California Governor Gavin Newsom signed SB 41, Genetic Information Privacy Act, into law on Wednesday, requiring direct-to-consumer genetic testing companies to provide information and obtain consumers’ express consent regarding the collection, use, and disclosure of genetic data.
“At-home DNA tests have provided people with the ability to seek meaningful connections to long-lost family or their own cultural and religious histories. Most people have no idea that this data can then legally be shared with third parties or potentially used against them in a variety of ways,” said Senator Tom Umberg, who authored the bill. “Genetic testing companies have, to date, gone largely unregulated by either state or national governments. This has led to breaches of sensitive private biological information.”
Under the Genetic Information Privacy Act, consumers have greater control over how their DNA will be used. Consumers have the right to revoke consent in accordance with certain procedures. If a consumer revokes consent, companies, such as 23AndMe Inc. and Ancestry.com Inc., are required to destroy the consumer’s biological sample within 30 days of the revocation of consent.
Direct-to-consumer genetic testing companies must maintain security procedures to protect consumers’ genetic data from unauthorized use. The companies must also develop procedures to allow consumers to access and delete their accounts and genetic data.
Moreover, authorization forms for third-party access must be more transparent for consumers. Genetic data from ancestry websites are a tool for law enforcement, and direct-to-consumer genetic testing companies must comply with all laws for disclosing genetic data to law enforcement without a consumer’s express consent. Umber, however, explained that the new law would not affect how ancestry websites are used as a tool in law enforcement investigations. “You can’t just sell or give out material without some sort of court authorization,” Umberg stated. The new law “codifies what most of the direct-to-consumer companies were doing.”
Companies that fail to comply with the new law will face civil penalties. The Genetic Information Privacy Act will take effect on January 1, 2022.