "Biological sample" means any material part of the human, discharge therefrom, or derivative thereof, such as tissue, blood, urine, or saliva, known to contain deoxyribonucleic acid (DNA).
(3) "Consumer" means a natural person who is a California resident.
(4) "Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice.
(5) "Direct-to-consumer genetic testing company" means an entity that does any of the following:
(A) Sells, markets, interprets, or otherwise offers consumer-initiated genetic testing products or services directly to consumers.
(B) Analyzes genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition.
(C) Collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer.
(6) "Express consent" means a consumer's affirmative authorization to grant permission in response to a clear, meaningful, and prominent notice regarding the collection, use, maintenance, or disclosure of genetic data for a specific purpose. The nature of the data collection, use, maintenance, or disclosure shall be conveyed in clear and prominent terms in such a manner that an ordinary consumer would notice and understand it. Express consent cannot be inferred from inaction. Agreement obtained through use of dark patterns does not constitute consent.
(7) (A) "Genetic data" means any data, regardless of its format, that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from the analysis of the biological sample, and any information extrapolated, derived, or inferred therefrom.
(B) "Genetic data" does not include deidentified data. For purposes of this subparagraph, "deidentified data" means data that cannot be used to infer information about, or otherwise be linked to, a particular individual, provided that the business that possesses the information does all of the following:
(i) Takes reasonable measures to ensure that the information cannot be associated with a consumer or household.
(ii) Publicly commits to maintain and use the information only in deidentified form and not to attempt to reidentify the information, except that the business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this subparagraph, provided that the business does not use or disclose any information reidentified in this process and destroys the reidentified information upon completion of that assessment.
(iii) Contractually obligates any recipients of the information to take reasonable measures to ensure that the information cannot be associated with a consumer or household and to commit to maintaining and using the information only in deidentified form and not to reidentify the information.
(C) "Genetic data" does not include data or a biological sample to the extent that data or a biological sample is collected, used, maintained, and disclosed exclusively for scientific research conducted by an investigator with an institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, in compliance with all applicable federal and state laws and regulations for the protection of human subjects in research, including, but not limited to, the Common Rule pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, United States Food and Drug Administration regulations pursuant to Parts 50 and 56 of Title 21 of the Code of Federal Regulations, the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g), and the Protection of Human Subjects in Medical Experimentation Act, Chapter 1.3 (commencing with Section 24170) of Division 20 of the Health and Safety Code.
(8) "Genetic testing" means any laboratory test of a biological sample from a consumer for the purpose of determining information concerning genetic material contained within the biological sample, or any information extrapolated, derived, or inferred therefrom.
(9) "Person" means an individual, partnership, corporation, association, business, business trust, or legal representative of an organization.
(10) "Service provider" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that is involved in the collection, transportation, and analysis of the consumer's biological sample or extracted genetic material on behalf of the direct-to-consumer genetic testing company, or on behalf of any other company that collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer, or the delivery of the results of the analysis of the biological sample or genetic material. The contract between the company and the service provider shall prohibit the service provider from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, for any purpose other than for the specific purpose of performing the services specified in the contract for the business, including both of the following:
(A) A provision prohibiting the service provider from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, for a commercial purpose other than providing the services specified in the contract with the business.
(B) A provision prohibiting the service provider from associating or combining the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, with information the service provider has received from or on behalf of another person or persons, or has collected from its own interaction with consumers or as required by law.

56.181. (a) To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, a direct-to-consumer genetic testing company shall do both of the following:
(1) Provide clear and complete information regarding the company's policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data by making available to a consumer all of the following:
(A) A summary of its privacy practices, written in plain language, that includes information about the company's collection, use, maintenance, and disclosure, as applicable, of genetic data.
(B) A prominent and easily accessible privacy notice that includes, at a minimum, complete information about the company's data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices, and information that clearly describes how to file a complaint alleging a violation of this chapter, pursuant to subdivision (c) of Section 56.182.
(C) A notice that the consumer's deidentified genetic or phenotypic information may be shared with or disclosed to third parties for research purposes in accordance with Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations.
(2) Obtain a consumer's express consent for collection, use, and disclosure of the consumer's genetic data, including, at a minimum, separate and express consent for each of the following:
(A) The use of the genetic data collected through the genetic testing product or service offered to the consumer, including who has access to genetic data, and how genetic data may be shared, and the specific purposes for which it will be collected, used, and disclosed.
(B) The storage of a consumer's biological sample after the initial testing requested by the consumer has been fulfilled.
(C) Each use of genetic data or the biological sample beyond the primary purpose of the genetic testing or service and inherent contextual uses.
(D) Each transfer or disclosure of the consumer's genetic data or biological sample to a third party other than to a service provider, including the name of the third party to which the consumer's genetic data or biological sample will be transferred or disclosed.
(E) (i) The marketing or facilitation of marketing to a consumer based on the consumer's genetic data or the marketing or facilitation of marketing by a third party based upon the consumer having ordered, purchased, received, or used a genetic testing product or service.
(ii) This subparagraph does not require a direct-to-consumer genetic testing company to obtain a consumer's express consent to market to the consumer on the company's own website or mobile application based upon the consumer having ordered, purchased, received, or used a genetic testing product or service from that company if the content of the advertisement does not depend upon any information specific to that consumer, except for the product or service that the consumer ordered, purchased, received, or used, and the placement of the advertisement is not intended to result in disparate exposure to advertising content on the basis of any characteristic specified in Section 51. Nothing in this subparagraph alters, limits, or negates the requirements of any other antidiscrimination law or targeted advertising law.
(iii) Any advertisement of a third-party product or service presented to a consumer pursuant to either clause (i) or (ii) shall be prominently labeled as advertising content and be accompanied by the name of any third party that has contributed to the placement of the advertising. If applicable, the advertisement also shall clearly indicate that the advertised product or service, and any associated claims, have not been vetted or endorsed by the direct-to-consumer genetic testing company.
(F) For the purpose of this paragraph, "third party" does not include a public or private nonprofit postsecondary educational institution to the extent that the consumer's genetic data or biological sample is disclosed to a public or private nonprofit postsecondary educational institution for the purpose of scientific research or educational activities as described in paragraph (4) of subdivision (b) of Section 56.184.
(b) A company that is subject to the requirements described in paragraph (2) of subdivision (a) shall provide effective mechanisms, without any unnecessary steps, for a consumer to revoke their consent after it is given, at least one of which utilizes the primary medium through which the company communicates with consumers.
(c) If a consumer revokes the consent that they provided pursuant to paragraph (2) of subdivision (a), the company shall honor the consumer's consent revocation as soon as practicable, but not later than 30 days after the individual revokes consent, in accordance with both of the following:
(1) Revocation of consent under this section shall comply with Part 46 of Title 45 of the Code of Federal Regulations.
(2) The company shall destroy a consumer's biological sample within 30 days of receipt of revocation of consent to store the sample.
(d) The direct-to-consumer genetic testing company shall do both of the following:
(1) Implement and maintain reasonable security procedures and practices to protect a consumer's genetic data against unauthorized access, destruction, use, modification, or disclosure.
(2) Develop procedures and practices to enable a consumer to easily do any of the following:
(A) Access the consumer's genetic data.
(B) Delete the consumer's account and genetic data, except for genetic data that is required to be retained by the company to comply with applicable legal and regulatory requirements.
(C) Have the consumer's biological sample destroyed.
(e) A person or public entity shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under this chapter by doing any of the following, including, but not limited to:
(1) Denying goods, services, or benefits to the customer.
(2) Charging different prices or rates for goods or services, including through the use of discounts or other incentives or imposing penalties.
(3) Providing a different level or quality of goods, services, or benefits to the consumer.
(4) Suggesting that the consumer will receive a different price or rate for goods, services, or benefits, or a different level or quality of goods, services, or benefits.
(5) Considering the consumer's exercise of rights under this chapter as a basis for suspicion of criminal wrongdoing or unlawful conduct.
(f) (1) Notwithstanding any other provision in this section, and except as provided in paragraph (2), a direct-to-consumer genetic testing company shall not disclose a consumer's genetic data to any entity that is responsible for administering or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment or to any entity that provides advice to an entity that is responsible for performing those functions.
(2) A direct-to-consumer genetic testing company may disclose a consumer's genetic data or biological sample to an entity described in paragraph (1) if all of the following are true:
(A) The entity is not primarily engaged in administering health insurance, life insurance, long-term care insurance, disability insurance, or employment.
(B) The consumer's genetic data or biological sample is not disclosed to the entity in that entity's capacity as a party that is responsible for administering, advising, or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment.
(C) Any agent or division of the entity that is involved in administering, advising, or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment is prohibited from accessing the consumer's genetic data or biological sample.

56.182. (a) Any person who negligently violates this chapter shall be assessed a civil penalty in an amount not to exceed one thousand dollars ($1,000) plus court costs, as determined by the court.
(b) Any person who willfully violates this chapter shall be assessed a civil penalty in an amount not less than one thousand dollars ($1,000) and not more than ten thousand dollars ($10,000) plus court costs, as determined by the court.
(c) Actions for relief pursuant to this chapter shall be prosecuted exclusively in a court of competent jurisdiction by the Attorney General or a district attorney or by a county counsel authorized by agreement with the district attorney in actions involving violation of a county ordinance, or by a city attorney of a city having a population in excess of 750,000, or by a city attorney in a city and county or, with the consent of the district attorney, by a city prosecutor in a city having a full-time city prosecutor in the name of the people of the State of California upon their own complaint or upon the complaint of a board, officer, person, corporation, or association, or upon a complaint by a person who has suffered injury in fact and has lost money or property as a result of the violation of this chapter.
(d) Court costs recovered pursuant to this section shall be paid to the party or parties that prosecuted the violation. Penalties recovered pursuant to this section shall be paid to the individual to whom the genetic data at issue pertains.
(e) Any provision of a contract or agreement between a consumer and a person governed by this chapter that has, or would have, the effect of delaying or limiting access to a legal remedy for a violation of this chapter shall not apply to the exercise of rights or enforcement pursuant to this chapter.
(f) Each violation of this chapter is a separate and actionable violation.

56.184. (a) The provisions of this chapter shall not reduce a direct-to-consumer genetic testing company's duties, obligations, requirements, or standards under any applicable state and federal laws for the protection of privacy and security.
(b) In the event of a conflict between the provisions of this chapter and any other law, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.
(c) This chapter shall not apply to any of the following:
(1) Medical information governed by the Confidentiality of Medical Information Act, Part 2.6 (commencing with Section 56), or to protected health information that is collected, maintained, used, or disclosed by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).
(2) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56)) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the provider or covered entity maintains, uses, and discloses genetic information in the same manner as medical information or protected health information, as described in paragraph (1).
(3) A business associate of a covered entity governed by the privacy, security, and data breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the business associate maintains, uses, and discloses genetic information in the same manner as medical information or protected health information, as described in paragraph (1).
(4) Scientific research or educational activities conducted by a public or private nonprofit postsecondary educational institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 of Title 45 of the Code of Federal Regulations, to the extent that the scientific research and educational activities conducted by that institution comply with all applicable federal and state laws and regulations for the protection of human subjects in research, including, but not limited to, the Common Rule pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, United States Food and Drug Administration regulations pursuant to Parts 50 and 56 of Title 21 of the Code of Federal Regulations, the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec.
1232g), and the Protection of Human Subjects in Medical Experimentation Act, Chapter 1.3 (commencing with Section 24170) of Division 20 of the Health and Safety Code.(5) The California Newborn Screening Program authorized by Chapter 1 (commencing with Section 124975) of Part 5 of Division 106 of the Health and Safety Code.(6) Tests conducted exclusively to diagnose whether an individual has a specific disease, to the extent that all persons involved in the conduct of the test maintain, use, and disclose genetic information in the same manner as medical information or protected health information, as described in paragraph (1).(7) Genetic data used or maintained by an employer, or disclosed by an employee to an employer, to the extent that the use, maintenance, or disclosure of that data is necessary to comply with a local, state, or federal workplace health and safety ordinance, law, or regulation.(d) Nothing in this chapter shall be construed to affect access to information made available to the public by the consumer.56.186. The provisions of this chapter are severable. If any provision of this chapter or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.
CHAPTER 2.6. Genetic Privacy
56.18. (a) This chapter shall be known, and may be cited, as the Genetic Information Privacy Act.

(b) For purposes of this chapter, the following definitions apply:

(1) "Affirmative authorization" means an action that demonstrates an intentional decision by the consumer.

(2) "Biological sample" means any material part of the human, discharge therefrom, or derivative thereof, such as tissue, blood, urine, or saliva, known to contain deoxyribonucleic acid (DNA).

(3) "Consumer" means a natural person who is a California resident.

(4) "Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice.

(5) "Direct-to-consumer genetic testing company" means an entity that does any of the following:

(A) Sells, markets, interprets, or otherwise offers consumer-initiated genetic testing products or services directly to consumers.

(B) Analyzes genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition.

(C) Collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer.

(6) "Express consent" means a consumer's affirmative authorization to grant permission in response to a clear, meaningful, and prominent notice regarding the collection, use, maintenance, or disclosure of genetic data for a specific purpose. The nature of the data collection, use, maintenance, or disclosure shall be conveyed in clear and prominent terms in such a manner that an ordinary consumer would notice and understand it. Express consent cannot be inferred from inaction. Agreement obtained through use of dark patterns does not constitute consent.

(7) (A) "Genetic data" means any data, regardless of its format, that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from the analysis of the biological sample, and any information extrapolated, derived, or inferred therefrom.

(B) Genetic data does not include deidentified data. For purposes of this subparagraph, "deidentified data" means data that cannot be used to infer information about, or otherwise be linked to, a particular individual, provided that the business that possesses the information does all of the following:

(i) Takes reasonable measures to ensure that the information cannot be associated with a consumer or household.

(ii) Publicly commits to maintain and use the information only in deidentified form and not to attempt to reidentify the information, except that the business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this subparagraph, provided that the business does not use or disclose any information reidentified in this process and destroys the reidentified information upon completion of that assessment.

(iii) Contractually obligates any recipients of the information to take reasonable measures to ensure that the information cannot be associated with a consumer or household and to commit to maintaining and using the information only in deidentified form and not to reidentify the information.

(C) Genetic data does not include data or a biological sample to the extent that data or a biological sample is collected, used, maintained, and disclosed exclusively for scientific research conducted by an investigator with an institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, in compliance with all applicable federal and state laws and regulations for the protection of human subjects in research, including, but not limited to, the Common Rule pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, United States Food and Drug Administration regulations pursuant to Parts 50 and 56 of Title 21 of the Code of Federal Regulations, the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g), and the Protection of Human Subjects in Medical Experimentation Act, Chapter 1.3 (commencing with Section 24170) of Division 20 of the Health and Safety Code.

(8) "Genetic testing" means any laboratory test of a biological sample from a consumer for the purpose of determining information concerning genetic material contained within the biological sample, or any information extrapolated, derived, or inferred therefrom.

(9) "Person" means an individual, partnership, corporation, association, business, business trust, or legal representative of an organization.

(10) "Service provider" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that is involved in the collection, transportation, and analysis of the consumer's biological sample or extracted genetic material on behalf of the direct-to-consumer genetic testing company, or on behalf of any other company that collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer, or the delivery of the results of the analysis of the biological sample or genetic material. The contract between the company and the service provider shall prohibit the service provider from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, for any purpose other than for the specific purpose of performing the services specified in the contract for the business, including both of the following:

(A) A provision prohibiting the service provider from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, for a commercial purpose other than providing the services specified in the contract with the business.

(B) A provision prohibiting the service provider from associating or combining the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, with information the service provider has received from or on behalf of another person or persons, or has collected from its own interaction with consumers or as required by law.
126139
56.181. (a) To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, a direct-to-consumer genetic testing company shall do both of the following:

(1) Provide clear and complete information regarding the company's policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data by making available to a consumer all of the following:

(A) A summary of its privacy practices, written in plain language, that includes information about the company's collection, use, maintenance, and disclosure, as applicable, of genetic data.

(B) A prominent and easily accessible privacy notice that includes, at a minimum, complete information about the company's data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices, and information that clearly describes how to file a complaint alleging a violation of this chapter, pursuant to subdivision (c) of Section 56.182.

(C) A notice that the consumer's deidentified genetic or phenotypic information may be shared with or disclosed to third parties for research purposes in accordance with Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations.

(2) Obtain a consumer's express consent for collection, use, and disclosure of the consumer's genetic data, including, at a minimum, separate and express consent for each of the following:

(A) The use of the genetic data collected through the genetic testing product or service offered to the consumer, including who has access to genetic data, and how genetic data may be shared, and the specific purposes for which it will be collected, used, and disclosed.

(B) The storage of a consumer's biological sample after the initial testing requested by the consumer has been fulfilled.

(C) Each use of genetic data or the biological sample beyond the primary purpose of the genetic testing or service and inherent contextual uses.

(D) Each transfer or disclosure of the consumer's genetic data or biological sample to a third party other than to a service provider, including the name of the third party to which the consumer's genetic data or biological sample will be transferred or disclosed.

(E) (i) The marketing or facilitation of marketing to a consumer based on the consumer's genetic data or the marketing or facilitation of marketing by a third party based upon the consumer having ordered, purchased, received, or used a genetic testing product or service.

(ii) This subparagraph does not require a direct-to-consumer genetic testing company to obtain a consumer's express consent to market to the consumer on the company's own website or mobile application based upon the consumer having ordered, purchased, received, or used a genetic testing product or service from that company if the content of the advertisement does not depend upon any information specific to that consumer, except for the product or service that the consumer ordered, purchased, received, or used, and the placement of the advertisement is not intended to result in disparate exposure to advertising content on the basis of any characteristic specified in Section 51. Nothing in this subparagraph alters, limits, or negates the requirements of any other antidiscrimination law or targeted advertising law.

(iii) Any advertisement of a third-party product or service presented to a consumer pursuant to either clause (i) or (ii) shall be prominently labeled as advertising content and be accompanied by the name of any third party that has contributed to the placement of the advertising. If applicable, the advertisement also shall clearly indicate that the advertised product or service, and any associated claims, have not been vetted or endorsed by the direct-to-consumer genetic testing company.

(F) For the purpose of this paragraph, "third party" does not include a public or private nonprofit postsecondary educational institution to the extent that the consumer's genetic data or biological sample is disclosed to a public or private nonprofit postsecondary educational institution for the purpose of scientific research or educational activities as described in paragraph (4) of subdivision (b) of Section 56.184.

(b) A company that is subject to the requirements described in paragraph (2) of subdivision (a) shall provide effective mechanisms, without any unnecessary steps, for a consumer to revoke their consent after it is given, at least one of which utilizes the primary medium through which the company communicates with consumers.

(c) If a consumer revokes the consent that they provided pursuant to paragraph (2) of subdivision (a), the company shall honor the consumer's consent revocation as soon as practicable, but not later than 30 days after the individual revokes consent, in accordance with both of the following:

(1) Revocation of consent under this section shall comply with Part 46 of Title 45 of the Code of Federal Regulations.

(2) The company shall destroy a consumer's biological sample within 30 days of receipt of revocation of consent to store the sample.

(d) The direct-to-consumer genetic testing company shall do both of the following:

(1) Implement and maintain reasonable security procedures and practices to protect a consumer's genetic data against unauthorized access, destruction, use, modification, or disclosure.

(2) Develop procedures and practices to enable a consumer to easily do any of the following:

(A) Access the consumer's genetic data.

(B) Delete the consumer's account and genetic data, except for genetic data that is required to be retained by the company to comply with applicable legal and regulatory requirements.

(C) Have the consumer's biological sample destroyed.

(e) A person or public entity shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under this chapter by doing any of the following, including, but not limited to:

(1) Denying goods, services, or benefits to the customer.

(2) Charging different prices or rates for goods or services, including through the use of discounts or other incentives or imposing penalties.

(3) Providing a different level or quality of goods, services, or benefits to the consumer.

(4) Suggesting that the consumer will receive a different price or rate for goods, services, or benefits, or a different level or quality of goods, services, or benefits.

(5) Considering the consumer's exercise of rights under this chapter as a basis for suspicion of criminal wrongdoing or unlawful conduct.

(f) (1) Notwithstanding any other provision in this section, and except as provided in paragraph (2), a direct-to-consumer genetic testing company shall not disclose a consumer's genetic data to any entity that is responsible for administering or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment or to any entity that provides advice to an entity that is responsible for performing those functions.

(2) A direct-to-consumer genetic testing company may disclose a consumer's genetic data or biological sample to an entity described in paragraph (1) if all of the following are true:

(A) The entity is not primarily engaged in administering health insurance, life insurance, long-term care insurance, disability insurance, or employment.

(B) The consumer's genetic data or biological sample is not disclosed to the entity in that entity's capacity as a party that is responsible for administering, advising, or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment.

(C) Any agent or division of the entity that is involved in administering, advising, or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment is prohibited from accessing the consumer's genetic data or biological sample.
128141
129142
130143
131144 56.181. (a) To safeguard the privacy, confidentiality, security, and integrity of a consumers genetic data, a direct-to-consumer genetic testing company shall do both of the following:
132145
133146 (1) Provide clear and complete information regarding the companys policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data by making available to a consumer all of the following:
134147
135148 (A) A summary of its privacy practices, written in plain language, that includes information about the companys collection, use, maintenance, and disclosure, as applicable, of genetic data.
136149
137150 (B) A prominent and easily accessible privacy notice that includes, at a minimum, complete information about the companys data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices, and information that clearly describes how to file a complaint alleging a violation of this chapter, pursuant to subdivision (c) of Section 56.182.
138151
139152 (C) A notice that the consumers deidentified genetic or phenotypic information may be shared with or disclosed to third parties for research purposes in accordance with Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations.
140153
141154 (2) Obtain a consumers express consent for collection, use, and disclosure of the consumers genetic data, including, at a minimum, separate and express consent for each of the following:
142155
143156 (A) The use of the genetic data collected through the genetic testing product or service offered to the consumer, including who has access to genetic data, and how genetic data may be shared, and the specific purposes for which it will be collected, used, and disclosed.
144157
145158 (B) The storage of a consumers biological sample after the initial testing requested by the consumer has been fulfilled.
146159
147160 (C) Each use of genetic data or the biological sample beyond the primary purpose of the genetic testing or service and inherent contextual uses.
148161
149162 (D) Each transfer or disclosure of the consumers genetic data or biological sample to a third party other than to a service provider, including the name of the third party to which the consumers genetic data or biological sample will be transferred or disclosed.
150163
151164 (E) (i) The marketing or facilitation of marketing to a consumer based on the consumers genetic data or the marketing or facilitation of marketing by a third party based upon the consumer having ordered, purchased, received, or used a genetic testing product or service.
152165
(ii) This subparagraph does not require a direct-to-consumer genetic testing company to obtain a consumer's express consent to market to the consumer on the company's own website or mobile application based upon the consumer having ordered, purchased, received, or used a genetic testing product or service from that company if the content of the advertisement does not depend upon any information specific to that consumer, except for the product or service that the consumer ordered, purchased, received, or used, and the placement of the advertisement is not intended to result in disparate exposure to advertising content on the basis of any characteristic specified in Section 51. Nothing in this subparagraph alters, limits, or negates the requirements of any other antidiscrimination law or targeted advertising law.

(iii) Any advertisement of a third-party product or service presented to a consumer pursuant to either clause (i) or (ii) shall be prominently labeled as advertising content and be accompanied by the name of any third party that has contributed to the placement of the advertising. If applicable, the advertisement also shall clearly indicate that the advertised product or service, and any associated claims, have not been vetted or endorsed by the direct-to-consumer genetic testing company.

(F) For the purpose of this paragraph, third party does not include a public or private nonprofit postsecondary educational institution to the extent that the consumer's genetic data or biological sample is disclosed to a public or private nonprofit postsecondary educational institution for the purpose of scientific research or educational activities as described in paragraph (4) of subdivision (b) of Section 56.184.

(b) A company that is subject to the requirements described in paragraph (2) of subdivision (a) shall provide effective mechanisms, without any unnecessary steps, for a consumer to revoke their consent after it is given, at least one of which utilizes the primary medium through which the company communicates with consumers.

(c) If a consumer revokes the consent that they provided pursuant to paragraph (2) of subdivision (a), the company shall honor the consumer's consent revocation as soon as practicable, but not later than 30 days after the individual revokes consent, in accordance with both of the following:

(1) Revocation of consent under this section shall comply with Part 46 of Title 45 of the Code of Federal Regulations.

(2) The company shall destroy a consumer's biological sample within 30 days of receipt of revocation of consent to store the sample.
166179
(d) The direct-to-consumer genetic testing company shall do both of the following:

(1) Implement and maintain reasonable security procedures and practices to protect a consumer's genetic data against unauthorized access, destruction, use, modification, or disclosure.

(2) Develop procedures and practices to enable a consumer to easily do any of the following:

(A) Access the consumer's genetic data.

(B) Delete the consumer's account and genetic data, except for genetic data that is required to be retained by the company to comply with applicable legal and regulatory requirements.

(C) Have the consumer's biological sample destroyed.
178191
(e) A person or public entity shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under this chapter by doing any of the following, including, but not limited to:

(1) Denying goods, services, or benefits to the customer.

(2) Charging different prices or rates for goods or services, including through the use of discounts or other incentives or imposing penalties.

(3) Providing a different level or quality of goods, services, or benefits to the consumer.

(4) Suggesting that the consumer will receive a different price or rate for goods, services, or benefits, or a different level or quality of goods, services, or benefits.

(5) Considering the consumer's exercise of rights under this chapter as a basis for suspicion of criminal wrongdoing or unlawful conduct.
190203
(f) (1) Notwithstanding any other provision in this section, and except as provided in paragraph (2), a direct-to-consumer genetic testing company shall not disclose a consumer's genetic data to any entity that is responsible for administering or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment or to any entity that provides advice to an entity that is responsible for performing those functions.

(2) A direct-to-consumer genetic testing company may disclose a consumer's genetic data or biological sample to an entity described in paragraph (1) if all of the following are true:

(A) The entity is not primarily engaged in administering health insurance, life insurance, long-term care insurance, disability insurance, or employment.

(B) The consumer's genetic data or biological sample is not disclosed to the entity in that entity's capacity as a party that is responsible for administering, advising, or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment.

(C) Any agent or division of the entity that is involved in administering, advising, or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment is prohibited from accessing the consumer's genetic data or biological sample.
200213
56.182. (a) Any person who negligently violates this chapter shall be assessed a civil penalty in an amount not to exceed one thousand dollars ($1,000) plus court costs, as determined by the court.

(b) Any person who willfully violates this chapter shall be assessed a civil penalty in an amount not less than one thousand dollars ($1,000) and not more than ten thousand dollars ($10,000) plus court costs, as determined by the court.

(c) Actions for relief pursuant to this chapter shall be prosecuted exclusively in a court of competent jurisdiction by the Attorney General or a district attorney or by a county counsel authorized by agreement with the district attorney in actions involving violation of a county ordinance, or by a city attorney of a city having a population in excess of 750,000, or by a city attorney in a city and county or, with the consent of the district attorney, by a city prosecutor in a city having a full-time city prosecutor in the name of the people of the State of California upon their own complaint or upon the complaint of a board, officer, person, corporation, or association, or upon a complaint by a person who has suffered injury in fact and has lost money or property as a result of the violation of this chapter.

(d) Court costs recovered pursuant to this section shall be paid to the party or parties that prosecuted the violation. Penalties recovered pursuant to this section shall be paid to the individual to whom the genetic data at issue pertains.

(e) Any provision of a contract or agreement between a consumer and a person governed by this chapter that has, or would have, the effect of delaying or limiting access to a legal remedy for a violation of this chapter shall not apply to the exercise of rights or enforcement pursuant to this chapter.

(f) Each violation of this chapter is a separate and actionable violation.
216229
56.184. (a) The provisions of this chapter shall not reduce a direct-to-consumer genetic testing company's duties, obligations, requirements, or standards under any applicable state and federal laws for the protection of privacy and security.

(b) In the event of a conflict between the provisions of this chapter and any other law, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.

(c) This chapter shall not apply to any of the following:

(1) Medical information governed by the Confidentiality of Medical Information Act, Part 2.6 (commencing with Section 56), or to protected health information that is collected, maintained, used, or disclosed by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).

(2) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56)) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the provider or covered entity maintains, uses, and discloses genetic information in the same manner as medical information or protected health information, as described in paragraph (1).

(3) A business associate of a covered entity governed by the privacy, security, and data breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009 (Public Law 111-5), to the extent that the business associate maintains, uses, and discloses genetic information in the same manner as medical information or protected health information, as described in paragraph (1).

(4) Scientific research or educational activities conducted by a public or private nonprofit postsecondary educational institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 of Title 45 of the Code of Federal Regulations, to the extent that the scientific research and educational activities conducted by that institution comply with all applicable federal and state laws and regulations for the protection of human subjects in research, including, but not limited to, the Common Rule pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, United States Food and Drug Administration regulations pursuant to Parts 50 and 56 of Title 21 of the Code of Federal Regulations, the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g), and the Protection of Human Subjects in Medical Experimentation Act, Chapter 1.3 (commencing with Section 24170) of Division 20 of the Health and Safety Code.

(5) The California Newborn Screening Program authorized by Chapter 1 (commencing with Section 124975) of Part 5 of Division 106 of the Health and Safety Code.

(6) Tests conducted exclusively to diagnose whether an individual has a specific disease, to the extent that all persons involved in the conduct of the test maintain, use, and disclose genetic information in the same manner as medical information or protected health information, as described in paragraph (1).

(7) Genetic data used or maintained by an employer, or disclosed by an employee to an employer, to the extent that the use, maintenance, or disclosure of that data is necessary to comply with a local, state, or federal workplace health and safety ordinance, law, or regulation.

(d) Nothing in this chapter shall be construed to affect access to information made available to the public by the consumer.
242255
56.186. The provisions of this chapter are severable. If any provision of this chapter or its application is held invalid, that invalidity shall not affect other provisions or applications that can be given effect without the invalid provision or application.

SEC. 3. If the Commission on State Mandates determines that this act contains costs mandated by the state, reimbursement to local agencies and school districts for those costs shall be made pursuant to Part 7 (commencing with Section 17500) of Division 4 of Title 2 of the Government Code.