Proposed Pa. Genetic Information Privacy Act Advances Unanimously
A Pennsylvania genetic data privacy bill could soon get a House floor vote, amid increased interest in the topic this year following the 23andMe bankruptcy. The House Consumer Protection Committee voted 26-0 on Wednesday to clear HB-1530 by Chair Danilo Burgos (D), with members from both political parties joining hands to vote yes.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
“In recent years, tens of thousands of Pennsylvanians have purchased services and provided saliva samples to genetic data companies, such as Ancestry and 23andMe, to gain insight into their family history or health,” noted Burgos in a memo about the bill earlier this year. “However, there have been several instances where certain genetic testing companies have profited off consumer’s genetic data without their consent, most commonly by marketing and selling genetic data to third parties.”
“In response to this issue and other privacy concerns, twelve states have passed legislation to codify privacy protections for consumer genetic data, and I believe we must also take similar steps to address these concerns and provide greater privacy protections for our consumers using these services,” added Burgos.
Privacy experts predicted that the 23andMe bankruptcy earlier this year would likely lead to more privacy regulation and enforcement due to significant public awareness of the event (see 2504100033). Other states that passed genetic privacy laws this year include Texas, Florida and Indiana, while Montana updated its 2023 law (see 2508080054). However, Nevada Gov. Joe Lombardo (R) in June vetoed a Democratic bill on the subject (see 2506110024)
Pennsylvania’s proposed Genetic Information Privacy Act would apply to entities that offer direct-to-consumer genetic testing and “collects, uses or analyzes genetic data provided to the entity by a consumer” through that product or service, with researchers exempted, according to bill text. The Pennsylvania attorney general would enforce the law and courts would be able to impose civil penalties of $2,500 for each violation.
Covered entities would have to provide consumers with “clear and complete information regarding the company's policies and procedures for the collection, use or disclosure of genetic data” by making available a “high-level privacy policy overview that includes basic, essential information about the company's collection, use or disclosure of genetic data,” and a “prominent, publicly available privacy notice with information about the company's data collection, consent, use, access, disclosure, transfer, security and retention and deletion practices,” the bill says.
The covered company would have to get “a consumer's consent for the collection, use or disclosure of the consumer's genetic data,” including an initial express consent describing how the data is used and separate express consents for: (1) “transferring or disclosing the consumer's genetic data to a person other than the company's vendor or service provider or for using the consumer's genetic data beyond the primary purpose of the genetic testing product or service and inherent contextual uses,” and for (2) “the retention of a biological sample provided by the consumer after completion of the initial testing service requested by the consumer.”
Additionally, the bill would require informed consent for transferring or disclosing genetic data “to a third-party person for research purposes or research conducted under the control of the company for the purpose of publication or generalizable knowledge.” And it would require express consent for marketing to a consumer based on their genetic data “or for marketing by a third-party person to the consumer based on the consumer having ordered or purchased a genetic testing product or service.”
Also, a direct-to-consumer genetic testing company may not, without written consent, disclose a consumer's genetic data to the consumer’s employer or health, life or long-term care insurance companies.
The proposed law would exempt protected health information governed by HIPAA and the Health Information Technology for Economic and Clinical Health Act, as well as “privacy, security and breach notification regulations” from the U.S. Department of Health and Human Services. Also, the bill carves out biological samples or genetic data lawfully obtained by law enforcement or which was obtained from a deceased individual for identification purposes. If enacted, HB-1530 would take effect 60 days later.