New State Laws Relating To Genetic Data, Privacy & Security

AB 825: Adds "genetic data" to UC's breach notification requirements under California law. Specifically, it amends Section 1728.29 of the Civil Code to include "genetic data" among the types of personal subject to breach notification to California residents following discovery of breach of the security of the system. "Genetic data" means "any data, regardless of its format, that results from the analysis of a biological sample of an individual, or from another source enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, DNA, RNA, genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterrupted data that results from analysis of the biological sample or other source, and any information extrapolated, derived, or inferred therefrom. It will be effective Jan. 1, 2022.

SB 41: Establishes the Genetic Information Privacy Act, which will not directly apply to UC's patient care or research enterprise. Specifically, it requires direct-to-consumer genetic testing companies to provide a consumer with certain information regarding the company's policies and procedures for the collection, use, maintenance, and disclosure of genetic data, and to obtain a consumer's express consent for collection, use, or disclosure of the consumer's genetic data. This law is also effective Jan. 1.

  • A direct-to-consumer genetic testing company is defined as an entity that: (i) sells, markets, interprets, or otherwise offers genetic testing products or services directly to California residents, where such tests are initiated by the California resident (ii) analyzes genetic data obtained from consumer, except to the extent analysis is performed by a person licensing in the healing arts for diagnosis or treatment of a medical condition; or (iii) collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by the consumer.
  • "Genetic data" has the same definition as set forth above, in AB 825, but it also expressly does not include de-identified data (also defined in the law)
The law contains exemptions that protect both UC's patient care and research functions:
  • The law does not apply to information protected by CMIA or HIPAA, nor to health care providers or business associates governed by CMIA or HIPAA,
  • The law also does not apply to "scientific research or educational activities" defined as research or activities conducted by an educational institution that holds a federal assurance under 45 CFR Part 46, to the extent the research and activities comply with the Common Rule, FDA regulations, FERPA, and the California Medical Experimentation Act.
  • While the law requires direct-to-consumer genetic testing companies to obtain a consumer's express consent for collection, use, and disclosure of the consumer's genetic data and biological samples to "third parties," third parties expressly does not include educational institutions to the extent the genetic data or biological sample is disclosed to the educational institution for "scientific research or educational research," defined above.