California continues to be at the forefront of data privacy in the United States. Two new laws (AB 825 and SB 41) were signed in October, expanding California residents’ rights to their genetic information and imposing additional obligations on companies that collect such information. We guess you could say data privacy is in California’s DNA. (See what we did there?)

These new laws go into effect on January 1, 2022. Here is a rundown of what you should know.

Overview of the New California Laws

  • AB 825: On October 5, 2021, California passed AB 825. This law expands the definition of “personal information” to include “genetic data,” regardless of the data’s format, under three existing California laws (collectively, the “Existing CA Laws”). These laws are:
    • The Information Practices Act of 1977;
    • California’s Data Security Law (Cal. Civil Code 1798.81.5); and
    • California’s Data Breach Notification Law (Cal. Civil Code 1798.82).
  • SB 41: On October 6, 2021, Governor Newsom signed the Genetic Information Privacy Act (GIPA). This law requires companies engaged in direct-to-consumer genetic testing to provide California residents (“consumers” as defined under GIPA) with information about the collection, use, maintenance, and disclosure of their genetic data.
    • Under GIPA, genetic testing means “any laboratory test of a biological sample from a consumer for the purpose of determining information concerning genetic material contained within the biological sample, or any information extrapolated, derived, or inferred therefrom.”

What is Genetic Data?

Under both laws, “Genetic data” means any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to:

    • Deoxyribonucleic acids (DNA),
    • Ribonucleic acids (RNA),
    • Genes,
    • Chromosomes,
    • Alleles,
    • Genomes,
    • Alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from analysis of the biological sample or other source, and any information extrapolated, derived, or inferred therefrom.

Exemptions

  • AB 825: The same personal information exemptions under the Existing CA Laws apply. Such exemptions include, but are not limited to, the following:
    • Publicly available information (i.e., information available under California’s Public Records Act); and
    • Encrypted information.
  • SB 41: Notably, the following individuals, entities and information are exempt from GIPA:
    • Health care providers governed by the California Confidentiality of Medical Information Act (CMIA);
    • Covered entities or business associates governed by HIPAA;
    • Medical information governed by CMIA or protected health information (PHI) governed by HIPAA;
    • Scientific research or educational activities conducted by certain educational institutions;
    • The California Newborn Screening Program;
    • Tests conducted exclusively to diagnose whether an individual has a specific disease (subject to certain conditions);
    • Genetic data used or maintained by an employer, or disclosed by an employee to an employer, to the extent necessary to comply with applicable law (this likely includes COVID-19 related information required for disclosure under applicable federal, state and local laws);
    • Data made available to the public by the consumer; and
    • Deidentified data (that meets the requirements for deidentification under GIPA).

Who Must Comply?

  • AB 825: As stated above, AB 825 expands the definition of personal information under three existing California privacy laws. These three laws currently apply as follows:
    • The Information Practices Act of 1977 applies to any state agency that owns or licenses computerized data that includes personal information.
    • California’s Data Security Law (Cal. Civil Code 1798.81.5) applies to businesses (private entities) that own, license or maintain personal information about a California resident.
    • California’s Data Breach Notification Law (Cal. Civil Code 1798.82) applies to a person or business that (i) conducts business in California, (ii) owns or licenses computerized data that include personal information, and (iii) experiences a data breach that compromises the personal information of more than 500 California residents as a result of a single breach of the company’s or individual’s security system.
  • SB 41: GIPA applies to direct-to-consumer genetic testing companies (“DTC Companies”). Under this law, DTC Companies include any entity that engages in any of the following:
    • Sells, markets, interprets, or otherwise offers consumer-initiated genetic testing products or services directly to consumers;
    • Analyzes genetic data obtained from a consumer, unless the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition; or
    • Collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer.

What Are Covered Entities’ Obligations Under These New Laws?

  • AB 825:
    • Obligations under the Information Practices Act of 1977. Under the new amendment, state agencies will need to ensure that they report security system data breaches following the discovery or notification of any breach that exposes any California residents’ unencrypted genetic data.
    • Data Security. As required under the existing California Data Security Law, the amended law requires that genetic data be “reasonably protected.” This means that companies must ensure they have reasonable safeguards in place to mitigate the risk of unauthorized users accessing genetic data.
      • Please note that an unauthorized user is not limited to a malicious threat actor. The term may also include former employees, current company personnel, or contractors who are not permitted to access genetic information.
    • Breach Notification. Under AB 825, entities will also be responsible for complying with breach notification laws in the event of unauthorized disclosure of or access to genetic information.
  • SB 41: GIPA imposes various obligations on DTC Companies which include:
    • Consent. DTC Companies must obtain a consumer’s express consent to collect, use, or disclose an individual’s genetic data. Express consent is required for each of the following actions:
      • The use of genetic data collected through a genetic testing product or service offered by the DTC Company. The consent must describe:
        • Who has access to genetic data;
        • How genetic data may be shared; and
        • The specific purposes for which the genetic data will be collected, used, and disclosed.
      • The storage of a consumer’s biological sample after the consumer’s initial testing has been completed;
      • Each use of the consumer’s genetic data or biological sample beyond uses associated with the primary purpose of the genetic testing or service;
      • Each transfer or disclosure of the consumer’s genetic data or biological sample to a third party other than to a service provider (as defined in GIPA);
        • The consent must include the name of the third party to which the consumer’s genetic data or biological sample will be transferred or disclosed.
      • Marketing directed towards a consumer based on the consumer’s genetic data, or the company’s facilitation of marketing by a third party based on the consumer’s order, purchase, or use of a DTC Company’s genetic testing product or service.
        • However, express consent is NOT needed to market to consumers on a DTC Company’s own website or app.
    • Revocation of Consent/Deletion. Under GIPA, DTC Companies must honor a California resident’s revocation of consent and destroy the individual’s biological sample within 30 days after the consent has been revoked.
    • Notice. GIPA also requires DTC Companies to provide the following:
      • A summary of its privacy practices, written in plain language, that includes information about the company’s collection, use, maintenance, and disclosure of genetic data.
      • A Privacy Policy. A prominent and easily accessible privacy notice that includes, at a minimum, complete information about the company’s data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices, and information that clearly describes how to file a complaint alleging a violation of GIPA; and
      • Research Disclosure. A notice that the consumer’s deidentified genetic or phenotypic information may be shared with or disclosed to third parties for research purposes.
    • Execute Data Processing Agreements/Service Provider Contracts. As with other forms of personal information, GIPA requires that entities enter into a separate agreement with third-party contractors (“service providers” as defined under GIPA) when these contractors are hired to process genetic data on the company’s behalf. Much like the California Consumer Privacy Act of 2018 (CCPA) requirements, GIPA requires DTC Companies and service providers to enter into a contract that clearly prohibits the service provider from:
      • Retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the California resident, including whether that individual has solicited or received genetic testing, as applicable, for a commercial purpose other than providing the services specified in the contract with the business; and
      • Associating or combining the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the California resident, including whether that individual has solicited or received genetic testing, as applicable, with information the service provider has received from or on behalf of another person or persons, or has collected from its own interaction with these individuals or as required by law.

Consumer Rights

  • AB 825: See consumer rights to personal information under the Existing CA Laws.
  • SB 41: GIPA provides California residents with the following rights:
    • Access. DTC Companies must provide California residents access to their own genetic data;
    • Deletion. California residents can delete their account and genetic data maintained by a DTC Company, except for genetic data that must be retained under legal or regulatory requirements;
    • Destruction of Biological Samples. California residents may request that DTC Companies destroy the individual’s biological sample; and
    • Non-Discrimination. California residents cannot be treated differently by DTC Companies (e.g., denied goods or services, charged differently for goods or services, or given a different level of quality of goods or services) for exercising their rights under GIPA.

What are the Penalties Under these Laws?

  • AB 825: The civil penalties remain the same under the Existing CA Laws.
  • SB 41: The California Attorney General may prosecute violations of GIPA, which may result in civil penalties ranging from $1,000 to $10,000 plus court costs.

Business Considerations

As we have stated before, as goes California, so goes the rest of the country. We predict that these new California laws will spark a trend among other states to include “genetic data” in the definition of personal information or to enact laws specific to genetic information similar to GIPA.

With personal information now extending to genetic data, companies must be mindful of the information they collect from individuals and how that information will be shared, used and disclosed. We encourage businesses to consider the following questions:

  • Does the company collect personal information from California residents?
  • Does this information include “genetic data” as defined above?
  • Is the company currently meeting California’s security and breach notification requirements under the Existing CA Laws?
  • Is the company a “DTC Company” as defined above?

Taft is here to help you navigate your compliance questions concerning these new California laws. For more information on these laws, or other privacy matters, please contact Taft’s Privacy and Data Security team.