Current through the 2024 Legislative Session.
Section 56.181 - Duties of direct-to-consumer genetic testing company(a) To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, a direct-to-consumer genetic testing company shall do both of the following: (1) Provide clear and complete information regarding the company's policies and procedures for the collection, use, maintenance, and disclosure, as applicable, of genetic data by making available to a consumer all of the following:(A) A summary of its privacy practices, written in plain language, that includes information about the company's collection, use, maintenance, and disclosure, as applicable, of genetic data.(B) A prominent and easily accessible privacy notice that includes, at a minimum, complete information about the company's data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices, and information that clearly describes how to file a complaint alleging a violation of this chapter, pursuant to subdivision (c) of Section 56.182.(C) A notice that the consumer's deidentified genetic or phenotypic information may be shared with or disclosed to third parties for research purposes in accordance with Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations.(2) Obtain a consumer's express consent for collection, use, and disclosure of the consumer's genetic data, including, at a minimum, separate and express consent for each of the following:(A) The use of the genetic data collected through the genetic testing product or service offered to the consumer, including who has access to genetic data, and how genetic data may be shared, and the specific purposes for which it will be collected, used, and disclosed.(B) The storage of a consumer's biological sample after the initial testing requested by the consumer has been fulfilled.(C) Each use of genetic data or the biological sample beyond the primary purpose of the genetic testing or service and inherent contextual uses.(D) Each transfer or disclosure of the consumer's genetic data or biological sample to a third party other than to a service provider, including the name of the third party to which the consumer's genetic data or biological sample will be transferred or disclosed.(E)(i) The marketing or facilitation of marketing to a consumer based on the consumer's genetic data or the marketing or facilitation of marketing by a third party based upon the consumer having ordered, purchased, received, or used a genetic testing product or service.(ii) This subparagraph does not require a direct-to-consumer genetic testing company to obtain a consumer's express consent to market to the consumer on the company's own website or mobile application based upon the consumer having ordered, purchased, received, or used a genetic testing product or service from that company if the content of the advertisement does not depend upon any information specific to that consumer, except for the product or service that the consumer ordered, purchased, received, or used, and the placement of the advertisement is not intended to result in disparate exposure to advertising content on the basis of any characteristic specified in Section 51. Nothing in this subparagraph alters, limits, or negates the requirements of any other antidiscrimination law or targeted advertising law.(iii) Any advertisement of a third-party product or service presented to a consumer pursuant to either clause (i) or (ii) shall be prominently labeled as advertising content and be accompanied by the name of any third party that has contributed to the placement of the advertising. If applicable, the advertisement also shall clearly indicate that the advertised product or service, and any associated claims, have not been vetted or endorsed by the direct-to-consumer genetic testing company. (F) For the purpose of this paragraph, "third party" does not include a public or private nonprofit postsecondary educational institution to the extent that the consumer's genetic data or biological sample is disclosed to a public or private nonprofit postsecondary educational institution for the purpose of scientific research or educational activities as described in paragraph (4) of subdivision (b) of Section 56.184.(b) A company that is subject to the requirements described in paragraph (2) of subdivision (a) shall provide effective mechanisms, without any unnecessary steps, for a consumer to revoke their consent after it is given, at least one of which utilizes the primary medium through which the company communicates with consumers.(c) If a consumer revokes the consent that they provided pursuant to paragraph (2) of subdivision (a), the company shall honor the consumer's consent revocation as soon as practicable, but not later than 30 days after the individual revokes consent, in accordance with both of the following:(1) Revocation of consent under this section shall comply with Part 46 of Title 45 of the Code of Federal Regulations.(2) The company shall destroy a consumer's biological sample within 30 days of receipt of revocation of consent to store the sample.(d) The direct-to-consumer genetic testing company shall do both of the following: (1) Implement and maintain reasonable security procedures and practices to protect a consumer's genetic data against unauthorized access, destruction, use, modification, or disclosure.(2) Develop procedures and practices to enable a consumer to easily do any of the following:(A) Access the consumer's genetic data.(B) Delete the consumer's account and genetic data, except for genetic data that is required to be retained by the company to comply with applicable legal and regulatory requirements.(C) Have the consumer's biological sample destroyed.(e) A person or public entity shall not discriminate against a consumer because the consumer exercised any of the consumer's rights under this chapter by doing any of the following, including, but not limited to:(1) Denying goods, services, or benefits to the customer.(2) Charging different prices or rates for goods or services, including through the use of discounts or other incentives or imposing penalties.(3) Providing a different level or quality of goods, services, or benefits to the consumer.(4) Suggesting that the consumer will receive a different price or rate for goods, services, or benefits, or a different level or quality of goods, services, or benefits.(5) Considering the consumer's exercise of rights under this chapter as a basis for suspicion of criminal wrongdoing or unlawful conduct.(f)(1) Notwithstanding any other provision in this section, and except as provided in paragraph (2), a direct-to-consumer genetic testing company shall not disclose a consumer's genetic data to any entity that is responsible for administering or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment or to any entity that provides advice to an entity that is responsible for performing those functions.(2) A direct-to-consumer genetic testing company may disclose a consumer's genetic data or biological sample to an entity described in paragraph (1) if all of the following are true:(A) The entity is not primarily engaged in administering health insurance, life insurance, long-term care insurance, disability insurance, or employment.(B) The consumer's genetic data or biological sample is not disclosed to the entity in that entity's capacity as a party that is responsible for administering, advising, or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment.(C) Any agent or division of the entity that is involved in administering, advising, or making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment is prohibited from accessing the consumer's genetic data or biological sample.Added by Stats 2021 ch 596 (SB 41),s 2, eff. 1/1/2022.