California has enacted the Genetic Information Privacy Act (GIPA), the nation's first privacy law specifically targeting the use of genetic information. The law targets direct-to-consumer genetic testing companies to provide—prior to collection of the sample—certain information about the types of data to be collected and how the information will be used. The law also gives consumers rights including the right to opt out of the sale of the personal information to a third party.

GIPA defines a "direct-to-consumer genetic testing company" as any entity that sells, markets, interprets, or offers consumer-initiated genetic testing products directly to consumers; an entity that analyzes genetic data obtained from a consumer unless that analysis is performed by an individual "licensed in the healing arts" and the analysis is for the diagnosis or treatment of a medical condition; and an entity that collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer. The law tailored the definition to these three categories to ensure the regulation does not impact the usual practice of medicine with genetic information. The law does not cover genetic tests that an individual may receive in a doctor's office in the normal course of medical care.

A significant provision is the ability of a consumer to revoke consent. GIPA specifies that companies must provide mechanisms "without any unnecessary steps" to allow for this revocation of consent, and that at least one of those mechanisms must be provided through the "primary medium through which the company communicates with consumers." This mimics a recent shift in regulations that companies should not be able to make opting into an agreement as easy as a simple click but make opting out so burdensome that consumers who wish to opt back out may try and fail or become confused with the process. Consumer revocation must be enacted within 30 days and, depending on the nature of the revocation, may require a company to destroy the biological sample.

The law also requires direct-to-consumer genetic testing companies to allow consumers to "easily" access the consumer's genetic data, delete the genetic data, or have the biological sample destroyed. Companies are also precluded form sharing individualized information with insurance companies and related companies. However, the restrictions in this law generally apply to "genetic data," which is not defined to include de-identified data. Accordingly, it seems that while the direct-to-consumer genetic testing companies must destroy all "genetic data" upon revocation of consent, they may be permitted to retain de-identified data.

TIP: Companies should monitor developing privacy laws, ensure accurate notice of data collection and use, and update consumer request response processes.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.