California is poised to lead the way again on privacy protection if Governor Gavin Newsom signs SB 41, a bill that requires direct-to-consumer (DTC) genetic testing companies to obtain consumers’ permission before disclosing their genetic data to third parties and limits the ways this sensitive information can be used without their consent.
As Consumer Federation of America noted in the report we released last year, Marketing Direct-to-Consumer Genetic Testing: Are Consumers Getting What They Think They Are?, DTC genetic testing companies aren’t covered by privacy requirements that apply to healthcare providers, and federal law only limits access and use of individuals’ genetic information by employers and health insurers. So DTC genetic testing companies are generally free to use and share consumers’ personal information, including their genetic data, for marketing and other purposes. They may also allow law enforcement agencies to obtain consumers’ data from them without a warrant. Some DTC genetic testing companies say they won’t use or share particularly sensitive information about individuals, such as their genetic data, without their explicit consent and that they will only provide information to law enforcement in certain circumstances (see the charts in our report). But companies’ practices vary widely, and in some cases their privacy policies are so difficult to read and understand that it’s impossible to know exactly what they do with people’s data. While a few states have privacy laws, California will be the first in the nation to enact specific privacy and security requirements for DTC genetic testing companies.
The Genetic Information Privacy Act will require these companies to provide clear and complete information regarding their policies and procedures for collecting, using, maintaining and disclosing consumers’ genetic data. This includes making a summary of their privacy practices available in plain language, as well as providing the details in a prominent and easy-to-access privacy notice. If they share “deidentified” genetic data with others for certain research purposes, which is allowed without consumers’ consent, they must say so.
DTC genetic testing companies will be required to ask consumers for separate, express consent to:
- Use the genetic data collected through their testing products or services for the purposes they specified.
- Store the biological sample after the initial testing consumers requested has been done.
- Use the genetic data or the biological sample for something other than the primary purpose of the genetic testing or service.
- Transfer or disclose the genetic data or biological sample to someone else (other than to a service provider, such as an outside lab that conducts the tests), who must be identified.
- Market or help market products and services to customers based on their genetic data.
- Enable other companies to market to customers based on their having ordered, purchased, received, or used the companies’ genetic testing product or service.
Our study showed that some DTC genetic testing companies engage heavily in upselling – advertising additional products and services to existing customers. The law will allow the companies to use their websites and apps for that type of marketing without the customers’ express consent as long as it’s not based on information about them beyond the fact that they purchased or used certain products or services and doesn’t have a discriminatory effect.
In another first, the law would bar the use of “dark patterns” – user interfaces that are designed to subvert or impair consumers’ ability to make choices in their own best interests – to obtain express consent.
DTC genetic testing companies will have to clearly label the advertisements they provide on behalf of other companies as advertisements, identify those companies, and state that they haven’t checked on the validity or endorsed the claims made for those products and services, if that is the case. They will be required to keep consumers’ genetic data reasonably secure and provide simple ways for consumers to access their genetic data, request that their accounts and genetic data be deleted, and have their biological samples destroyed.
Consumers can’t be denied services, charged more or otherwise be discriminated against for exercising their rights under the law. Finally, consumers’ genetic data can’t be accessed or used for making decisions related to health insurance, life insurance, long-term care insurance, disability insurance, or employment.
While consumers won’t be able to bring their own lawsuits to enforce their rights, the state Attorney General, district attorneys, and city attorneys will have the power to seek penalties (which will go to the affected consumers) for violations as well as reimbursement for their court costs.
Last year Governor Newsom vetoed a similar bill, citing public health authorities’ concerns that the law could interfere with their ability to request samples from individuals to track diseases. That has been addressed this time by specifically excluding tests conducted exclusively to diagnose whether an individual has a specific disease, as long as those involved in conducting the tests maintain, use, and disclose genetic information in the same manner as medical information or protected health information under federal law.
Consumer Federation of America and other groups are urging Governor Newsom to sign the bill as soon as possible to protect Californians’ genetic privacy and provide a model for other states to follow.