
An Overview of Virginia’s Genetic Data Privacy Law

Contributors

Anas Baig

Product Marketing Manager at Securiti

Adeel Hasan

Sr. Data Privacy Analyst at Securiti

CIPM, CIPP/Canada

Published July 29, 2023 / Updated July 1, 2025


I. Introduction

Senate Bill 1087, a genetic data privacy law that applies to businesses that provide customer-initiated genetic testing products and services, was signed into law by Virginia Governor Glenn Youngkin on March 26, 2023. The law went into effect on July 1, 2023.

Virginia isn’t the only US state interested in regulating companies that process genetic data. Following the enactment of similar genetic privacy laws in Arizona, California, and Utah in recent years, numerous other states, including Minnesota, Texas, Tennessee, and Vermont, introduced similar bills during the same legislative session.

II. Who Needs to Comply with Virginia’s Genetic Data Privacy Law

a) Material Scope

Every direct-to-consumer genetic testing business (covered entity) engaged in offering genetic testing products or services to a natural person who resides in the Commonwealth (consumer) is subject to Senate Bill 1087.

A direct-to-consumer genetic testing company is an entity that:

  • offers consumer-initiated genetic testing products or services directly to a consumer; or
  • collects, uses, or analyzes genetic data that is collected or derived from a direct-to-consumer genetic testing product or service and is directly provided by a consumer.

b) Exemptions

The law excludes the following from the application of its provisions:

  • The entities and their business associates covered by, and dealing with the protected health information that is collected, maintained, used, or disclosed in accordance with, the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act);
  • Scientific research or educational activities conducted by a public or private nonprofit institution of higher education that complies with all applicable federal and state laws and regulations for the protection of human subjects in research, including the Common Rule, U.S. Food and Drug Administration regulations, and the federal Family Educational Rights and Privacy Act;
  • The newborn screening program (§ 32.1-65 et seq.);
  • Tests conducted exclusively to diagnose whether an individual has a specific disease, to the extent that all persons involved in the conduct of the test maintain, use, and disclose genetic data in the same manner as protected health information under the provisions of HIPAA and HITECH Act; and
  • Genetic data used or maintained by an employer that is necessary to comply with workplace health and safety laws.

III. Definitions of Key Terms

a) Consumer

Consumer means a natural person who is a resident of the Commonwealth.

b) Affirmative Authorization

Affirmative Authorization means an action that demonstrates an intentional decision by a consumer.

c) Biological Sample

A biological sample means any material part of the human, discharge therefrom, or derivative thereof, such as tissue, blood, urine, or saliva, known to contain DNA.

d) Genetic Data

Genetic data is any data, regardless of its format, that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained, and concerns genetic material, including deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations, or modifications to DNA or RNA, and single nucleotide polymorphisms (SNPs).

The genetic data also includes the uninterpreted data that results from the analysis of the biological sample and any information extrapolated, derived, or inferred therefrom; but does not include the following:

  • de-identified data; or
  • data or a biological sample to the extent that data or a biological sample is collected, used, maintained, and disclosed exclusively for scientific research conducted in compliance with applicable federal and state laws.

e) Deidentified data

Deidentified data means data that cannot be used to infer information about, or otherwise be linked to, a particular individual, provided that the direct-to-consumer genetic testing company:

  1. takes reasonable measures to ensure that such information cannot be associated with a consumer or household;
  2. publicly commits to maintain and use such information only in de-identified form and not to attempt to re-identify the information, except that the direct-to-consumer genetic testing company may attempt to re-identify the information solely for the purpose of determining whether its de-identification processes satisfy the requirements of this clause, provided that the direct-to-consumer genetic testing company does not use or disclose any information reidentified in this process and destroys the reidentified information upon completion of that assessment; and
  3. contractually obligates any recipients of the information to take reasonable measures to ensure that the information cannot be associated with a consumer or household and to commit to maintaining and using the information only in de-identified form and not to re-identify the information.

f) Express Consent

Express consent means a consumer's affirmative authorization to grant permission in response to a clear, meaningful, and prominent notice regarding the collection, use, maintenance, or disclosure of genetic data for a specific purpose.

g) Genetic Testing

Genetic testing means any laboratory test of a biological sample from a consumer for the purpose of determining information concerning genetic material contained within the biological sample, or any information extrapolated, derived, or inferred therefrom.

h) Service Provider

A service provider means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that is involved in:

  • the collection, transportation, and analysis of the consumer's biological sample or extracted genetic material:
    • on behalf of the direct-to-consumer genetic testing company; or
    • on behalf of any other company that collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service or directly provided by a consumer; or
  • the delivery of the results of the analysis of the biological sample or genetic material.

IV. Obligations for Organizations Under Virginia’s Genetic Data Privacy Law

A. Consent Requirements

The covered entities are required to make a disclosure to consumers about the nature of the data collection, use, maintenance, or disclosure and to obtain separate and express consent by affirmative authorization from the consumer for each of the following:

  • the use of genetic data collected through the genetic testing product or service offered to the consumer, including details on who will have access to the data, how it will be shared, and the purposes for which it will be collected, used, and disclosed;
  • the storage of a consumer's biological sample following completion of the initial testing the consumer requested;
  • each use of genetic data or a biological sample that goes beyond the intended use of the test or service and any naturally occurring context-based uses;
  • each transfer or disclosure of the consumer's genetic data or biological sample to a party other than a service provider, along with the name of the recipient/third party of the genetic data or biological sample; and
  • any marketing to consumers or facilitation of marketing to consumers based on genetic information.

The revocation of the consumer's express consent to store their biological sample must be honored by the covered entities as soon as practically possible, but in all cases within 30 days, and they must also destroy the consumer's biological sample within 30 days of receiving the consent revocation notice.

B. Privacy Notice Requirements

The covered entities must provide consumers with a privacy notice containing the following information:

  • policies and procedures about the collection, use, maintenance, retention, disclosure, transfer, deletion, and security of genetic data as well as the entity's privacy practices;
  • information regarding the requirement for express consent for the collection, use, and disclosure of genetic data and the process for revoking express consent;
  • a statement that, as permitted by the law, de-identified genetic or phenotypic data about a consumer may be shared with or provided to third parties for research; and
  • information about the process by which a consumer may file a complaint alleging a violation of the law.

The law mandates that the privacy notice shall be in simple language, delivered to consumers along with any genetic testing product provided to consumers, and posted in a form that is readily accessible to the public on any website maintained by the covered entity.

C. Data Security Requirements

The law requires the covered entities to implement and maintain reasonable security procedures and practices to protect consumers’ genetic data against unauthorized access, destruction, use, modification, or disclosure.

D. Fulfillment of Consumer Requests Requirements

The covered entities must develop and implement procedures and practices that make it simple for consumers to exercise their legal rights, such as the right to access, the right to delete, and the right to revoke their consent.

E. Contracts with Service Providers Requirements

The law requires the covered entities to use express contractual provisions that prohibit the service providers from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the consumer’s identity, including whether the consumer has requested or received genetic testing, as applicable, for any reason other than to perform the services specified in the contract with the covered entity.

F. Non-Discrimination Requirements

The law bars the covered entities from discriminating against a consumer, on the ground that the consumer exercised any of his/her rights under this law, with regard to the following:

  • Providing or denying any good, service, or benefit to the consumer;
  • Charging any different price or rate for any good or service provided to the consumer, including through the use of discounts or other incentives or imposition of penalties;
  • Providing a different level or quality of goods, services, or benefits to the consumer;
  • Suggesting that the consumer will receive a different price or rate for goods, services, or benefits or a different level or quality of goods, services, or benefits; or
  • Considering the consumer's exercise of rights pursuant to the law as a basis for suspicion of criminal wrongdoing or unlawful conduct.

G. Prohibition on Certain Disclosures of Genetic Data

Without the consumer's express consent, the covered entities are barred from disclosing consumers' genetic information to organizations charged with managing or making decisions relating to health insurance, life insurance, long-term care insurance, disability insurance, or employment.

V. Data Subject Rights

A. Right to Access

Consumers have a right to access their genetic data collected and maintained by a covered entity.

B. Right to Delete

Consumers have a right to delete their genetic data maintained by a covered entity, except for data that must be retained in compliance with applicable laws.

C. Right to Revoke Consent

Consumers have a right to revoke their express consent for storing their biological sample and to request the destruction of that biological sample.

VI. Regulatory Authority

The Attorney General has exclusive authority to enforce the law's provisions, including the right to issue civil investigative demands and to bring civil actions against those who violate the law.

VII. Penalties for Non-compliance

Violations of the law are subject to the following civil penalties:

  • For a non-willful violation, a fine of not more than $1,000 plus reasonable attorney fees, expenses, and court costs;
  • For a willful violation, a fine of not less than $1,000 and not more than $10,000, plus reasonable attorney fees, expenses, and court costs.

VIII. Limitations of the Law

The law does not affect the covered entities’ duties, obligations, requirements, or standards under any applicable state and federal laws for the protection of privacy and security. The law provides that where its provisions conflict with another law, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall prevail.

IX. How an Organization Can Operationalize Virginia’s Genetic Data Privacy Law

Organizations can operationalize Virginia’s Genetic Data Privacy Law by:

  • Establishing policies and procedures for handling genetic data in compliance with the requirements of the law;
  • Developing a clear and accessible privacy notice laying out policies and procedures for the collection, use, disclosure, retention, and deletion of genetic data;
  • Obtaining informed consent from individuals before collecting, using, or sharing their genetic data;
  • Implementing appropriate security measures such as data encryption, access controls, and audit logs to protect the confidentiality and integrity of the consumers’ genetic data;
  • Developing a robust framework for receiving and processing data requests and complaints from consumers; and
  • Training employees who handle genetic data on the organization's policies and procedures, as well as the requirements of the law.

X. How Can Securiti Help

Securiti’s Data Command Center framework enables organizations to comply with Virginia’s Genetic Data Privacy Law (Senate Bill 1087) by securing the organization’s data, enabling organizations to maximize data value, and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.

Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.

Request a demo to learn more.

Frequently Asked Questions (FAQs)

Senate Bill 1087 is Virginia’s genetic data privacy law that applies to businesses that provide customer-initiated genetic testing products and services. Virginia's genetic data privacy law empowers consumers in the state, offering them increased control over the genetic information they disclose to direct-to-consumer genetic testing companies.

Yes, the Virginia Consumer Data Protection Act (VCDPA) is a comprehensive privacy law that regulates the processing of personal data of Virginia residents. The VCDPA came into effect on January 1, 2023.

The VCDPA applies to businesses that conduct business in Virginia or offer products or services specifically directed at Virginia residents. This includes businesses that:

(i) in a calendar year, control or process personal data for a minimum of 100,000 consumers; or
(ii) control and process personal data for at least 25,000 Virginia residents while generating over 50 percent of their gross revenue from the sale of such data.

The VCDPA exempts protected health information (PHI) under HIPAA, health records, patient-identifying information, and other data types specified by Virginia law. These exclusions ensure compliance with existing privacy regulations.
