Bill Text: VA SB1087 | 2023 | Regular Session | Engrossed
Bill Title: Genetic data privacy; civil penalty.
Spectrum: Partisan Bill (Democrat 1-0)
Status: (Passed) 2023-03-26 - Governor: Acts of Assembly Chapter text (CHAP0526) [SB1087 Detail]
Download: Virginia-2023-SB1087-Engrossed.html
Be it enacted by the General Assembly of Virginia:
1. That the Code of Virginia is amended by adding in Title 59.1 a chapter numbered 56, consisting of sections numbered 59.1-593 through 59.1-602, as follows:
§59.1-593. Definitions.
As used in this chapter, unless the context requires a different meaning:
"Affirmative authorization" means an action that demonstrates an intentional decision by a consumer.
"Biological sample" means any material part of the human, discharge therefrom, or derivative thereof, such as tissue, blood, urine, or saliva, known to contain deoxyribonucleic acid (DNA).
"Consumer" means a natural person who is a resident of the Commonwealth.
"Deidentified data" means data that cannot be used to infer information about, or otherwise be linked to, a particular individual, provided that the direct-to-consumer genetic testing company (i) takes reasonable measures to ensure that such information cannot be associated with a consumer or household; (ii) publicly commits to maintain and use such information only in deidentified form and not to attempt to reidentify the information, except that the direct-to-consumer genetic testing company may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this clause, provided that the direct-to-consumer genetic testing company does not use or disclose any information reidentified in this process and destroys the reidentified information upon completion of that assessment; and (iii) contractually obligates any recipients of the information to take reasonable measures to ensure that the information cannot be associated with a consumer or household and to commit to maintaining and using the information only in deidentified form and not to reidentify the information.
"Direct-to-consumer genetic testing company" means an entity that (i) offers consumer-initiated genetic testing products or services directly to a consumer or (ii) collects, uses, or analyzes genetic data that is collected or derived from a direct-to-consumer genetic testing product or service and is directly provided by a consumer. "Direct-to-consumer genetic testing company" does not include an entity when such entity is only engaged in collecting, using, or analyzing genetic data or biological samples in the context of research conducted in accordance with the (a) federal Common Rule, 45 C.F.R. Part 46; (b) International Conference on Harmonization Good Clinical Practice Guideline; or (c) U.S. Food and Drug Administration Policy for the Protection of Human Subjects, 21 C.F.R. Parts 50 and 56.
"Express consent" means a consumer's affirmative authorization to grant permission in response to a clear, meaningful, and prominent notice regarding the collection, use, maintenance, or disclosure of genetic data for a specific purpose.
"Genetic data" means any data, regardless of its format, that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations, or modifications to DNA or RNA, and single nucleotide polymorphisms (SNPs). "Genetic data" includes uninterpreted data that results from the analysis of the biological sample and any information extrapolated, derived, or inferred therefrom. "Genetic data" does not include (i) deidentified data or (ii) data or a biological sample to the extent that data or a biological sample is collected, used, maintained, and disclosed exclusively for scientific research conducted by an investigator with an institution that holds an assurance with the U.S. Department of Health and Human Services pursuant to 45 C.F.R. Part 46, in compliance with all applicable federal and state laws and regulations for the protection of human subjects in research, including the Common Rule pursuant to 45 C.F.R. Part 46, U.S. Food and Drug Administration regulations pursuant to 21 C.F.R. Parts 50 and 56, and the federal Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
"Genetic testing" means any laboratory test of a biological sample from a consumer for the purpose of determining information concerning genetic material contained within the biological sample, or any information extrapolated, derived, or inferred therefrom.
"Service provider" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that is involved in (i) the collection, transportation, and analysis of the consumer's biological sample or extracted genetic material (a) on behalf of the direct-to-consumer genetic testing company or (b) on behalf of any other company that collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service or directly provided by a consumer or (ii) the delivery of the results of the analysis of the biological sample or genetic material.
§59.1-594. Exclusions.
This chapter shall not apply to any of the following:
1. Protected health information that is collected, maintained, used, or disclosed by a covered entity or business associate governed by the privacy, security, and data breach notification rules issued by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009, P.L. 111-5;
2. A covered entity governed by the privacy, security, and data breach notification rules issued by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164, established pursuant to the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009, P.L. 111-5, to the extent that the covered entity maintains, uses, and discloses genetic data in the same manner as protected health information, as described in subdivision 1;
3. A business associate of a covered entity governed by the privacy, security, and data breach notification rules issued by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, and the federal Health Information Technology for Economic and Clinical Health Act, Title XIII of the federal American Recovery and Reinvestment Act of 2009, P.L. 111-5, to the extent that the business associate maintains, uses, and discloses genetic data in the same manner as protected health information, as described in subdivision 1;
4. Scientific research or educational activities conducted by a public or private nonprofit institution of higher education that holds an assurance with the U.S. Department of Health and Human Services pursuant to 45 C.F.R. Part 46, to the extent that such scientific research and educational activities comply with all applicable federal and state laws and regulations for the protection of human subjects in research, including the Common Rule pursuant to 45 C.F.R. Part 46, U.S. Food and Drug Administration regulations pursuant to 21 C.F.R. Parts 50 and 56, and the federal Family Educational Rights and Privacy Act, 20 U.S.C. §1232g;
5. The newborn screening program established pursuant to Article 7 (§32.1-65 et seq.) of Chapter 2 of Title 32.1;
6. Tests conducted exclusively to diagnose whether an individual has a specific disease, to the extent that all persons involved in the conduct of the test maintain, use, and disclose genetic data in the same manner as protected health information, as described in subdivision 1; or
7. Genetic data used or maintained by an employer, or disclosed by an employee to an employer, to the extent that the use, maintenance, or disclosure of such data is necessary to comply with a local, state, or federal workplace health and safety ordinance, law, or regulation.
§59.1-595. Information to be made available to consumers.
A. Every direct-to-consumer genetic testing company shall provide to consumers:
1. A summary of the company's (i) policies and procedures related to the collection, use, maintenance, retention, disclosure, transfer, deletion, and security of and access to genetic data and (ii) privacy practices;
2. Information regarding the requirement for express consent for the collection, use, and disclosure of genetic data and the process for revoking express consent pursuant to §59.1-596;
3. Notice that a consumer's deidentified genetic or phenotypic data may be shared with or disclosed to third parties for research purposes in accordance with 45 C.F.R. Part 46; and
4. Information about the process by which a consumer may file a complaint alleging a violation of this chapter.
B. Information required to be made available pursuant to subsection A shall be written in plain language and shall be provided to consumers together with any genetic testing product provided to consumers. Such information shall also be included on any website maintained by the direct-to-consumer genetic testing company in a manner that is easily accessible by the public.
§59.1-596. Express consent required; revocation of express consent.
A. Express consent required pursuant to this chapter
requires a statement of the nature of the data collection, use, maintenance, or
disclosure for which express consent is sought in plain and prominent language
that an ordinary consumer would notice and understand and an affirmative
authorization by the consumer granting permission in response to such
statement. Express consent shall not be inferred from inaction.
B. Every direct-to-consumer genetic testing company shall obtain a consumer's express consent for the collection, use, and disclosure of the consumer's genetic data, including, at a minimum, separate and express consent for each of the following:
1. The use of genetic data collected through the genetic testing product or service offered to the consumer. Express consent for such use of genetic data shall include a statement describing who will receive access to the genetic data, how such genetic data will be shared, and the purposes for which such data shall be collected, used, and disclosed;
2. The storage of a consumer's biological sample after the initial testing required by the consumer has been completed;
3. Each use of genetic data or the biological sample beyond the primary purpose of the genetic testing or service and inherent contextual uses;
4. Each transfer or disclosure of the consumer's genetic data or biological sample to a third party other than a service provider, including the name of the third party to which the consumer's genetic data or biological sample will be transferred or disclosed; and
5. Any marketing or facilitation of marketing to a consumer based on the consumer's genetic data or marketing or facilitation of marketing by a third party based on the consumer's having ordered, purchased, received, or used a genetic testing product or service, except that a direct-to-consumer genetic testing company shall not be required to obtain a consumer's express consent to marketing to the consumer on the company's own website or mobile application based on the consumer having ordered, purchased, received, or used a genetic testing product or service from that company if (i) the advertisement does not depend on any information specific to that consumer other than information regarding the product or service that the consumer ordered, purchased, received, or used; (ii) the placement of the advertisement does not result in disparate exposure to advertising content on the basis of the sex, race, color, religion, ancestry, national origin, disability, medical condition, genetic data, marital status, sexual orientation, citizenship, primary language, or immigration status of the consumer; and (iii) the advertisement of a third-party product or service is clearly labeled as advertising content, is accompanied by the name of the third party that has contributed to the placement of the advertisement, and, if applicable, indicates that the advertised product or service and claims regarding the product or service have not been vetted or endorsed by the direct-to-consumer genetic testing company.
C. Every direct-to-consumer genetic testing company shall provide a mechanism by which a consumer may revoke express consent required pursuant to subsection B, which shall include an option for revocation of express consent through the primary medium through which the company communicates with consumers.
D. Revocation of express consent by a consumer shall comply with the requirements of 45 C.F.R. Part 46. Upon revocation of express consent required pursuant to subsection B by a consumer, a direct-to-consumer genetic testing company shall (i) honor such revocation of express consent as soon as is practicable but in all cases within 30 days of receipt of such revocation and (ii) destroy the consumer's biological sample within 30 days of receipt of revocation of the consumer's express consent to store such sample.
§59.1-597. Other requirements applicable to direct-to-consumer genetic testing companies.
Every direct-to-consumer genetic testing company shall:
1. Implement and maintain reasonable security procedures and practices to protect a consumer's genetic data against unauthorized access, destruction, use, modification, or disclosure; and
2. Develop procedures and practices to allow a consumer to easily (i) access the consumer's genetic data; (ii) delete the consumer's genetic data, except any data required by state or federal law to be retained by the direct-to-consumer genetic testing company and any account the consumer may have created with the direct-to-consumer genetic testing company; and (iii) revoke express consent to storage of the consumer's biological sample and request destruction of such biological sample.
§59.1-598. Contracts with service providers.
A. Every direct-to-consumer genetic testing company that enters into a contract with a service provider shall prohibit the service provider from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether the consumer has solicited or received genetic testing, as applicable, for any purpose other than for the specific purpose of performing the services specified in the contract with the service provider for the business.
B. Every contract between a direct-to-consumer genetic testing company and a service provider shall include:
1. A provision prohibiting the service provider from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether the consumer has solicited or received genetic testing, as applicable, for a commercial purpose other than providing the services specified in the contract with the service provider with the business; and
2. A provision prohibiting the service provider from associating or combining the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether the consumer has solicited or received genetic testing, as applicable, with information the service provider has received from or on behalf of another person or has collected from its own interaction with consumers or as required by law.
§59.1-599. Certain disclosures of genetic data prohibited.
[ A. Except as provided in subsection B, no No
] direct-to-consumer genetic testing company shall disclose a consumer's
genetic data to any entity that is responsible for administering or making
decisions regarding health insurance, life insurance, long-term care insurance,
disability insurance, or employment or any entity that provides advice to such
an entity [ without the consumer's express consent ] .
[ B. A direct-to-consumer genetic testing company may
disclose a consumer's genetic data or biological sample to an entity described
in subsection A if:
1. The entity is not primarily engaged in administering
or making decisions regarding health insurance, life insurance, long-term care
insurance, disability insurance, or employment;
2. The consumer's genetic data or biological sample is
not disclosed to the entity in that entity's capacity as a party that is
responsible for administering or advising or making decisions regarding health
insurance, life insurance, long-term care insurance, disability insurance, or
employment; and
3. Any agent or division of the entity that is involved
in administering or advising or making decisions regarding health insurance,
life insurance, long-term care insurance, disability insurance, or employment
is prohibited from accessing the consumer's genetic data or biological sample.
]
§59.1-600. Discrimination prohibited.
No person or public entity shall discriminate against a consumer on the grounds that the consumer has exercised any of the rights granted by this chapter with regard to:
1. Providing or denying any good, service, or benefit to the consumer;
2. Charging any different price or rate for any good or service provided to the consumer, including through the use of discounts or other incentives or imposition of penalties;
3. Providing a different level or quality of goods, services, or benefits to the consumer;
4. Suggesting that the consumer will receive a different price or rate for goods, services, or benefits or a different level or quality of goods, services, or benefits; or
5. Considering the consumer's exercise of rights pursuant to this chapter as a basis or suspicion of criminal wrongdoing or unlawful conduct.
§59.1-601. Enforcement; civil penalty.
A. The Attorney General shall have exclusive authority to enforce the provisions of this chapter.
B. Any person who negligently violates the provisions of this chapter shall be subject to a civil penalty in an amount not to exceed $1,000 plus court costs, as determined by the court. Any person who willfully violates the provisions of this chapter shall be subject to a civil penalty in an amount not less than $1,000 and not more than $10,000 plus court costs, as determined by the court. Such civil penalties shall be paid into the Literary Fund.
C. Each violation of this chapter shall constitute a separate violation and shall be subject to any civil penalties imposed under this subsection.
§59.1-602. Limitations.
A. The provisions of this chapter shall not reduce a direct-to-consumer genetic testing company's duties, obligations, requirements, or standards under any applicable state and federal laws for the protection of privacy and security.
B. In the event of a conflict between the provisions of this chapter and any other provision of law, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.
C. Nothing in this chapter shall be construed to affect access to information made available to the public by the consumer.