TX
Texas Senate Bill SB1544

Texas 2023 - 88th Regular

Texas Senate Bill SB1544 Compare Versions

OldNewDifferences
11 88R13807 JES-F
22 By: Johnson S.B. No. 1544
33
44
55 A BILL TO BE ENTITLED
66 AN ACT
77 relating to the use of an individual's genetic data by certain
88 genetic testing companies for commercial purposes; authorizing a
99 civil penalty.
1010 BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
1111 SECTION 1. Subtitle A, Title 11, Business & Commerce Code,
1212 is amended by adding Chapter 503A to read as follows:
1313 CHAPTER 503A. DIRECT-TO-INDIVIDUAL GENETIC TESTING COMPANIES
1414 Sec. 503A.001. DEFINITIONS. In this chapter:
1515 (1) "Biological sample" means a material part of the
1616 human body, or a discharge or derivative part of the body, including
1717 tissue, blood, urine, or saliva that is known to contain DNA.
1818 (2) "Deidentified data" means data not reasonably
1919 linked to and that cannot reasonably be used to infer information
2020 about an identifiable individual.
2121 (3) "Direct-to-individual genetic testing company"
2222 means an entity that:
2323 (A) offers genetic testing products or services
2424 directly to individuals; or
2525 (B) collects, uses, or analyzes genetic data that
2626 results from a direct-to-individual genetic testing product or
2727 service and that an individual provides to the entity.
2828 (4) "DNA" means deoxyribonucleic acid.
2929 (5) "Express consent" means an individual's
3030 affirmative response to a clear and meaningful notice regarding the
3131 collection, use, or disclosure of genetic data for a specific
3232 purpose.
3333 (6) "Genetic data" means any data, regardless of
3434 format, concerning an individual's genetic characteristics. The
3535 term:
3636 (A) includes:
3737 (i) raw sequence data derived from
3838 sequencing all or a portion of an individual's extracted DNA;
3939 (ii) genotypic and phenotypic information
4040 obtained from analyzing an individual's raw sequence data; and
4141 (iii) health information regarding the
4242 health conditions that an individual self-reports to a company and
4343 that the company:
4444 (a) uses for scientific research or
4545 product development; and
4646 (b) analyzes in connection with the
4747 individual's raw sequence data; and
4848 (B) does not include deidentified data.
4949 (7) "Genetic testing" means a laboratory test of an
5050 individual's complete DNA, regions of DNA, chromosomes, genes, or
5151 gene products to determine the presence of the individual's genetic
5252 characteristics.
5353 (8) "Person" means an individual, partnership,
5454 corporation, association, business, or business trust or the legal
5555 representative of an organization.
5656 Sec. 503A.002. APPLICABILITY. (a) This chapter applies to
5757 a direct-to-individual genetic testing company that:
5858 (1) offers its products or services to individuals who
5959 are residents of this state; or
6060 (2) collects, uses, or analyzes genetic data that
6161 results from the company's products or services and was provided to
6262 the company by an individual who is a resident of this state.
6363 (b) This chapter does not apply to:
6464 (1) an entity only when they are engaged in
6565 collecting, using, or analyzing genetic data or biological samples
6666 in the context of research, as defined by 45 C.F.R. Section 164.501,
6767 that is conducted in accordance with:
6868 (A) the federal policy for the protection of
6969 human subjects (45 C.F.R. Part 46);
7070 (B) the good clinical practice guidelines issued
7171 by the International Council for Harmonisation of Technical
7272 Requirements for Pharmaceuticals for Human Use (ICH); or
7373 (C) the United States Food and Drug
7474 Administration policy for the protection of human subjects (21
7575 C.F.R. Parts 50 and 56); or
7676 (2) genetic data that is protected health information
7777 collected by a covered entity or business associate, as defined by
7878 45 C.F.R. Part 160, subject to the privacy, security, and breach
7979 notification rules under the Health Insurance Portability and
8080 Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.).
8181 Sec. 503A.003. REQUIREMENTS FOR CERTAIN USES OF
8282 DEIDENTIFIED DATA. (a) Except as otherwise provided by this
8383 chapter or other law, a direct-to-individual genetic testing
8484 company that possesses an individual's deidentified data shall:
8585 (1) implement administrative and technical measures
8686 to ensure the data is not associated with a particular individual;
8787 and
8888 (2) publicly commit to maintaining and using data in
8989 deidentified form and refraining from making any attempt to
9090 identify an individual using the individual's deidentified data.
9191 (b) If a direct-to-individual genetic testing company
9292 shares an individual's deidentified data with another person, the
9393 company shall enter into a legally enforceable contractual
9494 obligation prohibiting the person from attempting to identify an
9595 individual using the individual's deidentified data.
9696 Sec. 503A.004. REQUIREMENTS FOR CERTAIN USES OR DISCLOSURE
9797 OF GENETIC DATA AND BIOLOGICAL SAMPLE. (a) A direct-to-individual
9898 genetic testing company shall:
9999 (1) develop, implement, and maintain a comprehensive
100100 security program to protect an individual's genetic data against
101101 unauthorized access, use, or disclosure; and
102102 (2) make publicly available:
103103 (A) a high-level privacy policy overview that
104104 includes basic, essential information about the company's
105105 collection, use, or disclosure of genetic data; and
106106 (B) a prominent privacy notice that includes
107107 information about the company's data collection, consent, use,
108108 access, disclosure, transfer, security, retention, and deletion
109109 practices.
110110 (b) Before collecting, using, or disclosing an individual's
111111 genetic data, a direct-to-individual genetic testing company shall
112112 provide to the individual information about the company's
113113 collection, use, and disclosure of genetic data the company
114114 collects through a genetic testing product or service, including
115115 information that:
116116 (1) clearly describes the company's use of the genetic
117117 data;
118118 (2) specifies the persons who have access to test
119119 results; and
120120 (3) specifies the manner in which the company may
121121 share the genetic data.
122122 (c) A direct-to-individual genetic testing company shall
123123 provide a process for an individual to:
124124 (1) access the individual's genetic data;
125125 (2) delete the individual's account and genetic data;
126126 and
127127 (3) destroy or require the destruction of the
128128 individual's biological sample.
129129 Sec. 503A.005. REQUIRED CONSENT. (a) A
130130 direct-to-individual genetic testing company engaging in any of the
131131 following activities must obtain:
132132 (1) an individual's separate express consent for:
133133 (A) the transfer or disclosure of the
134134 individual's genetic data to any person other than the company's
135135 vendors and service providers;
136136 (B) the use of genetic data for a purpose other
137137 than the primary purpose of the company's genetic testing product
138138 or service; or
139139 (C) the retention of any biological sample
140140 provided by the individual following the company's completion of
141141 the initial testing service requested by the individual;
142142 (2) an individual's informed consent in accordance
143143 with guidelines for the protection of human subjects issued under
144144 45 C.F.R. Part 46, for transfer or disclosure of the individual's
145145 genetic data to a third party for:
146146 (A) research purposes; or
147147 (B) research conducted under the control of the
148148 company for the purpose of publication or generalizable knowledge;
149149 and
150150 (3) an individual's express consent for:
151151 (A) marketing by the company to the individual
152152 based on the individual's genetic data; or
153153 (B) marketing by a third party to the individual
154154 based on the individual's ordering or purchasing of a genetic
155155 testing product or service.
156156 (b) For purposes of Subsection (a), "marketing" does not
157157 include providing customized content or offers to an individual
158158 with whom a direct-to-individual genetic testing company has a
159159 first-party relationship on the company's Internet website or
160160 through an application or service provided by the company to the
161161 individual.
162162 Sec. 503A.006. PROHIBITED DISCLOSURES. (a) A
163163 direct-to-individual genetic testing company may not disclose an
164164 individual's genetic data to a law enforcement entity or other
165165 governmental body unless:
166166 (1) the company first obtains the individual's express
167167 written consent; or
168168 (2) the entity or body obtains a warrant or complies
169169 with another valid legal process required by the company.
170170 (b) A direct-to-individual genetic testing company may not
171171 disclose, without first obtaining an individual's written consent,
172172 the individual's genetic data to:
173173 (1) an entity that offers health insurance, life
174174 insurance, or long-term care insurance; or
175175 (2) an employer of the individual.
176176 Sec. 503A.007. CIVIL PENALTY. (a) A direct-to-individual
177177 genetic testing company that violates this chapter is liable to
178178 this state for a civil penalty in an amount not to exceed $2,500 for
179179 each violation.
180180 (b) The attorney general or a district attorney may bring an
181181 action to recover a civil penalty imposed under Subsection (a) and
182182 to restrain and enjoin a violation of this chapter. The attorney
183183 general or a district attorney may recover reasonable attorney's
184184 fees and court costs incurred in bringing the action.
185185 SECTION 2. The changes in law made by this Act apply only to
186186 genetic information obtained by a direct-to-individual genetic
187187 testing company on or after the effective date of this Act.
188188 SECTION 3. This Act takes effect September 1, 2023.