Earlier this month, the California Senate took up consideration of SB 980, the Genetic Information Privacy Act (“GIPA”), which “would prohibit a direct-to-consumer genetic testing services company from disclosing a person’s genetic information to a third party without obtaining the person’s prior written consent.” As the bill itself acknowledges, the California Consumer Privacy Act of 2018 (the “CCPA”) already regulates the processing of biometric information, including DNA. Other laws such as the federal Genetic Information Nondiscrimination Act of 2008 (“GINA”) and its California counterpart (“CalGINA”) prohibit genetic discrimination. However, there are four key differences in how the GIPA would treat genetic information as compared to the CCPA: (1) the GIPA would create a requirement to obtain written opt-in consent for any disclosure of genetic information to a third party; (2) limit the use of genetic information to the purpose specifically authorized by the individual to whom it pertains; (3) require destruction of the information as soon as this purpose is achieved; and (4) depending on the circumstances, impose criminal as well as civil liability for violations.
In contrast to the broad scope of the CCPA, the GIPA would apply only to genetic information. “Genetic information” is defined by the Bill to include not only an individual’s genetic test results, but also those of the individual’s family members, genetic disease information, and the fact of participation in genetic testing or research. Before genetic information could be disclosed to a third party—whether or not that disclosure would constitute a “sale” under the CCPA—the company would have to obtain written consent from the individual. To obtain that consent, the testing company must disclose the nature of the genetic information involved, the purpose for which it is being disclosed, whether the genetic information will be stored, and if so, how. There is no deadline for an individual to return a signed authorization to the genetic testing company—instead, since the GIPA would create an opt-in regime, failure to sign or return the form would be treated as non-consent.
A separate authorization is required for each disclosure, and genetic information could only be used for the specific purpose authorized by the individual to whom it pertains. Additionally, once this purpose is fulfilled, DNA samples and the genetic information obtained from them must be destroyed.
Finally, the GIPA would impose civil and criminal penalties of varying amounts depending on whether the violation is willful or negligent, and whether it harms an individual. The GIPA also allows the recovery by individual plaintiffs of “all actual damages, including damages for economic, bodily, or emotional harm which is proximately caused” by an unauthorized disclosure. The penalties break-down as follows:
- A civil penalty of up to $1,000 for negligent violations;
- A civil penalty between $1,000 and $5,000 for willful violations;
- A criminal fine of up to $10,000 for willful or negligent violations resulting in economic, bodily, or emotional harm. Violations of this type would be classified as misdemeanors.
The penalties are cumulative based on each unauthorized disclosure. The GIPA provides for the payment of the civil penalties as well as court costs to the person to whom the genetic information pertains.
Especially given the significant penalties associated with the GIPA, companies involved in genetic testing should be prepared to comply with its requirements. Note that similar bills (also titled the California Genetic Information Privacy Act) failed to make their way through the California Senate in 2012 and 2014. However, with the momentum provided by passage of the CCPA, it seems the odds of the new GIPA becoming law have probably increased.