Data Security Rules Tightening for Consumer Genetic Testing Companies

Gov. Signs S.B. 41, the Genetic Information Privacy Act

California genetic testing companies collecting biometric, genetic, health, or medical information directly from consumers must soon implement new data storage and security procedures to protect individuals from unauthorized access, use, modification, destruction, or disclosure of personal information. With the enactment of informed consent rules related to “genetic data,” consumers will be able to request destruction of biological samples and termination of related accounts without discrimination or other retaliatory violation of their individual rights.

Signed into law by Gov. Gavin Newsom on Sept. 9, 2021, the Genetic Information Privacy Act (GIPA) amends Part 2.6 of Division 1 of the state’s Civil Code. Effective Jan. 1, 2022, the law advances the Consumer Information Privacy Act (CMIA) enforcing state regulation of direct-to-consumer biometric and genetic testing companies not regulated by the federal Health Insurance Portability and Accountability Act (HIPAA). GIPA is consistent with the rules of disclosure implemented by the federal Confidentiality of Medical Information Act (CIMA) under HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH). (Read the full text of S.B. 41.)

California’s GIPA defines “genetic data” as samples collected from biological or equivalent sources such as alleles (any one of two or more genes arising from mutation that may occur alternatively at a given site on a chromosome), chromosomes, DNA, genes, genomes, RNA (ribonucleic acid), SNPs (single nucleotide polymorphisms), and alterations or modifications of molecular composites. The definition of genetic data within the state’s privacy legislation does not include data derived from de-identified genetic samples or genetic data collected solely for purposes of scientific research.

Like HIPAA’s informed consent rules guiding healthcare providers, GIPA rules guiding direct-to-consumer genetic testing companies require informed consent from the persons from whom genetic data is derived. Consumers will have the right to revoke consent, request destruction of accounts, and opt-out of the sale of data to third parties. Companies must maintain records of written authorization to ensure the privacy, confidentiality, integrity, and security of biometric and genetic data. Express consent must be obtained from the person from whom the biological sample was collected for external use by a company or authorized third party.

GIPA allows for penalties of $1,000 but not more than $10,000, plus court costs depending on the violation. While the law does not provide a private right of action, penalties recovered are intended for the injured parties.

California’s GIPA was enacted to address instances like the January 2020 theft of the personal identifiable information and personal health information of more than 230,000 customers of Ambry Genetics Corp. and Konica Minolta Precision Medicine, Inc. In a proposed class action, plaintiffs allege that the companies lacked sufficient data protections, and that they failed to report the breach to the proper government agencies before March 2020, and to the consumers themselves before April 2020 (Consolidated Ambry Genetics Cases, Case No. 8:20-cv-00791 [C.D. Calif.]). The original complaint was dismissed in the case in April 2021 when U.S. Judge Cormac J. Carney determined plaintiffs had not shown a connection between the stolen information and the harms alleged. The court allowed the plaintiffs to file a second amended complaint, which they did later the same month. The defendants have moved to dismiss that complaint as well. A hearing was scheduled to take place on Oct. 18, 2021, before Judge Carney.


If you have questions about this or other data privacy laws, contact Jennifer Oliver at MoginRubin.

Sign up to view this Whitepaper