Texas 2023 88th Regular

Texas House Bill HB2545 Introduced / Bill

Filed 02/21/2023

                    88R13807 JES-F
 By: Capriglione H.B. No. 2545


 A BILL TO BE ENTITLED
 AN ACT
 relating to the use of an individual's genetic data by certain
 genetic testing companies for commercial purposes; authorizing a
 civil penalty.
 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
 SECTION 1.  Subtitle A, Title 11, Business & Commerce Code,
 is amended by adding Chapter 503A to read as follows:
 CHAPTER 503A. DIRECT-TO-INDIVIDUAL GENETIC TESTING COMPANIES
 Sec. 503A.001.  DEFINITIONS. In this chapter:
 (1)  "Biological sample" means a material part of the
 human body, or a discharge or derivative part of the body, including
 tissue, blood, urine, or saliva that is known to contain DNA.
 (2)  "Deidentified data" means data not reasonably
 linked to and that cannot reasonably be used to infer information
 about an identifiable individual.
 (3)  "Direct-to-individual genetic testing company"
 means an entity that:
 (A)  offers genetic testing products or services
 directly to individuals; or
 (B)  collects, uses, or analyzes genetic data that
 results from a direct-to-individual genetic testing product or
 service and that an individual provides to the entity.
 (4)  "DNA" means deoxyribonucleic acid.
 (5)  "Express consent" means an individual's
 affirmative response to a clear and meaningful notice regarding the
 collection, use, or disclosure of genetic data for a specific
 purpose.
 (6)  "Genetic data" means any data, regardless of
 format, concerning an individual's genetic characteristics. The
 term:
 (A)  includes:
 (i)  raw sequence data derived from
 sequencing all or a portion of an individual's extracted DNA;
 (ii)  genotypic and phenotypic information
 obtained from analyzing an individual's raw sequence data; and
 (iii)  health information regarding the
 health conditions that an individual self-reports to a company and
 that the company:
 (a)  uses for scientific research or
 product development; and
 (b)  analyzes in connection with the
 individual's raw sequence data; and
 (B)  does not include deidentified data.
 (7)  "Genetic testing" means a laboratory test of an
 individual's complete DNA, regions of DNA, chromosomes, genes, or
 gene products to determine the presence of the individual's genetic
 characteristics.
 (8)  "Person" means an individual, partnership,
 corporation, association, business, or business trust or the legal
 representative of an organization.
 Sec. 503A.002.  APPLICABILITY. (a) This chapter applies to
 a direct-to-individual genetic testing company that:
 (1)  offers its products or services to individuals who
 are residents of this state; or
 (2)  collects, uses, or analyzes genetic data that
 results from the company's products or services and was provided to
 the company by an individual who is a resident of this state.
 (b)  This chapter does not apply to:
 (1)  an entity only when they are engaged in
 collecting, using, or analyzing genetic data or biological samples
 in the context of research, as defined by 45 C.F.R. Section 164.501,
 that is conducted in accordance with:
 (A)  the federal policy for the protection of
 human subjects (45 C.F.R. Part 46);
 (B)  the good clinical practice guidelines issued
 by the International Council for Harmonisation of Technical
 Requirements for Pharmaceuticals for Human Use (ICH); or
 (C)  the United States Food and Drug
 Administration policy for the protection of human subjects (21
 C.F.R. Parts 50 and 56); or
 (2)  genetic data that is protected health information
 collected by a covered entity or business associate, as defined by
 45 C.F.R. Part 160, subject to the privacy, security, and breach
 notification rules under the Health Insurance Portability and
 Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.).
 Sec. 503A.003.  REQUIREMENTS FOR CERTAIN USES OF
 DEIDENTIFIED DATA. (a) Except as otherwise provided by this
 chapter or other law, a direct-to-individual genetic testing
 company that possesses an individual's deidentified data shall:
 (1)  implement administrative and technical measures
 to ensure the data is not associated with a particular individual;
 and
 (2)  publicly commit to maintaining and using data in
 deidentified form and refraining from making any attempt to
 identify an individual using the individual's deidentified data.
 (b)  If a direct-to-individual genetic testing company
 shares an individual's deidentified data with another person, the
 company shall enter into a legally enforceable contractual
 obligation prohibiting the person from attempting to identify an
 individual using the individual's deidentified data.
 Sec. 503A.004.  REQUIREMENTS FOR CERTAIN USES OR DISCLOSURE
 OF GENETIC DATA AND BIOLOGICAL SAMPLE. (a) A direct-to-individual
 genetic testing company shall:
 (1)  develop, implement, and maintain a comprehensive
 security program to protect an individual's genetic data against
 unauthorized access, use, or disclosure; and
 (2)  make publicly available:
 (A)  a high-level privacy policy overview that
 includes basic, essential information about the company's
 collection, use, or disclosure of genetic data; and
 (B)  a prominent privacy notice that includes
 information about the company's data collection, consent, use,
 access, disclosure, transfer, security, retention, and deletion
 practices.
 (b)  Before collecting, using, or disclosing an individual's
 genetic data, a direct-to-individual genetic testing company shall
 provide to the individual information about the company's
 collection, use, and disclosure of genetic data the company
 collects through a genetic testing product or service, including
 information that:
 (1)  clearly describes the company's use of the genetic
 data;
 (2)  specifies the persons who have access to test
 results; and
 (3)  specifies the manner in which the company may
 share the genetic data.
 (c)  A direct-to-individual genetic testing company shall
 provide a process for an individual to:
 (1)  access the individual's genetic data;
 (2)  delete the individual's account and genetic data;
 and
 (3)  destroy or require the destruction of the
 individual's biological sample.
 Sec. 503A.005.  REQUIRED CONSENT. (a)  A
 direct-to-individual genetic testing company engaging in any of the
 following activities must obtain:
 (1)  an individual's separate express consent for:
 (A)  the transfer or disclosure of the
 individual's genetic data to any person other than the company's
 vendors and service providers;
 (B)  the use of genetic data for a purpose other
 than the primary purpose of the company's genetic testing product
 or service; or
 (C)  the retention of any biological sample
 provided by the individual following the company's completion of
 the initial testing service requested by the individual;
 (2)  an individual's informed consent in accordance
 with guidelines for the protection of human subjects issued under
 45 C.F.R. Part 46, for transfer or disclosure of the individual's
 genetic data to a third party for:
 (A)  research purposes; or
 (B)  research conducted under the control of the
 company for the purpose of publication or generalizable knowledge;
 and
 (3)  an individual's express consent for:
 (A)  marketing by the company to the individual
 based on the individual's genetic data; or
 (B)  marketing by a third party to the individual
 based on the individual's ordering or purchasing of a genetic
 testing product or service.
 (b)  For purposes of Subsection (a), "marketing" does not
 include providing customized content or offers to an individual
 with whom a direct-to-individual genetic testing company has a
 first-party relationship on the company's Internet website or
 through an application or service provided by the company to the
 individual.
 Sec. 503A.006.  PROHIBITED DISCLOSURES. (a) A
 direct-to-individual genetic testing company may not disclose an
 individual's genetic data to a law enforcement entity or other
 governmental body unless:
 (1)  the company first obtains the individual's express
 written consent; or
 (2)  the entity or body obtains a warrant or complies
 with another valid legal process required by the company.
 (b)  A direct-to-individual genetic testing company may not
 disclose, without first obtaining an individual's written consent,
 the individual's genetic data to:
 (1)  an entity that offers health insurance, life
 insurance, or long-term care insurance; or
 (2)  an employer of the individual.
 Sec. 503A.007.  CIVIL PENALTY. (a)  A direct-to-individual
 genetic testing company that violates this chapter is liable to
 this state for a civil penalty in an amount not to exceed $2,500 for
 each violation.
 (b)  The attorney general or a district attorney may bring an
 action to recover a civil penalty imposed under Subsection (a) and
 to restrain and enjoin a violation of this chapter.  The attorney
 general or a district attorney may recover reasonable attorney's
 fees and court costs incurred in bringing the action.
 SECTION 2.  The changes in law made by this Act apply only to
 genetic information obtained by a direct-to-individual genetic
 testing company on or after the effective date of this Act.
 SECTION 3.  This Act takes effect September 1, 2023.