Utah's Genetic Information Privacy Act (GIPA)

Utah's Genetic Information Privacy Act (GIPA) is a newly-introduced law that regulates how direct-to-consumer (DTC) genetic testing companies obtain consumer consent to collect, use, and disclose their genetic data.

Consumers should also have the right to access and erase their genetic data from DTC companies as well as destroy any biological samples.

Recently signed into Utah's law, the GIPA requires you (a DTC genetic testing company) to evaluate your current Privacy Policies and practices on consumer's genetic data to ensure that they comply with the law.

Let's take a look at what the GIPA entails, how it works, and details for your compliance with the law.

What is Utah's Genetic Information Privacy Act (GIPA)?

The GIPA is a portion of the law with far-reaching implications. It was designed to protect the genetic data of Utah residents collected by DTC genetic testing companies.

It, therefore, applies to all companies operating in Utah regardless of where they are based.

The call for legislation to protect Genetic Information privacy arose due to the growing popularity of DTC genetic testing companies and their noteworthy power over consumers' genetic data.

What is Genetic Information?

Genetic information is data that relates to the inherited genetic features of a person, obtained through DNA analysis.

Generally, genetic information points to genetic traits that distinguish people, such as hair, skin, eye color, body type, height, susceptibility to certain diseases, and other related features.

Most businesses use genetic information for the following reasons:

• Detecting a genetic disorder - Genetic information can be used to identify hereditary medical issues and the tendency for other illnesses.
• Identifying genetic relationships - For example, using genetic data to identify ethnic origins and match family members.
• Tracking locations - If a database links a person's genetic information to a name or address, it can be used to track that individual.

What is the Purpose of the Genetic Information Privacy Act (GIPA)?

The GIPA regulates how DTC genetic testing companies collect, use and disclose genetic information.

It recognizes genetics as one of the most sensitive types of personal information, hence the need to secure them properly. If negligent, your genetic information may be used and/or sold for proprietary or other gains.

As a genetic testing company, the GIPA provides rules about:

• How you should properly display genetic information privacy information
• The conditions under which you may disclose genetic information
• The extent to which you must keep genetic information secure
• The penalties for violating or not complying with the law

GIPA Definitions

Before attempting to comply with the GIPA, you need to understand how the law defines certain terms.

1. Biological Sample

   A Biological sample refers to any human material known to contain DNA, such as:

   • Tissue
   • Blood
   • Urine
   • Saliva

2. Consumer

   A consumer (for purposes of GIPA) refers to an individual who is a resident of Utah.

3. Genetic Testing

   Under the GIPA, genetic testing refers to any of the following:

   • A lab test of a consumer's complete DNA, sections of DNA, chromosomes, genes, or gene products to discover the genetic features of the consumer
   • An interpretation of a consumer's genetic data

4. Express Consent

   Express Consent simply means a consumer's approving answer to a clear, meaningful, and prominent notice describing how you collect, use, or disclose genetic data for a specific purpose.

Who is Subject to the Genetic Information Privacy Act (GIPA)?

Utah's GIPA applies to "direct-to-consumer genetic testing companies" that obtain genetic data from residents of Utah.

Genetic data, according to the law, is "any data (regardless of format) that describes a consumer's genetic characteristics (excluding "de-identified data")."

Genetic data, therefore, includes the following:

1. Unprocessed sequence data obtained from sequencing all or part of a consumer's extracted DNA
2. Genotypic and phenotypic information acquired from analyzing a consumer's raw sequence data

3. Self-reported health information about a consumer's health conditions provided to you by the consumer to be used for:

   • Scientific research or product development
   • Analysis in connection to the consumer's raw sequence data

Under the GIPA, "De-identified data" refers to:

• Any data you cannot reasonably link to a particular consumer
• Any data you've taken measures to ensure cannot be identified with any consumer
• Any data for which you've made a public commitment to manage in a de-identified form without trying to re-identify it
• Any data guarded by a legally enforceable contractual obligation that prohibits you from attempting to re-identify it

For example, here's how the genetic testing company 23andMe explains and presents de-identified data to its customers:

Who the GIPA Doesn't Apply to

The GIPA does not apply to the following:

• Protected health information collected by a covered entity or business associate as those terms are defined in 45 C.F.R. Parts 160 and 164
• A private or public institution of higher education
• An entity owned or operated by a private or public institution of higher education

Prohibited Disclosures

As a direct-to-consumer genetic testing company, you must not disclose a consumer's genetic data without the consumer's written consent to:

• An entity that offers life insurance, health insurance, or long-term care insurance
• An employer of the consumer

Requirements of the Genetic Information Privacy Act (GIPA)

Now that we understand what the law is and who it affects, let's see what Utah's GIPA requires of you as a DTC genetic testing company, as well as how you can comply.

Transparency

Under the GIPA, you must operate with a high level of transparency and in good faith. This can be done by providing consumers clear and detailed information about how you collect, use, and disclose their genetic data.

Unless you have a warrant, court order, or subpoena instructing you to act otherwise, you must not provide access to or disclose a consumers' genetic information.

You may wish to separately address this requirement like 23andMe does in its Transparency Report regarding consumers' Personal and Genetic Information:

Helix also briefly explains its policy regarding consumers' Genetic Information in its Transparency Report as shown below:

Providing a Privacy Notice (aka a Privacy Policy)

The GIPA requires you to provide a prominent Privacy Notice that confirms your compliance with the law. If you already have one, you must update it to meet the requirements of the GIPA.

This notice must be publicly available through your company's website or other platforms.

In the Privacy Notice, you must provide clear information to consumers about the following:

• Data collection
• Consumer consent
• Use of data
• Access to data
• Disclosure of data
• Transfer of data
• Data security
• Retention of data
• Deletion of data

This is likely to impose few new requirements if you already meet other U.S. (or EU) Privacy Notice legal obligations.

For example, Ancestry recently updated its Privacy Statement to meet the requirements of the GIPA.

Its updated policy on consumer consent, collection, and use of genetic information, as well as destruction of biological samples is briefly shown below:

Obtaining Consent

Another essential requirement of the GIPA is for you to obtain initial express consent to collect, use, or disclose a consumer's genetic data.

Your request for a consumers' consent must contain the following:

• How you use the genetic data obtained through your company's genetic testing product or service
• Who has access to test results
• How you may share the genetic data

If your service involves any of the following, you must seek separate express consent for:

• Disclosing or transferring a consumers' genetic data to anyone (other than your vendors and service providers)
• Using the genetic data beyond the primary purpose of your genetic testing product or service
• Retaining any biological sample of a consumer after completing the initial testing service requested by the consumer

Under the GIPA, you must also get express consent for direct or third-party marketing activities based on consumers' genetic data.

However, if you have a first-party relationship with your consumers, you may, without express consent, provide customized content or offers on your website or mobile app/service.

Finally, the law requires you to obtain consumers' consent for disclosing genetic data to third parties for research purposes. This is in accordance with the Federal Policy for the Protection of Human Subjects, 45 C.F.R. Part 46.

For example, 23andMe complies with the GIPA by requesting consumer consent for research purposes (which may be revoked by consumers whenever they wish), as shown below:

23andMe also separately requests Individual Data Sharing Consent from its consumers:

Protecting Genetic Data

In compliance with the GIPA, you must develop, implement, and maintain a comprehensive security program to protect consumers' genetic data against unauthorized access, use, or disclosure.

Here's how Ancestry shows its compliance to the Data Security requirement of the GIPA:

Granting Individual Rights

Finally, the GIPA requires you to provide consumers certain rights to their genetic information. This includes:

• Giving consumers access to their genetic data
• Allowing consumers to delete their account on your platform as well as their Genetic Information
• Destroying consumers' biological samples at their request

For example, here's how Ancestry presents the Rights and Choices of consumers in its Privacy Statement:

Now that you have an idea of what's required, let's take a look at what happens if you don't comply with the law.

Consequences of Violating the Genetic Information Privacy Act (GIPA)

Violating the GIPA can leave your company open to legal claims by the Utah State Attorney General. The law does not provide for a private cause of action.

If you fail to comply with the GIPA or violate any of its provisions, you may be liable for a civil enforcement action.

In such a case, the Utah State Attorney General may claim:

• Actual damages to the consumer (i.e. Any actual amount of money lost due to your actions). For example, if you carelessly handle a consumers' biological sample, and someone uses it in a way that causes the consumer financial or material loss, you may be liable for any money or valuables that gets stolen.
• Costs
• Attorney fees
• Damages of $2,500 for each violation

GIPA Compliance Checklist

As an entity subject to this law, you need to treat the genetic information of your consumers with high regard. You should also review your existing Privacy Policy on your website or app to ensure absolute compliance with the law.

With the growing appetite for legislation in this area, other laws are likely to emerge, hence the need to be mindful and stay updated on the industry trends.

If you collect genetic information from Utah residents, or you're planning to do so, consider the following questions:

• Are you a DTC genetic testing company?
• Does the information you collect fall within the GIPA's definition of genetic data?
• Have you created or updated your publicly available Privacy Notice as required by the law?
• Have you obtained written express consent from the consumer?
• Will you share consumers' genetic information only within the GIPA's rules?
• Will you ensure the protection of genetic information up to the standards required by the law?
• Are you willing to grant consumers rights to access and delete their genetic information as well as destroy their biological samples?