On October 6, 2021, California Governor Gavin Newsom signed into law the Genetic Information Privacy Act (S.B. 41) (“GIPA”). The law requires direct-to-consumer genetic testing companies to obtain informed consent from consumers regarding the collection, use and disclosure of their genetic testing. It applies to any company that:
(A) Sells, markets, interprets, or otherwise offers consumer-initiated genetic testing products or services directly to consumers.
(B) Analyzes genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition.
(C) Collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer.”
Companies providing commercial genetic testing services will be required to destroy a consumers’ genetic data within 30 days of that consumer revoking consent. In addition to the law’s consent and deletion requirements, genetic testing companies will also be required to “implement and maintain reasonable security procedures and practices to protect a consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure, and develop procedures and practices to enable a consumer to access their genetic data, and to delete their account and genetic data, as specified.”
GIPA will become effective January 1, 2022. Companies that negligently violate the law may face penalties not to exceed $1,000, with willful violations between $1,000 and $10,000. As each violation of the law is actionable, companies that fail to comply may face significant penalties. The law will be enforced by the California Attorney General, a district attorney, a city counsel authorized by a district attorney, or a qualified city attorney.