Senate Bill 1087, a genetic data privacy law that applies to businesses that provide customer-initiated genetic testing products and services, was signed into law by Virginia Governor Glenn Youngkin on March 26, 2023. The law will go into effect from July 1, 2023.
Virginia isn’t the only US state interested in regulating companies that process genetic data. Following the enactment of similar genetic privacy laws in Arizona, California, and Utah in recent years, numerous other states, including Minnesota, Texas, Tennessee, and Vermont, have introduced similar bills during this legislative session.
Every direct-to-consumer genetic testing business (covered entity) engaged in offering genetic testing products or services to a natural person who resides in the Commonwealth (consumer) is subject to Senate Bill 1087.
A direct-to-consumer genetic testing company is an entity that:
The law excludes the following from the application of its provisions:
Consumer means a natural person who is a resident of the Commonwealth.
Affirmative Authorization means an action that demonstrates an intentional decision by a consumer.
A biological sample means any material part of the human body, discharge therefrom, or derivative thereof, such as tissue, blood, urine, or saliva, known to contain DNA.
Genetic data is any data, regardless of its format, that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained, and concerns genetic material, including deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations, or modifications to DNA or RNA, and single nucleotide polymorphisms (SNPs).
The genetic data also includes the uninterpreted data that results from the analysis of the biological sample and any information extrapolated, derived, or inferred therefrom; but does not include the following:
Deidentified data means data that cannot be used to infer information about, or otherwise be linked to, a particular individual, provided that the direct-to-consumer genetic testing company:
Express consent means a consumer's affirmative authorization to grant permission in response to a clear, meaningful, and prominent notice regarding the collection, use, maintenance, or disclosure of genetic data for a specific purpose.
Genetic testing means any laboratory test of a biological sample from a consumer for the purpose of determining information concerning genetic material contained within the biological sample, or any information extrapolated, derived, or inferred therefrom.
A service provider means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that is involved in:
The covered entities are required to disclose to consumers the nature of the data collection, use, maintenance, or disclosure, and to obtain separate and express consent, by affirmative authorization from the consumer, for each of the following:
A covered entity must honor a consumer's revocation of express consent to store their biological sample as soon as practicable, and in all cases within 30 days, and must destroy the consumer's biological sample within 30 days of receiving the revocation notice.
The covered entities must provide consumers with a privacy notice containing the following information:
The law mandates that the privacy notice shall be in simple language, delivered to consumers along with any genetic testing product provided to consumers, and posted in a form that is readily accessible to the public on any website maintained by the covered entity.
The law requires the covered entities to implement and maintain reasonable security procedures and practices to protect consumers' genetic data against unauthorized access, destruction, use, modification, or disclosure.
The covered entities must develop and implement procedures and practices that make it simple for consumers to exercise their legal rights, such as the right to access, the right to delete, and the right to revoke their consent.
The law requires the covered entities to use express contractual provisions that prohibit the service providers from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the consumer’s identity, including whether the consumer has requested or received genetic testing, as applicable, for any reason other than to perform the services specified in the contract with the covered entity.
The law bars the covered entities from discriminating against a consumer, on the ground that the consumer exercised any of his or her rights under the law, with regard to the following:
Without the consumer's express consent, the covered entities are barred from disclosing consumers' genetic information to organizations charged with managing or making decisions relating to health insurance, life insurance, long-term care insurance, disability insurance, or employment.
Consumers have a right to access their genetic data collected and maintained by a covered entity.
The consumers have a right to delete their genetic data maintained by a covered entity, except the data to be retained in compliance with the applicable laws.
The consumers have a right to revoke their express consent for storing their biological sample and request the destruction of such biological sample.
The Attorney General has exclusive authority to enforce the law, including the power to issue civil investigative demands and to bring civil actions against those who violate it.
Violations of the law are subject to the following civil penalties:
The law does not affect the covered entities' duties, obligations, requirements, or standards under any other applicable state or federal law for the protection of privacy and security. Where its provisions conflict with another law, the provisions that afford the greatest protection for consumers' right of privacy prevail.
Organizations can operationalize Virginia’s Genetic Data Privacy Law by:
Securiti’s Unified Data Controls framework enables organizations to comply with Virginia’s Genetic Data Privacy Law – Senate Bill 1087 by securing the organization’s data, enabling it to maximize data value, and fulfilling its obligations around data security, data privacy, data governance, and compliance.
It delivers unified intelligence and controls for data across public clouds, data clouds, and SaaS, helping organizations overcome the challenges of hyperscale data environments and comply swiftly with privacy, security, governance, and compliance requirements.
Senate Bill 1087 is a genetic data privacy law that applies to businesses that provide customer-initiated genetic testing products and services.
Yes, Virginia has enacted privacy laws, including the Virginia Consumer Data Protection Act (VCDPA), which regulates the processing of personal data of Virginia residents.
Virginia's privacy laws, such as the VCDPA, apply to businesses that process the personal data of Virginia residents and meet certain threshold requirements.
The Virginia Consumer Data Protection Act (VCDPA) includes certain exemptions, such as covered entities and business associates that handle protected health information collected, maintained, used, or disclosed in accordance with HIPAA and the HITECH Act, and scientific research or educational activities conducted by a public or private nonprofit institution of higher education, among others.