Last updated on 25 October 2021 by Stephen Titcombe (TermsFeed Legal writer)
Utah's Genetic Information Privacy Act (GIPA) is a newly introduced law that regulates how direct-to-consumer (DTC) genetic testing companies obtain consumer consent to collect, use, and disclose consumers' genetic data.
Consumers should also have the right to access and erase their genetic data from DTC companies as well as destroy any biological samples.
Recently signed into law in Utah, the GIPA requires you (as a DTC genetic testing company) to evaluate your current Privacy Policies and practices regarding consumers' genetic data to ensure that they comply with the law.
Let's take a look at what the GIPA entails, how it works, and details for your compliance with the law.
The GIPA is a law with far-reaching implications. It was designed to protect the genetic data of Utah residents collected by DTC genetic testing companies.
It therefore applies to all companies operating in Utah, regardless of where they are based.
The call for legislation to protect genetic information privacy arose from the growing popularity of DTC genetic testing companies and the considerable control they hold over consumers' genetic data.
Genetic information is data that relates to the inherited genetic features of a person, obtained through DNA analysis.
Generally, genetic information points to genetic traits that distinguish people, such as hair, skin, eye color, body type, height, susceptibility to certain diseases, and other related features.
Most businesses use genetic information for the following reasons:
The GIPA regulates how DTC genetic testing companies collect, use and disclose genetic information.
It recognizes genetic data as one of the most sensitive types of personal information, hence the need to secure it properly. If it is handled negligently, genetic information may be used and/or sold for proprietary or other gains.
For genetic testing companies, the GIPA provides rules about:
Before attempting to comply with the GIPA, you need to understand how the law defines certain terms.
A biological sample refers to any human material known to contain DNA, such as:
A consumer (for purposes of GIPA) refers to an individual who is a resident of Utah.
Under the GIPA, genetic testing refers to any of the following:
Express consent means a consumer's affirmative response to a clear, meaningful, and prominent notice describing how you collect, use, or disclose genetic data for a specific purpose.
Utah's GIPA applies to "direct-to-consumer genetic testing companies" that obtain genetic data from residents of Utah.
Genetic data, according to the law, is "any data (regardless of format) that describes a consumer's genetic characteristics (excluding 'de-identified data')."
Genetic data, therefore, includes the following:
Self-reported health information about a consumer's health conditions provided to you by the consumer to be used for:
Under the GIPA, "De-identified data" refers to:
For example, here's how the genetic testing company 23andMe explains and presents de-identified data to its customers:
The GIPA does not apply to the following:
As a direct-to-consumer genetic testing company, you must not disclose a consumer's genetic data without the consumer's written consent to:
Now that we understand what the law is and who it affects, let's see what Utah's GIPA requires of you as a DTC genetic testing company, as well as how you can comply.
Under the GIPA, you must operate with a high level of transparency and in good faith. This can be done by providing consumers clear and detailed information about how you collect, use, and disclose their genetic data.
Unless you have a warrant, court order, or subpoena instructing you to act otherwise, you must not provide access to or disclose a consumer's genetic information.
You may wish to separately address this requirement like 23andMe does in its Transparency Report regarding consumers' Personal and Genetic Information:
Helix also briefly explains its policy regarding consumers' Genetic Information in its Transparency Report as shown below:
The GIPA requires you to provide a prominent Privacy Notice that confirms your compliance with the law. If you already have one, you must update it to meet the requirements of the GIPA.
This notice must be publicly available through your company's website or other platforms.
In the Privacy Notice, you must provide clear information to consumers about the following:
This is likely to impose few new requirements if you already meet other U.S. (or EU) Privacy Notice legal obligations.
For example, Ancestry recently updated its Privacy Statement to meet the requirements of the GIPA.
Its updated policy on consumer consent, collection, and use of genetic information, as well as destruction of biological samples is briefly shown below:
Another essential requirement of the GIPA is for you to obtain initial express consent to collect, use, or disclose a consumer's genetic data.
Your request for a consumer's consent must contain the following:
If your service involves any of the following, you must seek separate express consent for:
Under the GIPA, you must also get express consent for direct or third-party marketing activities based on consumers' genetic data.
However, if you have a first-party relationship with your consumers, you may, without express consent, provide customized content or offers on your website or mobile app/service.
Finally, the law requires you to obtain consumers' consent for disclosing genetic data to third parties for research purposes. This is in accordance with the Federal Policy for the Protection of Human Subjects, 45 C.F.R. Part 46.
For example, 23andMe complies with the GIPA by requesting consumer consent for research purposes (which may be revoked by consumers whenever they wish), as shown below:
23andMe also separately requests Individual Data Sharing Consent from its consumers:
To comply with the GIPA, you must develop, implement, and maintain a comprehensive security program to protect consumers' genetic data against unauthorized access, use, or disclosure.
Here's how Ancestry shows its compliance with the data security requirement of the GIPA:
Finally, the GIPA requires you to provide consumers with certain rights over their genetic information. These include:
For example, here's how Ancestry presents the Rights and Choices of consumers in its Privacy Statement:
Now that you have an idea of what's required, let's take a look at what happens if you don't comply with the law.
Violating the GIPA can leave your company open to legal claims by the Utah State Attorney General. The law does not provide for a private cause of action.
If you fail to comply with the GIPA or violate any of its provisions, you may be liable for a civil enforcement action.
In such a case, the Utah State Attorney General may claim:
With the growing appetite for legislation in this area, other laws are likely to emerge, so you should stay informed about developments in the industry.
If you collect genetic information from Utah residents, or you're planning to do so, consider the following questions:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.