1     
GENETIC INFORMATION PRIVACY ACT

2     
2021 GENERAL SESSION

3     
STATE OF UTAH

4     
Chief Sponsor: Curtis S. Bramble

5     
House Sponsor: Mike Schultz

6     

7     LONG TITLE
8     General Description:
9          This bill enacts the Genetic Information Privacy Act.
10     Highlighted Provisions:
11          This bill:
12          ▸     defines terms;
13          ▸     requires a direct-to-consumer genetic testing company to:
14               •     provide a consumer clear information regarding the company's collection, use,
15     and disclosure of genetic data;
16               •     provide a consumer a publicly available privacy notice;
17               •     obtain a consumer's consent for certain collection, use, or disclosure of the
18     consumer's genetic data;
19               •     protect a consumer's genetic data;
20               •     allow a consumer to access and delete the consumer's genetic data; and
21               •     upon request, destroy a consumer's biological sample;
22          ▸     prohibits a direct-to-consumer genetic testing company from disclosing a
23     consumer's genetic data to certain persons; and
24          ▸     empowers the Office of the Attorney General to take enforcement action against
25     violators.
26     Money Appropriated in this Bill:
27          None
28     Other Special Clauses:
29          None

30     Utah Code Sections Affected:
31     ENACTS:
32          13-58-101, Utah Code Annotated 1953
33          13-58-102, Utah Code Annotated 1953
34          13-58-103, Utah Code Annotated 1953
35          13-58-201, Utah Code Annotated 1953
36          13-58-202, Utah Code Annotated 1953
37          13-58-301, Utah Code Annotated 1953
38     

39     Be it enacted by the Legislature of the state of Utah:
40          Section 1. Section 13-58-101 is enacted to read:
41     
CHAPTER 58. GENETIC INFORMATION PRIVACY ACT

42     
Part 1. General Provisions

43          13-58-101. Title.
44          This chapter is known as the "Genetic Information Privacy Act."
45          Section 2. Section 13-58-102 is enacted to read:
46          13-58-102. Definitions.
47          As used in this chapter:
48          (1) "Biological sample" means any human material known to contain DNA, including
49     tissue, blood, urine, or saliva.
50          (2) "Consumer" means an individual who is a resident of the state.
51          (3) "Deidentified data" means data that:
52          (a) cannot reasonably be linked to an identifiable individual; and
53          (b) possessed by a company that:
54          (i) takes administrative and technical measures to ensure that the data cannot be
55     associated with a particular consumer;
56          (ii) makes a public commitment to maintain and use data in deidentified form and not
57     attempt to reidentify data; and

58          (iii) enters into legally enforceable contractual obligation that prohibits a recipient of
59     the data from attempting to reidentify the data.
60          (4) "Direct-to-consumer genetic testing company" or "company" means an entity that:
61          (a) offers consumer genetic testing products or services directly to consumers; or
62          (b) collects, uses, or analyzes genetic data that a consumer provides to the entity.
63          (5) "DNA" means deoxyribonucleic acid.
64          (6) "Express consent" means a consumer's affirmative response to a clear, meaningful,
65     and prominent notice regarding the collection, use, or disclosure of genetic data for a specific
66     purpose.
67          (7) (a) "Genetic data" means any data, regardless of format, concerning a consumer's
68     genetic characteristics.
69          (b) "Genetic data" includes:
70          (i) raw sequence data that result from sequencing all or a portion of a consumer's
71     extracted DNA;
72          (ii) genotypic and phenotypic information obtained from analyzing a consumer's raw
73     sequence data; and
74          (iii) self-reported health information regarding a consumer's health conditions that the
75     consumer provides to a company that the company:
76          (A) uses for scientific research or product development; and
77          (B) analyzes in connection with the consumer's raw sequence data.
78          (c) "Genetic data" does not include deidentified data.
79          (8) "Genetic testing" means:
80          (a) a laboratory test of a consumer's complete DNA, regions of DNA, chromosomes,
81     genes, or gene products to determine the presence of genetic characteristics of the consumer; or
82          (b) an interpretation of a consumer's genetic data.
83          Section 3. Section 13-58-103 is enacted to read:
84          13-58-103. Limitations.
85          This chapter does not apply to:

86          (1) protected health information that is collected by a covered entity or business
87     associate as those terms are defined in 45 C.F.R. Parts 160 and 164;
88          (2) a public or private institution of higher education; or
89          (3) an entity owned or operated by a public or private institution of higher education.
90          Section 4. Section 13-58-201 is enacted to read:
91     
Part 2. Consumer Genetic Data

92          13-58-201. Consumer genetic information -- Privacy notice -- Consent -- Access --
93     Deletion -- Destruction.
94          (1) A direct-to-consumer genetic testing company shall:
95          (a) provide to a consumer:
96          (i) essential information about the company's collection, use, and disclosure of genetic
97     data; and
98          (ii) a prominent, publicly available privacy notice that includes information about the
99     company's data collection, consent, use, access, disclosure, transfer, security, retention, and
100     deletion practices;
101          (b) obtain a consumer's initial express consent for collection, use, or disclosure of the
102     consumer's genetic data that:
103          (i) clearly describes the company's use of the genetic data that the company collects
104     through the company's genetic testing product or service;
105          (ii) specifies who has access to test results; and
106          (iii) specifies how the company may share the genetic data;
107          (c) if the company engages in any of the following, obtain a consumer's:
108          (i) separate express consent for:
109          (A) the transfer or disclosure of the consumer's genetic data to any person other than
110     the company's vendors and service providers;
111          (B) the use of genetic data beyond the primary purpose of the company's genetic testing
112     product or service; or
113          (C) the company's retention of any biological sample provided by the consumer

114     following the company's completion of the initial testing service requested by the consumer;
115          (ii) informed consent in accordance with the Federal Policy for the Protection of
116     Human Subjects, 45 C.F.R. Part 46, for transfer or disclosure of the consumer's genetic data to
117     a third party for:
118          (A) research purposes; or
119          (B) research conducted under the control of the company for the purpose of publication
120     or generalizable knowledge; and
121          (iii) express consent for:
122          (A) marketing to a consumer based on the consumer's genetic data; or
123          (B) marketing by a third party person to a consumer based on the consumer having
124     ordered or purchased a genetic testing product or service;
125          (d) require valid legal process for the company's disclosure of a consumer's genetic
126     data to law enforcement or any government entity without the consumer's express written
127     consent;
128          (e) develop, implement, and maintain a comprehensive security program to protect a
129     consumer's genetic data against unauthorized access, use, or disclosure; and
130          (f) provide a process for a consumer to:
131          (i) access the consumer's genetic data;
132          (ii) delete the consumer's account and genetic data; and
133          (iii) destroy the consumer's biological sample.
134          (2) Notwithstanding Subsection (1)(c)(iii), a direct-to-consumer genetic testing
135     company with a first-party relationship to a consumer may, without obtaining the consumer's
136     express consent, provide customized content or offers on the company's website or through the
137     company's application or service.
138          Section 5. Section 13-58-202 is enacted to read:
139          13-58-202. Prohibited disclosures.
140          A direct-to-consumer genetic testing company may not disclose a consumer's genetic
141     data without the consumer's written consent to:

142          (1) an entity that offers health insurance, life insurance, or long-term care insurance; or
143          (2) an employer of the consumer.
144          Section 6. Section 13-58-301 is enacted to read:
145     
Part 3. Enforcement

146          13-58-301. Enforcement powers of the attorney general.
147          (1) The attorney general may enforce this chapter.
148          (2) The attorney general may initiate a civil enforcement action against a person for
149     violating this chapter.
150          (3) In an action to enforce this chapter, the attorney general may recover:
151          (a) actual damages to the consumer;
152          (b) costs;
153          (c) attorney fees; and
154          (d) $2,500 for each violation of this chapter.