7 LONG TITLE
8 General Description:
9 This bill enacts the Genetic Information Privacy Act.
10 Highlighted Provisions:
11 This bill:
12 ▸ defines terms;
13 ▸ requires a direct-to-consumer genetic testing company to:
14 • provide a consumer clear information regarding the company's collection, use,
15 and disclosure of genetic data;
16 • provide a consumer a publicly available privacy notice;
17 • obtain a consumer's consent for certain collection, use, or disclosure of the
18 consumer's genetic data;
19 • protect a consumer's genetic data;
20 • allow a consumer to access and delete the consumer's genetic data; and
21 • upon request, destroy a consumer's biological sample;
22 ▸ prohibits a direct-to-consumer genetic testing company from disclosing a
23 consumer's genetic data to certain persons; and
24 ▸ empowers the Office of the Attorney General to take enforcement action against
25 violators.
26 Money Appropriated in this Bill:
27 None
28 Other Special Clauses:
29 None
30 Utah Code Sections Affected:
31 ENACTS:
32 13-58-101, Utah Code Annotated 1953
33 13-58-102, Utah Code Annotated 1953
34 13-58-103, Utah Code Annotated 1953
35 13-58-201, Utah Code Annotated 1953
36 13-58-202, Utah Code Annotated 1953
37 13-58-301, Utah Code Annotated 1953
38
39 Be it enacted by the Legislature of the state of Utah:
40 Section 1. Section 13-58-101 is enacted to read:
41
42
43 13-58-101. Title.
44 This chapter is known as the "Genetic Information Privacy Act."
45 Section 2. Section 13-58-102 is enacted to read:
46 13-58-102. Definitions.
47 As used in this chapter:
48 (1) "Biological sample" means any human material known to contain DNA, including
49 tissue, blood, urine, or saliva.
50 (2) "Consumer" means an individual who is a resident of the state.
51 (3) "Deidentified data" means data that:
52 (a) cannot reasonably be linked to an identifiable individual; and
53 (b) possessed by a company that:
54 (i) takes administrative and technical measures to ensure that the data cannot be
55 associated with a particular consumer;
56 (ii) makes a public commitment to maintain and use data in deidentified form and not
57 attempt to reidentify data; and
58 (iii) enters into legally enforceable contractual obligation that prohibits a recipient of
59 the data from attempting to reidentify the data.
60 (4) "Direct-to-consumer genetic testing company" or "company" means an entity that:
61 (a) offers consumer genetic testing products or services directly to consumers; or
62 (b) collects, uses, or analyzes genetic data that a consumer provides to the entity.
63 (5) "DNA" means deoxyribonucleic acid.
64 (6) "Express consent" means a consumer's affirmative response to a clear, meaningful,
65 and prominent notice regarding the collection, use, or disclosure of genetic data for a specific
66 purpose.
67 (7) (a) "Genetic data" means any data, regardless of format, concerning a consumer's
68 genetic characteristics.
69 (b) "Genetic data" includes:
70 (i) raw sequence data that result from sequencing all or a portion of a consumer's
71 extracted DNA;
72 (ii) genotypic and phenotypic information obtained from analyzing a consumer's raw
73 sequence data; and
74 (iii) self-reported health information regarding a consumer's health conditions that the
75 consumer provides to a company that the company:
76 (A) uses for scientific research or product development; and
77 (B) analyzes in connection with the consumer's raw sequence data.
78 (c) "Genetic data" does not include deidentified data.
79 (8) "Genetic testing" means:
80 (a) a laboratory test of a consumer's complete DNA, regions of DNA, chromosomes,
81 genes, or gene products to determine the presence of genetic characteristics of the consumer; or
82 (b) an interpretation of a consumer's genetic data.
83 Section 3. Section 13-58-103 is enacted to read:
84 13-58-103. Limitations.
85 This chapter does not apply to:
86 (1) protected health information that is collected by a covered entity or business
87 associate as those terms are defined in 45 C.F.R. Parts 160 and 164;
88 (2) a public or private institution of higher education; or
89 (3) an entity owned or operated by a public or private institution of higher education.
90 Section 4. Section 13-58-201 is enacted to read:
91
92 13-58-201. Consumer genetic information -- Privacy notice -- Consent -- Access --
93 Deletion -- Destruction.
94 (1) A direct-to-consumer genetic testing company shall:
95 (a) provide to a consumer:
96 (i) essential information about the company's collection, use, and disclosure of genetic
97 data; and
98 (ii) a prominent, publicly available privacy notice that includes information about the
99 company's data collection, consent, use, access, disclosure, transfer, security, retention, and
100 deletion practices;
101 (b) obtain a consumer's initial express consent for collection, use, or disclosure of the
102 consumer's genetic data that:
103 (i) clearly describes the company's use of the genetic data that the company collects
104 through the company's genetic testing product or service;
105 (ii) specifies who has access to test results; and
106 (iii) specifies how the company may share the genetic data;
107 (c) if the company engages in any of the following, obtain a consumer's:
108 (i) separate express consent for:
109 (A) the transfer or disclosure of the consumer's genetic data to any person other than
110 the company's vendors and service providers;
111 (B) the use of genetic data beyond the primary purpose of the company's genetic testing
112 product or service; or
113 (C) the company's retention of any biological sample provided by the consumer
114 following the company's completion of the initial testing service requested by the consumer;
115 (ii) informed consent in accordance with the Federal Policy for the Protection of
116 Human Subjects, 45 C.F.R. Part 46, for transfer or disclosure of the consumer's genetic data to
117 a third party for:
118 (A) research purposes; or
119 (B) research conducted under the control of the company for the purpose of publication
120 or generalizable knowledge; and
121 (iii) express consent for:
122 (A) marketing to a consumer based on the consumer's genetic data; or
123 (B) marketing by a third party person to a consumer based on the consumer having
124 ordered or purchased a genetic testing product or service;
125 (d) require valid legal process for the company's disclosure of a consumer's genetic
126 data to law enforcement or any government entity without the consumer's express written
127 consent;
128 (e) develop, implement, and maintain a comprehensive security program to protect a
129 consumer's genetic data against unauthorized access, use, or disclosure; and
130 (f) provide a process for a consumer to:
131 (i) access the consumer's genetic data;
132 (ii) delete the consumer's account and genetic data; and
133 (iii) destroy the consumer's biological sample.
134 (2) Notwithstanding Subsection (1)(c)(iii), a direct-to-consumer genetic testing
135 company with a first-party relationship to a consumer may, without obtaining the consumer's
136 express consent, provide customized content or offers on the company's website or through the
137 company's application or service.
138 Section 5. Section 13-58-202 is enacted to read:
139 13-58-202. Prohibited disclosures.
140 A direct-to-consumer genetic testing company may not disclose a consumer's genetic
141 data without the consumer's written consent to:
142 (1) an entity that offers health insurance, life insurance, or long-term care insurance; or
143 (2) an employer of the consumer.
144 Section 6. Section 13-58-301 is enacted to read:
145
146 13-58-301. Enforcement powers of the attorney general.
147 (1) The attorney general may enforce this chapter.
148 (2) The attorney general may initiate a civil enforcement action against a person for
149 violating this chapter.
150 (3) In an action to enforce this chapter, the attorney general may recover:
151 (a) actual damages to the consumer;
152 (b) costs;
153 (c) attorney fees; and
154 (d) $2,500 for each violation of this chapter.