State Lawmakers Find Success with Genetic Privacy

With Americans spending so much of their time online - over 1,300 hours a year on social media alone - state lawmakers have increasingly focused on consumer data privacy in recent years. Much of their efforts have been channeled into comprehensive data privacy legislation. But they’ve actually had more success with measures specifically targeting the privacy of consumer genetic information collected by testing companies like 23andMe and Ancestry.com.

High Passage-Rate Issue in Growing Regulatory Area

In 2021, consumer data privacy legislation was introduced in 38 states, up from 30 in 2020 and 25 in 2019, according to the National Conference of State Legislatures.

Comprehensive data privacy bills - which have been coming in increasing numbers since the passage of the California Consumer Privacy Act (CCPA) in 2018 - were introduced last year in 25 states, two of which, Colorado [SB 190 (2021)] and Virginia [HB 2307 (2020)], enacted them.

NCSL defines comprehensive privacy bills as those “similar to the CCPA, i.e., broadly regulating the collection, use and disclosure of personal information and providing an express set of consumer rights with regard to collected data, such as the right to access, correct and delete personal information collected by businesses.”

Bills dealing specifically with the protection of consumer genetic information were introduced in only nine states last year. But they were enacted in seven of them, making genetic privacy bills the type of consumer data privacy legislation with the highest passage rate among the dozen categories tracked by NCSL.

One of the seven genetic privacy enactments last year was California’s Genetic Information Privacy Act (SB 41), signed by Gov. Gavin Newsom (D) in October. The law, which took effect in January, requires genetic testing companies to notify customers of their privacy policies and obtain customers’ consent before using their genetic data or sharing it with a third party.

The law also requires companies to provide an easy way for customers to opt-out of that consent authorization; prohibits companies from using deceptive practices to lure customers into providing consent, such as by employing popups; prohibits companies from disclosing customers’ data to insurers or the customers’ employers; and requires companies to provide customers a simple method of closing their accounts and having their DNA data deleted from the companies’ databases and their samples destroyed, which the companies must do within 30 days of receiving customer requests.

DNA Companies Say They Welcome Regulation

Ancestry and 23andMe welcomed the law’s passage, according to a report at the time by Wired.

“We think it’s very important for all consumers in California to be afforded the confidence that when they choose to participate in direct-to-consumer genetic testing that their data will be used and shared as they permit it,” Jacquie Cooke Haggarty, deputy general counsel, and privacy officer for 23andMe, told the publication. She also said 23andMe already provided its customers those protections.

Arizona and Utah enacted similar laws earlier in the year, HB 2069 (2021) and SB 227 (2021), respectively, addressing customer notification of privacy policies, customer consent for data use, and data deletion.

Supporters of the legislation say it’s needed because existing privacy laws don’t cover home DNA testing. The federal Health Insurance Portability and Accountability Act, better known as HIPAA, only protects genetic tests ordered by doctors, not those purchased from companies like 23andMe and Ancestry. When HIPAA was enacted in 1996, home genetic tests didn’t even exist. Now nearly 20 percent of Americans have used one, according to a national survey by Consumer Reports in 2020.

“This is really coming about because so much has changed in the marketplace and the technology,” Lee Tien, a senior staff attorney for the Electronic Frontier Foundation, a San Francisco-based nonprofit digital rights group, told Wired.

Consumer Data Privacy Legislative Trends Continue

The recent trends in consumer data privacy legislation appear to be continuing this year. Five months into 2022 at least 34 states have introduced or considered consumer data privacy bills, just four shy of the total for the entirety of 2021.

Comprehensive data privacy legislation has been considered in 25 states, matching last year’s total. Two of those states have enacted bills: Utah (SB 227) and Virginia (HB 381, HB 714/SB 534), although in the latter case the enactments were merely amendments to the comprehensive data privacy law the state passed last year [HB 2307 (2020)/SB 1392 (2020)].

The number of states that have considered genetic data privacy bills this year, at eight, lags last year’s total by just one. Three of the eight states, Kentucky (HB 502), Maryland (HB 866) and Wyoming (HB 86) have enacted measures.

All three bills require genetic testing companies to provide clear notice of their privacy policies; obtain customers’ consent before collecting, using, or disclosing their genetic data; maintain a comprehensive data security program; and allow customers to access their data and have their account and data deleted and their DNA sample destroyed.

The three bills would also prohibit testing companies from disclosing a customer’s genetic data to insurers or the customer’s employer without their consent and require a “valid legal process” for disclosing a customer’s data to law enforcement.

The Kentucky and Maryland bills go a step further. The former restricts law enforcement's use of DNA records voluntarily submitted to eliminate suspects. The latter requires testing companies to provide users “explicit notice” that the service might be used by law enforcement to investigate crimes, an acknowledgment of the fact that genealogy databases have been used in hundreds of criminal investigations, including the one that led to the identification of the Golden State Killer in 2018.

Another measure that is similar to the Kentucky, Maryland, and Wyoming bills has been passed by state lawmakers and awaits gubernatorial action in Hawaii (SB 2032), according to State Net’s legislative tracking system.

The bills actually share much of the same language because it was developed at the Council of State Governments’ Annual Meeting in September of last year and included in the organization’s annual shared state legislation volume, which is circulated among state lawmakers and staff.

Genetic privacy bills are still pending in three states. But the bills in two of those states - New Jersey AB 525 and Pennsylvania HB 2283, the latter of which includes a provision that would require testing companies to give customers 90 percent or more of the proceeds from the sale of their genetic material - haven’t moved since being introduced in January.

The third bill is pending carry over to next year’s session in Virginia (SB 419), which adjourned the first year of its two-year session cycle in March. And a genetic privacy measure has failed in Minnesota (SB 2817).

Still, genetic privacy bills have now been enacted or are near enactment in half of the states where they’ve been considered so far this year. The continuing success of such measures - and their relatively easy lift in comparison to comprehensive data privacy legislation - are likely to keep them coming as lawmakers pursue greater protection of consumers’ online privacy.

-- By KOREY CLARK

Genetic Privacy Continues to Be Active Issue in Statehouses

So far this year, at least eight states have considered legislation dealing with the privacy of consumer genetic information collected by testing companies like 23andMe and Ancestry.com, according to analysis by the National Conference of State Legislatures and State Net. Two of those states, Kentucky and Wyoming, have enacted measures. In 2021 genetic privacy bills were considered in nine states, seven of which enacted them.