Securiti Launches Industry’s First Solution To Automate Compliance
View
Listen to the content
As the name suggests, genetic information privacy laws are associated with protecting individuals’ genetic data, giving them more transparency and control over how or who can access this sensitive data.
This tracker contains a list of genetic data privacy laws around the world.
The Genetic Information Privacy Act (GIPA) was introduced as a California Senate Bill 41, which later went into effect on January 1, 2022.
GIPA applies to direct-to-consumer genetic testing companies that do any of the following:
The law also applies to any other company that collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service or is directly provided by a consumer.
Under the GIPA, the consumers have the right to revoke their consent, request access to their genetic data, request direct-to-consumer genetic testing companies to delete the consumer’s account and genetic data, or request to destroy the consumer’s biological sample.
The direct-to-consumer genetic testing companies must maintain a prominent and easily accessible privacy notice. Privacy notices must be maintained in a prominent and easily accessible manner. The privacy notice must include information about the company’s data collection, consent, privacy rights, transfer, retention, and deletion practices written in plain language.
Consent must be obtained for the collection, use, or disclosure of consumers’ genetic data. Moreover, separate and express consent must be collected from the consumer for the use of genetic data for genetic product testing, for the storage of a biological sample, for the use of biological samples other than the primary reason it was initially collected, and for disclosing the consumer’s genetic data to a third party.
A separate and expressed consent from a consumer must be obtained for the transfer or disclosure of genetic information.
GIPA requires direct-to-consumer genetic testing companies to implement reasonable security measures to safeguard consumers’ genetic data against unauthorized access, modification, disclosure, and destruction.
The Attorney General of the state of California, the district attorneys, the county attorney, and, in some cases, city attorneys can enforce the GIPA.
Violators may be fined up to $1000 per incident for negligent violation along with the court costs. A fine ranging from $1,000 to $10,000 may be imposed in case of willful violation, plus court costs.
The Arizona House Bill 2069, also known as the Arizona Genetic Information Privacy Act, went into effect on September 29, 2021, after receiving the approval of the State Governor on April 20, 2021.
The law applies to a direct-to-consumer genetic testing company that collects and processes DNA, chromosomes, genes, or gene products.
Under the law, a direct-to-consumer genetic testing company must allow consumers to exercise their right to access the consumers’ genetic data, delete the consumers’ accounts and genetic data, and request the destruction of consumers’ biological samples.
Direct-to-consumer genetic testing companies must maintain prominent and publicly available privacy policies or notices, including clear and complete information related to the company’s data collection and processing policies or practices, consent, consumers’ rights, and data disclosure or transfer, security, and retention/deletion practices.
The direct-to-consumer genetic testing companies are required to obtain consumers’ consent for collecting, using, or disclosing consumer’s genetic data. The consent must describe the consumers' use of their genetic data and how it is shared.
Separate express consent must be obtained from the consumer for marketing based on the consumer’s genetic data or by a third party to a consumer or purchase of a genetic testing product or service.
The direct-to-consumer genetic testing companies must design, implement, and maintain a comprehensive security program to protect the consumers’ genetic data against unauthorized disclosure, access, or use.
The Attorney General of Arizona is responsible for enforcing the provisions of the law and imposing penalties for violations.
The Attorney General can impose a civil penalty of up to $2,500 for each violation along with the damages, costs, and attorney fees of the Attorney General.
The Utah Genetic Information Privacy Act came into effect on May 05, 2021.
The law applies to direct-to-consumer genetic testing companies that collect, use, or analyze consumers’ genetic data or offer consumer genetic testing products or services directly to consumers in the state of Utah.
The law requires regulated entities to provide consumers with the rights to access and delete their genetic data, request the destruction of their biological samples, and prohibit the disclosure of their genetic data.
The direct-to-consumer genetic testing companies must create and maintain a prominent and publicly available privacy notice to communicate to consumers the company’s practices associated with data collection, consent, transfer, disclosure, retention, use, access, and deletion of consumers’ genetic data.
The law requires direct-to-consumer genetic testing companies to obtain the consumer’s initial express consent for the collection, use, or disclosure of the consumer’s genetic data. A separate consent is required to transfer or disclose a consumer’s genetic data to any person other than the company’s vendors and service providers, the use of genetic data beyond the primary purpose of the company's genetic testing product or service, and the company's retention of any biological sample provided by the consumer following the company's completion of the initial testing service requested by the consumer.
The direct-to-consumer genetic testing companies are prohibited from disclosing or sharing the genetic data of a consumer with their employer or health and life insurance company without the consumer's written consent.
A comprehensive security framework must be developed, implemented, and maintained to protect the consumers’ genetic data from unauthorized data, use, or disclosure.
The Attorney General of the state of Utah is responsible for enforcing this law and any civil penalties against entities violating its provisions.
A penalty of $2,500 may be imposed on violators, along with the actual damage, costs, and attorney’s fees for each violation.
The Protecting DNA Privacy Act went into effect on October 1, 2021, in Florida.
The law applies to individuals or entities involved in analyzing a person’s DNA only if the DNA sample is collected in Florida.
A person performing DNA analysis or receiving results of DNA analysis must provide the person tested with a privacy notice containing information about the DNA analysis. The notice must also contain whether the information was used in any decision related to insurance, employment, mortgage, or educational opportunity.
The law requires the regulated entities to seek the express consent of a person before analyzing their DNA. Further, the regulated entities must also seek the express consent of the person tested before disclosing the result of their DNA analysis.
Consent is required for the disclosure, selling, or transferring of a person’s DNA sample or results of a DNA analysis.
The law doesn't define any provisions for this section.
The law does not define any provisions for this section.
Each instance of violation, whether it involves collection, retention, submission, analysis, or disclosure, is considered a separate violation, and each is subject to a distinct penalty. For instance, violating the prohibition on unlawful collection or retention is classified as a misdemeanor of the first degree. If an individual intentionally discloses someone else's DNA analysis results to a third party without explicit consent, it constitutes a felony as per the law.
The Kentucky House Bill 502, also known as the Genetic Information Privacy Act, was signed into law in April 2022 and later went into effect on 1 June 2022. The law provides increased control to consumers over their genetic information.
The law applies to direct-to-consumer genetic testing companies that offer genetic testing products or services to consumers or collect, use, or analyze the genetic information of a consumer residing in Kentucky.
The law provides consumers with the right to access their genetic information collected, used, or disclosed by a company, delete their account and genetic data, and request to obtain or destroy their biological sample.
The law requires direct-to-consumer genetic testing companies to maintain a prominent and publicly available privacy notice that, at a minimum, provides details regarding consumers’ genetic data or the company’s practices associated with the collection, consent, use, transfer, security, destruction, or disclosure of consumer’s genetic data.
As per the law, direct-to-consumer genetic testing companies must obtain the initial consent of the consumer describing the uses of genetic data collected and must specify who has access to test results and how the data will be shared. Moreover, separate consent is required for cases like biological sample retention, compliance with federal policy for the protection of human research subjects for research purposes, research conducted under the company’s control for publication or generalizable knowledge, or marketing based on consumers’ genetic data. In addition, it requires a valid legal process for disclosing genetic data to law enforcement or any other government agency without a consumer’s express written consent.
The direct-to-consumer testing companies must obtain separate consent from the consumers for the disclosure or transfer of their genetic data to any person other than the company’s vendors and service providers and expressed consent for using the genetic data for marketing purposes. In addition, direct-to-consumer genetic testing companies may disclose a consumer’s genetic data to any entity offering health insurance, life insurance, or long-term care insurance or to any employer of the consumer without the consumer’s written consent.
For security measures, the law establishes that regulated entities must develop and maintain a comprehensive security program to protect consumers’ genetic data against unauthorized access, use, or disclosure.
The law grants the Attorney General of Kentucky the right to implement and enforce its provisions.
The Kentucky Attorney General is responsible for enforcing a civil penalty of $2,500 for each violation of this law, along with the damages, costs, and attorney’s fees.
Wyoming’s Governor signed House Bill 86, the Genetic Data Privacy Law, in March 2022, which came into effect on 1 July 2022. The law is directed toward businesses collecting or testing consumers' genetic data.
The law governs direct-to-consumer genetic testing companies that offer consumer genetic testing products or services to consumers or collect, use, or analyze Wyongmin’s consumers’ genetic data.
The direct-to-consumer genetic testing companies must provide a process for the consumers to access their genetic data, delete their account and genetic data, and request to obtain or destroy their biological sample.
The direct-to-consumer genetic testing companies must create and maintain a prominent and publicly available privacy notice that provides details regarding the data collection, use, access, disclosure, transfer, retention, and security practices.
The direct-to-consumer genetic testing companies must obtain the consumer’s express consent for the collection, use, or disclosure of genetic data and specify who shall have access to test results. Also, separate consent is required for cases like biological sample retention, compliance with federal policy for the protection of human research subjects for research purposes or research conducted under the company’s control for publication or generalizable knowledge, or transfer for research purposes, or marketing based on consumers’ genetic data. Moreover, it requires a valid legal process for disclosing genetic data to law enforcement or any other government agency without a consumer’s express written consent.
The direct-to-consumer genetic testing companies must obtain separate consent from the consumer for sharing or disclosing their genetic data to third parties.
Under the law, the security obligations require the direct-to-consumer genetic testing companies to develop, maintain, and implement a security program to safeguard consumers’ genetic data against unauthorized access, use, or disclosure.
The law grants the state's Attorney General power to implement and enforce its provisions.
The Attorney General may impose a civil penalty of up to $2,500 for each violation, along with the actual damages, costs, and attorney’s fees.
The state governor of South Dakota signed Senate Bill 178 on March 21, 2021, which prohibits certain life and long-term care insurers from using genetic information. The law took effect on January 01, 2022.
The law broadly applies to any company providing genetic testing services to consumers.
The law does not define any provisions for this section.
The law does not define any provisions for this section.
Written consent must be acquired by companies offering direct-to-consumer genetic testing companies for sharing or disclosing genetic tests or information with health carriers, life insurers, or long-term care insurers. However, there is an exception allowing communication between the genetic testing company and a health carrier for purposes such as payment, coordination of medical treatment, or patient care, provided that this communication must comply with the Health Insurance Portability and Accountability Act (HIPAA) and can only be used for specified purposes.
Health carriers, life insurers, and long-term care insurers are prohibited from requiring individuals to take genetic tests.
The law does not define any provisions for this section.
The law does not define any provisions for this section.
The law does not define any provisions for this section.
Senate Bill 1087, also known as Virginia Genetic Data Privacy Law, was signed into law on 26 March 2023 and took effect on 1 July 2023.
The law applies to businesses that provide direct-to-consumer genetic testing products or services to a consumer and are involved in collecting, using, or analyzing consumers’ genetic information.
Under the law, consumers can access their genetic information, request to delete the data, and revoke consent.
The covered entities must provide consumers with a clear privacy notice providing details regarding the collection, disclosure, transfer, selling, and deletion of their genetic data.
Consent must be required to collect, use, and disclose genetic data. An express and separate consent must be obtained for the following:
Separate consent must be obtained for transferring, sharing, or disclosing consumers’ genetic data.
Regulated companies must maintain reasonable security measures to protect genetic data against unauthorized access, use, and disclosure.
The Attorney General is responsible for implementing and enforcing the law or imposing civil penalties in case of violations.
In the event of violations, the Attorney General can impose a civil penalty of up to $1,000 for non-willful violations or a fine of not less than $1,000 up to $10,000 for each willful violation. It may also include the attorney’s fees, charges, and court costs.
Tennessee House Bill 1310 for the Genetic Information Privacy Act was signed into law by the Tennessee Governor on April 28, 2023. It came into effect on July 01, 2023.
The law applies to entities that offer genetic testing products or services directly to consumers and collect, use, or analyze provided genetic data. However, the law does not apply to:
Under this law, consumers have the right to access their genetic data or request the deletion of their account and genetic data, as well as the destruction of their biological samples.
A prominent and publicly available privacy notice must be made available for consumers communicating the collection, consent, use, testing, disclosure, security, retention, and transfer practices of consumers’ genetic information.
Express consent must be obtained from the consumer, communicating to them how their genetic data is collected, who accesses the test results, and how the data is shared. Moreover, informed consent must be obtained in accordance with the Federal Policy for the Protection of Human Subjects to transfer or disclose consumers' genetic data to a third party for research purposes or research conducted under the company's control for publication or generalizable knowledge
The regulated entities must obtain separate express consent for sharing or disclosing the data to third parties except their vendors and service providers, using it beyond the primary purpose, retaining consumers’ biological samples, or marketing purposes.
Reasonable security measures and programs must be implemented to protect consumers’ genetic data against unauthorized access, use, or disclosure.
The division of consumer affairs in the office of the attorney general and reporter shall enforce this law.
The law does not define any provisions for this section.
Montana’s Governor signed Senate Bill 351, also known as the Genetic Information Privacy Act, on June 7, 2023. This law took effect on October 1, 2023.
The law applies to entities, such as corporations, partnerships, or associations, that provide genetic testing products or services directly to consumers or collect, use, or analyze their genetic information.
Under this law, consumers have the right to access their genetic data, revoke their consent, obtain or request the destruction of their biological samples, or request the deletion of their genetic data.
To safeguard the privacy, clear and complete information regarding the entity's policies and procedures for the collection, use, or disclosure of genetic data by making it available to a consumer. A high-level privacy policy overview that includes basic, essential information about the entity's collection, use, or disclosure of genetic data. Moreover, a prominent and publicly available privacy notice must be made available to consumers containing information about the entity’s data collection, use, analysis, transfer, security, retention, and disclosure of consumer’s genetic data.
An initial express consent must be obtained from the consumer whose data is collected, used, analyzed, or disclosed. The request for consent must also describe the entity’s use of genetic data and specify the individuals who can access the genetic data.
Separate express consent must be obtained from consumers for the purpose of transferring or disclosing their genetic data or biological samples, using it other than the initial primary purpose, or retention of biological samples or marketing.
Reasonable security measures must be in place to protect consumers’ genetic data against unauthorized access, use, or disclosure.
The Attorney General is solely responsible for enforcing the genetic data law in Montana.
The Attorney General of Montana can impose a civil fine of up to $2,500 for each violation, along with the actual damages, costs, and attorney’s fees.
Watch the demo to see how Securiti is helping organizations with global privacy regulatory compliance.
Watch the demoGet all the latest information, law updates and more delivered to your inbox
April 4, 2024 knowledge-center
Introduction China, being one of the most populous countries in the world, is considered a highly attractive data source. However, its cross-border data transfer...
April 3, 2024 knowledge-center
The Service Organization Control (SOC) 2 compliance checklist aims to cater to users seeking detailed information and assurance regarding the controls implemented in a...
March 26, 2024 knowledge-center
The Health Insurance Portability and Accounting Act (HIPAA) is a healthcare-related regulation in the US. Before HIPAA, there were no central standards, mechanisms, or...
At Securiti, our mission is to enable organizations to safely harness the incredible power of Data & AI.
Copyright © 2024 Securiti · Sitemap · XML Sitemap
info@securiti.ai
Securiti, Inc.
300 Santana Row
Suite 450
San Jose, CA 95128
