Direct-to-consumer genetic companies (“Company”) have largely remained outside the scope of state and federal laws that safeguard an individual’s genetic data. On June 17, 2023, Texas enacted a new law that obligates direct-to-consumer genetic companies to strengthen their privacy and security practices and give an individual exclusive control of their genetic data and biological samples (e.g., saliva).
House Bill 2545 (H.B. 2545), which became effective on September 1, 2023, is applicable to commercial genetic testing companies that offer genetic testing products or services directly to consumers. The applicability of the statute extends to a Company that stores, uses, and analyzes genetic data derived from a consumer’s biological samples. To provide the broadest protections, the new law contemplates two different types of data: genetic data and deidentified (genetic) data. Deidentified data means any data that is not reasonably linked to and that cannot reasonably be used to identify or infer information about a particular individual. H.B. 2545 defines “genetic data” as any data related to an individual’s genetic characteristics. Genetic data also includes raw sequence data, genotypic or phenotypic information, and health information pertaining to an individual’s health conditions that a Company uses and analyzes for research or product development. A brief summary of the protections for each type of data follows.
Deidentified Data
The new law strikes a balance between supporting ongoing research efforts with deidentified data and protecting an individual consumer’s privacy. H.B. 2545 stops short of prohibiting the storage, use, and sharing of deidentified data for research purposes. A Company that is in possession of an individual’s deidentified data must implement technical and administrative measures (e.g., encryption) to prevent the deidentified data from being linked to a particular individual. These measures would evidence a newly required public commitment to maintain and use the deidentified data in its deidentified form. If a Company shares the deidentified data with a third party, then the Company must contractually prohibit the third party from attempting to reidentify an individual using the deidentified data.
Genetic Data
Under H.B. 2545, an individual has a property right in genetic data, the results of genetic testing and analysis, and the biological samples that the individual provides to, and that are used by, the Company. An individual, therefore, retains exclusive control over the same. The individual’s property right anchors the legislation’s restrictions on a Company’s ability to use, analyze, store, and share the individual’s genetic data with third parties.
A Company subject to H.B. 2545 must fulfill certain requirements that prevent the unauthorized access, use, and disclosure of an individual’s genetic data:
- Develop, implement, and maintain a comprehensive security program to protect an individual’s genetic data.
- Make available a high-level privacy policy and a public privacy notice that provides certain information about the Company’s collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices.
- Provide certain information to an individual consumer that describes the Company’s use of genetic data, identifies who has access to test results, and specifies the Company’s processes for sharing genetic data with third parties.
- Create processes that permit an individual consumer to access the individual’s genetic data, delete the individual’s account and genetic data, and require the destruction of the individual’s genetic data.
- Meet certain consent requirements when a Company seeks to use, store, disclose, or transfer genetic data for research purposes. Companies must also obtain an individual’s consent for the Company’s or third parties’ marketing of genetic testing products and services.
Most notably, a Company is prohibited from disclosing an individual’s genetic data to law enforcement agencies or governmental bodies unless the individual has consented to the disclosure, or the Company’s disclosure is pursuant to a warrant. An individual must also provide express consent for the Company’s disclosure of the individual’s genetic data to an employer or a commercial entity that offers health insurance, long-term care insurance, or life insurance.
Penalties
A Company that is noncompliant with the requirements of H.B. 2545 risks liability for a civil penalty of up to $2,500 per violation. The Attorney General has the authority to bring an action to recover civil penalties and enjoin any Company practices that are noncompliant with the new law’s requirements.
We are available to consult with you about bringing your existing company into compliance with H.B. 2545 or ensuring that the development of a new direct-to-consumer genetic testing company meets the law’s requirements.