Wyoming's Genetic Data Privacy Act was signed into law by Governor Mark Gordon on March 8th, 2022, and goes into effect on July 1st, 2022.

This act was passed to help protect genetic data as it can be used to identify individuals and their family members and can contain their private health information.

This article will dive deep into what this act aims to accomplish, what it requires and how you can comply with it, with practical steps and guidance.

What is Wyoming's Genetic Data Privacy Act?

Wyoming's Genetic Data Privacy Act was created to help keep individuals' sensitive genetic information private.

It calls for genetic testing companies to let people know how they collect genetic data, what they plan to use it for, and who they share it with, as well as how they store it. The act improves upon existing genetic data privacy laws by updating definitions to match those of other states.

This act details the rights individuals have concerning their genetic data. It outlines how genetic data should be treated by genetic testing companies, and what those companies need to let consumers know before collecting their data. It also gives the attorney general the power to bring action against genetic testing companies that are in violation of the act.

What is Genetic Data and Why is it Important?

Genetic data is any information that contains an individual's genetic characteristics.

When people think about genetic data, genetic testing is probably the first thing to come to mind. Genetic testing is used to determine heritable diseases as well as to help individuals research their geographical ancestry.

While genetic data can be used for positive purposes, such as to help scientists figure out the cause of and treatment for certain diseases and forge new developments in neuroscience, it can also be misused.

Genetic data contains sensitive health information about individuals that can lead to discrimination or be used to identify or track individuals and their family members without their knowledge.

Examples of Genetic Data

According to the act, genetic data includes raw sequencing data, genotypic and phenotypic information, and health information that is connected to an individual's raw sequence data.

Raw Sequencing Data

Raw sequencing data is information that comes from an individual's extracted deoxyribonucleic acid (DNA).

Genotypic and Phenotypic Information

A genotype is the genetic makeup of an organism. A phenotype is the physical traits that make up an individual, such as eye and hair color or blood type. A genotype contributes genetically to the formation of a phenotype. Genotypic or phenotypic data can be used to identify family members of an individual, rendering it sensitive information.

Raw sequencing data can result in genotypic or phenotypic information, which is considered genetic data under the act.

Health Information

Companies that use health information for research or product development should pay special attention to any health information that an individual reports to them, as it may be considered genetic data under the act.

Any self-reported health information that is used in connection with the individual's raw sequence data is treated as genetic data and protected under the act.

The language of Wyoming's Genetic Data Privacy Act makes it clear what constitutes genetic data:

  1. Raw sequence data that result from sequencing of an individual's complete extracted or a portion of the extracted DNA;
  2. Genotypic and phenotypic information that results from analyzing the raw sequence data, including any familial inferences therefrom; and
  3. Self reported health information that an individual submits to a company regarding the individual's health conditions and that is used for scientific research or product development and analyzed in connection with the individual's raw sequence data.

Now that you understand what genetic data is, let's look at who the act applies to.

Who Wyoming's Genetic Data Privacy Act Applies to

Any genetic testing company that gathers genetic data from individuals falls under the jurisdiction of the Genetic Data Privacy Act.

Exceptions to the Law

The act does not apply to any covered entities or their business associates that collect protected health information as per HIPAA guidelines. This kind of protected health information might include data that is related to an individual's current, previous, or future physical or mental health conditions, treatments, or payment for care.

Protected health information covered by HIPAA must undergo a de-identification process that removes certain attributes so that the information cannot be used to identify individuals, their family or household members, or their employers.

Protected health information that must be de-identified includes:

  • Names
  • Addresses
  • Birth and death dates
  • Phone numbers
  • Email addresses
  • IP addresses
  • Social security numbers
  • Financial account numbers
  • License plate numbers
  • Website URLs
  • Face photos
  • Fingerprints
  • Voice prints
  • Retinal images

Once this data has been de-identified, it no longer qualifies as personal health information, and can be used for other purposes, such as research.

Companies that offer data transmitting or storage services to businesses involved with genetic testing do not need to obtain informed consent from individuals prior to handling their genetic data.

Next we will cover what the act requires of businesses that collect genetic data.

What Wyoming's Genetic Data Privacy Act Requires

Wyoming's Genetic Data Privacy Act requires businesses that collect genetic data to inform individuals before they gather data as to how they collect and use the information, and whether they share it with any third parties.

The act also requires businesses to get express consent from individuals before collecting their data. Express consent in the context of collecting genetic data is defined as an individual voluntarily agreeing to allow a business to use their data for purposes that are clearly outlined.

The act defines express consent as "a consumer's affirmative response to a clear, meaningful and prominent notice regarding the collection, use or disclosure of the consumer's genetic data for a specific purpose."

When individuals share their genetic data with public genealogy databases, they are also sharing their relatives' information, with or without their consent. This act makes it clear that it is necessary to get the consent of anyone whose genetic data is being used and to respect consumers' wishes for anonymity when applicable.

The act gives people the legal right to request that businesses get rid of their genetic data after it has been used for the purpose it was collected. The act also gives individuals the right to bring civil action against any business or entity that violates the law.

How to Comply With Wyoming's Genetic Data Privacy Act

To ensure that you are in compliance with the Genetic Data Privacy Act, there are a few steps you should follow to make sure that people know the process you use for collecting their genetic data, how you use their data, and who you share their data with.

These are the steps you should take in order to be in compliance with the act if you are a company that provides genetic testing services directly to individuals.

1. Create a Detailed Privacy Policy

Your Privacy Policy should be available to the public and should contain information as to how you collect genetic data and for what purposes. It should also inform consumers as to how you get consent for collecting genetic data, how you transport and securely store the data, and how you delete data when you are done using it.

BillionToOne's Privacy Policy details how its genetic data is physically collected, what happens to the data once it is extracted, how the data is then stored, and what purposes it may be used for. It also lets users know that it will de-identify data until it is destroyed.

BillionToOne Privacy Policy: How Information is Collected and Used clause excerpt

Along with creating and maintaining a comprehensive Privacy Policy, you will also want to make sure you obtain express and informed consent from anyone you are gathering genetic data from.

2. Get Express and Informed Consent

You will need to get express consent from anyone you collect genetic data from. You will need individuals to agree to how you use their genetic data, and who you share that data with.

You will want to get separate express consent for how you transfer, disclose, and retain the data. You will need express consent if you use the data for anything other than your primary purpose.

You will need to get informed consent if you are transferring or disclosing the genetic data you collect to third parties for research that will be published. Informed consent is when a consumer is informed of and agrees to the risks and benefits associated with a procedure.

You will also need to get separate express consent if you are using the data for any marketing purposes.

Consent should be voluntary, informed, and made by an individual who has the capacity to understand the consequences of their actions. You can get consent by having individuals sign a contract stating that they have read and agree to the terms of your genetic data collection process.

ARUP Laboratories' Informed Consent For Genetic Testing form details information about the testing process, results, storage, and privacy. It states that the signature of the individual undergoing the genetic testing is an agreement that they understand the risks and benefits of the test. It further requires the signature of a Physician or a Genetic Counselor stating that they have fully explained the genetic testing process to the individual:

ARUP Laboratories Informed Consent for Genetic Testing form with signature field highlighted

There are certain circumstances where you are legally required to disclose the genetic data you've collected, which you should let people know about.

3. Let Users Know When You Are Required to Share Their Data

The act also calls for businesses to have a legitimate process in place for disclosing consumers' genetic data to law enforcement or other governmental agencies.

23andMe's Privacy Policy lets users know that it will not share their personal information with any third parties without their consent unless it is legally required to do so:

23andMe Privacy Policy: Access to Your Information clause - Comply with the law section highlighted

The act requires businesses to keep the genetic data they collect secure. Genetic testing companies also need to have a process for consumers to access and delete their data, and a system in place for individuals to request that any of their biological samples be destroyed.

MyHeritage uses its Privacy Policy to inform users how they can delete their DNA results and reports and how they can request that their DNA sample be destroyed. MyHeritage also provides an email where consumers can contact the company with any questions, which is a smart way to ensure compliance with the act:

MyHeritage Privacy Policy: How Do You Delete Information About Yourself or Your Family or Report it to us clause

There are financial consequences for violating Wyoming's Genetic Data Privacy Act, which we will cover next.

Penalties for Non-Compliance

The Attorney General of Wyoming enforces the act, and has the authority to penalize businesses with fines for not complying. Each violation of the act carries a penalty of $2,500, and companies are also responsible for paying for any damages individuals may incur, as well as attorney fees.

Individuals can bring a civil action against any business that violates the act, but must first inform the business in writing about the suspected violation. The company then has 60 days to remedy the situation. If it does, the individual can no longer file a suit against it; if the company fails to cure the violation, the individual can still bring a civil action.

Summary

Wyoming's Genetic Data Privacy Act was created to protect consumers' sensitive genetic data from misuse. The act requires that businesses that gather genetic data let individuals know how they collect, use, and store it, how they keep it safe, and whether they share it with any third parties.

Examples of what constitutes genetic data include raw sequencing data, genotype and phenotype information that results from raw sequencing data, and self-reported health information that can be analyzed along with raw sequencing data.

The act does not apply to covered entities and business associates that collect HIPAA-protected personal health information. Third parties that transmit or store genetic data for the businesses that collect it do not need to obtain informed consent from the individuals the data comes from.

In order to be in compliance with this law, businesses that collect genetic data can take the following steps:

  1. Create a detailed Privacy Policy that tells individuals how you collect, use, and share genetic data
  2. Get express and informed consent from your consumers
  3. Inform users as to when you are legally required to disclose genetic data to third parties

If a business violates the act, it can be held responsible for damages and attorney fees and fined $2,500 per violation.
