
SB-980 Privacy: DNA testing companies.(2019-2020)

Date Published: 03/17/2020 09:00 PM

Amended in Senate March 17, 2020

CALIFORNIA LEGISLATURE— 2019–2020 REGULAR SESSION

Senate Bill
No. 980


Introduced by Senator Umberg
(Coauthor: Senator Allen)

February 11, 2020


An act to add Chapter 2.6 (commencing with Section 56.18) to Part 2.6 of Division 1 of the Civil Code, relating to privacy.


LEGISLATIVE COUNSEL'S DIGEST


SB 980, as amended, Umberg. Privacy: DNA testing companies.
Existing law, the California Consumer Privacy Act of 2018, provides various protections to a consumer with respect to a business that collects the consumer’s personal information, including biometric information such as the consumer’s deoxyribonucleic acid (DNA). The act requires a business that collects a consumer’s personal information to, at or before the point of collection, inform the consumer as to the categories of personal information to be collected and the purposes for which the information will be used, and grants to a consumer the right to opt-out of the sale of the consumer’s personal information by the business to a third party.
Existing law also prohibits the disclosure by a health care service plan of the results of a test for a genetic characteristic to a third party in a manner that identifies or provides identifying characteristics of the person to whom the tests results apply, except pursuant to a written authorization.
This bill would establish the Genetic Information Privacy Act, which would prohibit a direct-to-consumer genetic testing services company from disclosing a person’s genetic information to a third party without obtaining the person’s prior written consent, as specified. The bill would impose civil and criminal penalties for a violation of those provisions, as specified.
This bill would also require a direct-to-consumer genetic testing services company to verify genetic data files that are downloaded from its databases before they are transferred or uploaded to another direct-to-consumer genetic testing services company’s database and impose upon a direct-to-consumer genetic testing services company that violates this provision, or that knowingly receives or downloads to its databases a genetic testing file that has not been verified, a fine not to exceed $10,000, imprisonment in a county jail for a period not exceeding 6 months, or by both that fine and imprisonment. By creating new crimes, the bill would impose a state-mandated local program.
The California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
This bill would provide that no reimbursement is required by this act for a specified reason.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: YES  

The people of the State of California do enact as follows:


SECTION 1.

 Chapter 2.6 (commencing with Section 56.18) is added to Part 2.6 of Division 1 of the Civil Code, to read:
CHAPTER 2.6. Genetic Privacy

56.18.
 The Legislature finds and declares all of the following:
(a) Direct-to-consumer genetic testing services are largely unregulated and could expose personal and genetic information, and potentially create unintended security consequences and increased risk.
(b) There is growing concern in the scientific community that outside parties are exploiting the use of genetic data for questionable purposes, including mass surveillance and the ability to track individuals without their authorization.
(c) Genomic data is highly distinguishable. There is a confirmation that a sequence of 30 to 80 single nucleotide polymorphisms could uniquely identify an individual. Genomic data is also very stable. It undergoes little change over the lifetime of an individual and thus has a long-lived value, as opposed to other biometric data such as blood tests, which have expiry dates.
(d) The potential information hidden within genomic data is cause for significant concern. As our knowledge in genomics evolves, so will our view on the sensitivity of genomic data.

56.19.
 (a) This chapter shall be known, and may be cited, as the Genetic Information Privacy Act.
(b) For purposes of this chapter, the following definitions apply:
(1) “Anonymized” means data from which an individual’s identifying information has been removed.
(2) “Deidentified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, if a business that uses deidentified information complies with all of the following:
(A) Implements technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
(B) Implements business processes that specifically prohibit reidentification of the information.
(C) Implements business processes to prevent inadvertent release of deidentified information.
(D) Makes no attempt to reidentify the information.

(3) “DNA sample” means any human biological specimen that is obtained or retained for the purpose of extracting and analyzing deoxyribonucleic acid (DNA) to perform a genetic test.

(4) “Genetic characteristic” includes a gene, chromosome, or alteration thereof that may be tested to determine the existence or risk of a disease, disorder, trait, propensity, or syndrome, or to identify an individual or a blood relative.
(5) “Genetic data” means any data that, regardless of its format, concerns information about an individual’s inherited or acquired genetic characteristics that also includes an individual’s raw data, a report of analyzed data, and self-reported health data.
(6) “Genetic data file” means a file that contains raw genetic data results.

(7) “Genetic information” means, with respect to an individual, information obtained from the genetic tests of the individual, the genetic tests of the individual’s family members, and the manifestation of a disease or disorder in family members of the individual. The term includes a request for, or receipt of, genetic services, or participation in clinical research that includes genetic services, by the individual or a family member of the individual. Genetic information includes a DNA sample.

(8) “Genetic service” means a genetic test, genetic education, or genetic counseling, including obtaining, interpreting, or assessing genetic information.

(9) “Genetic test” means a test for determining the presence or absence of genetic characteristics in an individual or the individual’s blood relatives, including tests of nucleic acids such as DNA, ribonucleic acid (RNA), and mitochondrial DNA, chromosomes, or proteins in order to diagnose or determine a genetic characteristic.

(10) “Person” means an individual, partnership, corporation, association, business, business trust, or legal representative of an organization.
(11) (A) “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, any of the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:
(i) Identifiers, including, but not limited to, a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
(ii) Any categories of personal information described in subdivision (e) of Section 1798.80.
(iii) Characteristics of protected classifications under California or federal law.
(iv) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(v) Biometric information.
(vi) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
(vii) Geolocation data.
(viii) Audio, electronic, visual, thermal, olfactory, or similar information.
(ix) Professional or employment-related information.
(x) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g).
(xi) Inferences drawn from any of the information identified in this subparagraph to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
(B) “Personal information” does not include publicly available information. For purposes of this paragraph, “publicly available” means information that is lawfully made available from federal, state, or local government records. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge.
(C) “Personal information” does not include consumer information that is deidentified or aggregate consumer information.

56.20.
 (a) A direct-to-consumer genetic testing services company, or contractor or other service provider, that obtains a DNA sample of an individual shall not disclose any of the individual’s genetic information, whether or not it is deidentified, to a third party without obtaining the prior written consent of the individual. A separate written authorization is required for each separate disclosure of an individual’s genetic information.
(b) Any person who negligently violates subdivision (a) shall be assessed a civil penalty in an amount not to exceed one thousand dollars ($1,000) plus court costs, as determined by the court, which penalty and costs shall be paid to the individual to whom the genetic information pertains.
(c) Any person who willfully violates subdivision (a) shall be assessed a civil penalty in an amount not less than one thousand dollars ($1,000) and not more than five thousand dollars ($5,000) plus court costs, as determined by the court, which penalty and costs shall be paid to the individual to whom the genetic information pertains.
(d) Any person who willfully or negligently violates subdivision (a) and the violation results in economic, bodily, or emotional harm to the individual to whom the genetic information pertains is guilty of a misdemeanor punishable by a fine not to exceed ten thousand dollars ($10,000), imprisonment in a county jail for a period not exceeding six months, or by both that fine and imprisonment.
(e) Actions for relief pursuant to this chapter shall be prosecuted exclusively in a court of competent jurisdiction by the Attorney General or a district attorney or by a county counsel authorized by agreement with the district attorney in actions involving violation of a county ordinance, or by a city attorney of a city having a population in excess of 750,000, or by a city attorney in a city and county or, with the consent of the district attorney, by a city prosecutor in a city having a full-time city prosecutor in the name of the people of the State of California upon their own complaint or upon the complaint of a board, officer, person, corporation, or association, or by a person who has suffered injury in fact and has lost money or property as a result of the violation of this chapter.

(f) Each violation of this section is a separate and actionable offense.
(g) A direct-to-consumer genetic testing services company that provides a person genetic test results shall also, at the same time, provide the person with a written or electronic form with which the person can opt out of any further use of their genetic information for any purpose.

(h) (1) The written authorization required by this section shall satisfy all of the following requirements:
(A) The written authorization shall be written in plain language and be in a typeface no smaller than 14-point type.
(B) The written authorization shall be dated and signed by the individual to whom the information pertains or a person authorized to act on behalf of the individual.
(C) The written authorization shall be a separate document, not attached to any other document, and shall not be more than one page.
(2) Any person who obtains, analyzes, retains, or discloses the genetic information of an individual shall use the following written form, to the extent that the form is applicable to the services it provides, to obtain the authorization of the individual to whom the information pertains as required by subdivision (a) so that the individual may make a decision and provide direction regarding the use of their genetic information:

Important Privacy Choices
You have the right to control the use of your genetic information that you give to us. Please read the following information carefully before you make your choices below.

Important Information Regarding Your Genetic Information:
• The following types of people are authorized to obtain, analyze,
retain, or disclose your genetic information:_____________
• The following is the nature of the genetic information that you
are authorizing to be obtained, analyzed, retained, or disclosed:
___________________________________
• The following is the name of the person(s) authorized to obtain,
analyze, retain, or disclose your genetic information and their
function:____________________
• Your genetic information is being collected for the following
purpose:___________________________________
 Unless you say otherwise as indicated below, your genetic
information may not be used for any other purpose.
• This authorization shall remain valid for as long as it takes to
carry out the purpose indicated above.
• The genetic information you give us will remain (____) identifiable or (____)
will be made nonidentifiable.
• If we retain your genetic information, the following is the
manner in which it will be stored:______________________

Your Rights Regarding Your Genetic Information:
• You have the right to limit the purposes for which your genetic
information is used.
• Once we fulfill the purpose(s) you have authorized in this form,
we are required by law to destroy the genetic information and
sample that you provide us.
• You are permitted to limit access to your genetic information
to a certain person or persons.
• The chance that deidentified genetic data can be reidentified is very high.
• You are permitted to revoke this authorization at any time.
• You have a right to a copy of this authorization.

Your Choices Regarding Your Genetic Information:
(_) I authorize my deidentified genetic information to be used for research purposes.
(_) I authorize my deidentified genetic information to be used for commercial purposes.
(_) In addition to the purpose noted above, I authorize my
genetic information to be used for research purposes.
(_) In addition to the purpose noted above, I authorize my
genetic information to be used for commercial purposes.
(_) I would like to limit the purpose for which my genetic
information is authorized to be used in the following
way:___________
(_) I would like to limit access to my genetic information to the following person
or persons:_______________________
(_) I would like to receive a copy of this authorization.
(_) I would like to revoke this authorization.

(i) Any person who obtains, analyzes, retains, or discloses the genetic information of an individual shall comply with all of the following:
(1) The person shall not obtain, analyze, retain, or disclose the genetic information for any purpose other than the purpose authorized by the individual to whom the information pertains.
(2) Once the specific purpose authorized by the individual to whom the genetic information pertains has been fulfilled, the individual’s genetic information and DNA sample shall be destroyed.
(3) The person shall permit an individual to limit access to their genetic information to a certain person or persons.
(4) The person shall permit an individual to revoke an authorization signed pursuant to subdivision (g) at any time.
(5) The person shall provide an individual who has signed an authorization pursuant to subdivision (g) with a copy of that authorization upon request.

56.21.
 (a) A direct-to-consumer genetic testing services company shall verify genetic data files that are downloaded from its databases before they are transferred or uploaded to another direct-to-consumer genetic testing services company’s database.
(b) A direct-to-consumer genetic testing services company that violates subdivision (a), and a direct-to-consumer genetic testing services company that knowingly receives or downloads to its databases a genetic testing file that violates subdivision (a), is guilty of a misdemeanor punishable by a fine not to exceed ten thousand dollars ($10,000), imprisonment in a county jail for a period not exceeding six months, or by both that fine and imprisonment.

56.22.
 The disclosure of genetic information pursuant to this chapter shall comply with all state and federal laws for the protection of privacy and security. This chapter shall not apply to protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services (Parts 160 and 164 of Title 45 of the Code of Federal Regulations) established pursuant to the federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the federal Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).

SEC. 2.

 No reimbursement is required by this act pursuant to Section 6 of Article XIII B of the California Constitution because the only costs that may be incurred by a local agency or school district will be incurred because this act creates a new crime or infraction, eliminates a crime or infraction, or changes the penalty for a crime or infraction, within the meaning of Section 17556 of the Government Code, or changes the definition of a crime within the meaning of Section 6 of Article XIII B of the California Constitution.