California Passes the Genetic Privacy Information Act

Sep 14, 2020 Published Article

With the focus of personal privacy increasing, it is unsurprising that additional laws are being proposed to increase privacy rights, including the California Privacy Rights Act initiative on the ballot this upcoming November. More immediately, the California legislature passed, and Governor Newsom is expected to sign, the Genetic Information Privacy Act ("GIPA"). GIPA specifically targets biometric information, due to the increase of genetic tracing services, like 23andMe and Ancestry.com. This law pertains to adding more protections to genetic privacy.  Many questions arise following the passage of GIPA, such as what businesses are affected? What, if any, penalties or causes of action exist under this new law?  How does this law work alongside the CCPA?

WHAT IS IN THE LAW?

The law requires notices and actual, express consent from consumers for direct-to-consumer genetic testing companies, and any other company that collects, uses, maintains, or discloses information collected from biometric samples, or from any other element concerning genetic material (i.e. genes).  Regarding the express consent provision in particular, this requires that consent is provided for: (1) the use of data through the genetic testing product being provided, for those specific purposes; (2) the storage of the consumer's biometric sample after testing is complete; (3) each use of the genetic data or sample beyond what was originally intended; (4) each transfer or disclosure to a third party other than service providers, including that third party's name; and (5) any marketing based on the genetic data.  In essence, unless a consumer explicitly opts in, these companies cannot store, use, or market based on the genetic information.

WHAT ARE THE PENALTIES?

The penalties for not following GIPA are akin to those for the CCPA, with a $1,000 fine, plus court costs for negligent violations, and $10,000 for willful violations.  Furthermore, unlike the CCPA, this law does include a private right of action, as it allows a person who has suffered injury in fact, or has lost money or property, as a result of a violation.  In essence, this increases the damages for a company which fails to reasonably secure genetic information from data breaches, though plaintiffs may have difficulty showing that money or property was lost due to the exposure of their genetic information, unlike the CCPA, which implements statutory damages just for the breach occurring.

HOW DOES THIS INTERACT WITH THE CCPA?

Regarding the CCPA, both laws will be in effect, and these companies would be obliged to provide additional notices in addition to those required under the CCPA.  Furthermore, they both would protect the same information, as the CCPA does protect biometric data, which would largely overlap with the protections of the genetic information under GIPA.  GIPA and the CCPA also both require that reasonable security is utilized to protect the consumer's genetic information.  However, GIPA also goes further, in requiring that reasonable security is taken to prevent unauthorized destruction as well.  Furthermore, it is noteworthy that GIPA relies on the same "reasonable security" language as the CCPA.

Ultimately, GIPA places stricter requirements on genetic testing companies, such that they will have to be more transparent with consumers, and it may serve as a model for future changes to the CCPA.  For instance, GIPA will require more click-wrap agreements and additional changes to items like Terms of Use agreements, to ensure that users agree to each use of the genetic data.

WHAT SHOULD A BUSINESS DO?

For businesses subject to GIPA, reviewing, adjusting and implementing additional consent measures to a website should be paramount, as well as reviewing and updating the privacy policy once more in order to make sure that all notices are present.  Furthermore, reviewing current security measures and processes is equally important, due to the more stringent requirements on the restrictions against unauthorized destruction of information.

Ultimately, the biggest change to genetic testing companies under GIPA may be an increased reliance on consumer accounts permitting consumers to login, see, and manage their data in order to give the individualized consents, an increased reliance on click-wrap agreements requiring that consumers scroll through, read, and accept actions by the company before the company takes them, or a combination of the two.

For other businesses, GIPA provides an opportunity to implement and utilize stricter privacy guidelines, and implement them as a potential benefit to consumers, as GIPA requirements largely surpass those under the CCPA.

HOW NEWMEYER DILLION CAN HELP

Newmeyer Dillion can provide advice on existing CCPA compliance policies, help implement new cybersecurity policies to comply with GIPA, and provide updates to CCPA required notices and privacy policies.  California has a history of being at the forefront of policy developments that expand internally and spread to other states, therefore, GIPA may serve as a template for similar laws in other states, or adjustments to the CCPA.