Ala. Code § 22-NEW

Current through the 2024 Regular Session.
Section 22-NEW - [Newly enacted section not yet numbered] Genetic testing companies required to protect genetic information; confidentiality; customer consent for uses of genetic information
(a)
(1) A genetic testing company shall prominently display to a consumer complete information regarding the company's policies and procedures governing the collection, use, maintenance, and disclosure of genetic data in plain language which includes all of the following:
a. A privacy policy overview that includes basic information about the company's collection, use, or disclosure of genetic data.
b. A privacy policy notice that sets forth the complete text of the company's collection, consent, use, access, disclosure, transfer, security, retention, and deletion policies or practices.
c. A clear and complete notice that the consumer's genetic data may be included in deidentified data shared or disclosed by the company to a third party for research in compliance with the U.S. Department of Health and Human Services policy for the protection of human subjects, 45 C.F.R. Part 46.
d. A clear description of how to file a complaint alleging a violation of this act.
(2) A genetic testing company shall obtain the consumer's initial express consent for all of the following:
a. Use of the biological sample and resulting genetic data to provide the product or service ordered by the consumer.
b. Identification of who may have access to the biological sample, genetic data, and test results, including a contractor, in order to fulfill the consumer's order.
c. Permission to retain the biological sample and genetic data for future testing for other products or services offered by the company.
d. Acknowledgment that the company may seek express consent in the future to transfer the biological sample or disclose the genetic data to a third party other than a contractor for a reason other than fulfillment of an order for the company's products or services.
(3) A genetic testing company shall obtain the consumer's express consent every time the company does any of the following:
a. Transferring the biological sample or disclosing the genetic data to a third party other than a contractor for a reason other than fulfillment of an order for the company's products or services.
b. Using the biological sample or genetic data for a purpose other than the company's products or services ordered by the consumer.
c. Marketing to a consumer based on the consumer's genetic data, or marketing to a consumer by a third party based on the consumer having ordered or purchased a genetic testing product or service. Marketing does not include the provision of customized content or offers on websites or through the applications or services provided by the direct-to-consumer genetic testing company with the first-party relationship to the consumer.
(4) A genetic testing company shall obtain the consumer's informed consent to transfer the biological sample or disclose the consumer's genetic data in compliance with 45 C.F.R. Part 46, in the following cases:
a. For independent research conducted by a third party.
b. For research conducted under the sponsorship of the genetic testing company for the purpose of product or service research and development, scientific publication, or promotion of the company.
(5)
a. A genetic testing company shall provide a process for the consumer to do all of the following:
1. Access the consumer's genetic data.
2. Delete the consumer's account.
3. Request the destruction of the consumer's biological sample and genetic data.
4. Revoke any express or informed consent given.
b.
1. If the consumer requests the destruction of the consumer's biological sample and genetic data, the company shall comply with the request as soon as reasonably possible, but no more than 30 days after the request is made.
2. If the consumer revokes any express or informed consent given that resulted in the transfer of the consumer's biological sample or disclosure of the consumer's genetic data to a third party, the company shall secure the return of the biological sample and the genetic data as soon as reasonably possible, but no more than 60 days after the revocation is tendered.
(b) A genetic testing company may disclose a consumer's genetic data to any law enforcement agency pursuant to a valid legal process. When a law enforcement agency requests data from a genetic testing company, the company shall not disclose the existence of the valid legal process or the fact of the company's compliance specifically to the party to whom the valid legal process pertains. Nothing in this subsection shall prevent a company from publishing a transparency report that details the number and types of law enforcement requests received and the number of times categories of information are shared, nor prevent a company from complying with other laws or policies, including a company's privacy policy.
(c) A genetic testing company may not do any of the following without a consumer's express written consent:
(1) Disclose a consumer's genetic data to any person issuing health, life, disability, or long-term care insurance.
(2) Disclose a consumer's genetic data to any employer or prospective employer of the consumer.

Ala. Code § 22-NEW (1975)

Added by Act 2024-384,§ 3, eff. 10/1/2024.