GIPA: The Genetic Information Privacy Act
The Genetic Information Privacy Act (GIPA) was signed into law on October 6, 2021 by California Governor Gavin Newsom. Although it isn’t an amendment of the California Consumer Privacy Act (CCPA), it was signed alongside two amendments to the CCPA and is also focused on consumer privacy. The GIPA is more focused than the CCPA. The CCPA can be described as a comprehensive privacy law, whereas the GIPA is a law focused on maintaining the privacy of genetic information.
Under the CCPA, a business that collects a consumer’s personal information, such as biometric information, including deoxyribonucleic acid (DNA), has to inform the consumer, prior to collecting the information, that it is collecting that type of information and the purpose for which it intends to use it. The consumer also has the right to opt out of the sale of their personal information by the business to a third party.
Under other laws, a health care service plan is prohibited from disclosing the results of a test for genetic characteristics to third parties in any manner that identifies or provides identifying characteristics of the person to whom the test results apply, unless they have been authorized to do so in writing.
The GIPA will specifically regulate direct-to-consumer genetic testing companies. A direct-to-consumer genetic testing company is defined as a company that:
- Sells, markets, interprets, or otherwise offers consumer-initiated genetic testing products or services directly to consumers.
- Analyzes genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition.
- Collects, uses, maintains, or discloses genetic data that is collected or derived from a direct-to-consumer genetic testing product or service, or that is directly provided by a consumer.
The California legislature found that genomic data is highly distinguishable: a sequence of 30 to 80 single nucleotide polymorphisms could uniquely identify an individual. They also found that genomic data is highly stable, with very little, if any, change over the course of an individual’s lifetime. Putting the two together, genomic data is an identifier that sticks with someone.
Additionally, the legislature found that genomic data may contain very sensitive data, particularly as our understanding of it improves. This led the legislature to find that largely unregulated genetic testing services could potentially create unintended security and privacy consequences.
Accordingly, the GIPA requires direct-to-consumer genetic testing companies to be transparent: they must provide clear and complete information regarding the company’s policies and procedures for the collection, use, maintenance, and disclosure of genetic data. To do so, they need to have a written, plain language summary of their privacy practices regarding genetic data. They must have a prominent and accessible privacy notice that includes information about the company’s data collection, consent, use, access, disclosure, maintenance, transfer, security, and retention and deletion practices, and instructions on how to file a complaint if a consumer believes the company has violated the GIPA. The company must also provide notice that the consumer’s deidentified genetic or phenotypic information may be shared with third parties for research purposes under federal regulations.
The GIPA also requires direct-to-consumer genetic testing companies to obtain authorization. The regulated companies must obtain separate and express consent for: the primary use of the genetic data, the storage of consumers’ biological samples, uses of the genetic data other than the primary use, disclosures of the genetic data, and subsequent marketing, or facilitation of marketing, directed at the consumer based on their order, purchase, receipt, or use of a genetic testing product or service.
Such authorization must be easily revocable, and a revocation must be honored within 30 days.
As a baseline, the direct-to-consumer genetic testing companies must implement and maintain security procedures to protect consumer genetic data against unauthorized access, destruction, use, modification, or disclosure. At the same time, they need to make it easy for consumers to access their genetic data, delete their account and genetic data, and have their biological samples destroyed.
Neither persons nor public entities may discriminate against consumers who exercise any of their rights in the GIPA.
As a specific prohibition, direct-to-consumer genetic testing companies may not disclose a consumer’s genetic data to any entity that is responsible for making decisions regarding health insurance, life insurance, long-term care insurance, disability insurance, or employment or to entities that advise such companies. The only circumstance in which a direct-to-consumer genetic testing company may overcome this prohibition is if the entity is not primarily engaged in administering the listed insurances or employment AND the consumer’s genetic data is not disclosed to the entity in that entity’s capacity as a party that is responsible for such administration AND any agent of the entity that is involved in administration is prohibited from accessing the consumer’s genetic data.
Violations of the GIPA can lead to fines up to $1,000 per violation.
Willful violations of the GIPA result in fines between $1,000 and $10,000. The GIPA may be enforced by the California Attorney General, district attorneys, and in some circumstances county attorneys, city attorneys, or city prosecutors. Each violation of the GIPA counts as a separate, actionable violation.
If your organization is or may be a direct-to-consumer genetic testing company, Clarip can help. We help our clients with transparency through simplified privacy policies and layered privacy notices. We provide a consent management platform to ensure that any genetic data collected, used, maintained, or disclosed has the proper consent/authorization. We perform data risk intelligence scans to reduce the unintentional sharing of data, which is all the more important with sensitive data, such as genetic data. If you’d like more information, visit us at www.clarip.com or call us at 1-888-252-5653.