On May 16, 2024, Alabama enacted a genetic privacy bill (HB 21), which regulates consumer-facing genetic testing companies.  HB 21 continues the recent trend of states enacting genetic privacy legislation aimed at regulating direct-to-consumer (“DTC”) genetic testing companies, such as in Nebraska and Virginia, with more than 10 states now having similar laws on the books. 

Scope of HB 21

HB 21 regulates “genetic testing companies’” practices involving “genetic data.”  HB 21 defines a “genetic testing company” as “[a]ny person, other than a health care provider, that directly solicits a biological sample from a consumer for analysis in order to provide products or services to the consumer which include disclosure of information that may include, but is not limited to, the following:

  1. The genetic link of the consumer to certain population groups based on ethnicity, geography, or anthropology;
  2. The probable relationship of the consumer to other individuals based on matching DNA for purposes that include genealogical research; or
  3. Recommendations to the consumer for managing wellness which are based on physical or metabolic traits, lifestyle tendencies, or disease predispositions that are associated with genetic markers present in the consumer’s DNA.”

In turn, “genetic data” is defined as “[a]ny data derived from analysis of a biological sample which concerns a consumer’s genetic characteristics and which may include, but is not limited to, any of the following formats or sources:

  1. Raw data that results from sequencing all or a portion of a consumer’s extracted DNA;
  2. Genotypic and phenotypic information obtained from analyzing a consumer’s raw sequence data; or
  3. Health information self-reported by the consumer to a genetic testing company to be used by the company in connection with analyzing the consumer’s raw sequence data or for product development or scientific research.”

Obligations under HB 21

HB 21 imposes several requirements on an entity that falls within the meaning of a “genetic testing company,” many of which are similar to obligations imposed by other DTC genetic testing laws.  For example, HB 21 (i) requires genetic testing companies to provide notice to consumers regarding the company’s privacy practices and collection, use, and disclosure of genetic data (including the disclosure of de-identified genetic data to third parties for research), (ii) allows consumers the ability to access and delete the their genetic data, and (iii) provides consumers with the ability to revoke consent for the storage of the their biological sample or other consent previously provided under the law. 

HB 21 requires a genetic testing company to obtain a consumer’s express consent for the collection, use, and disclosure of the consumer’s genetic data and enumerates specific elements that this express consent must contain, including identifying who may have access to the consumer’s sample and data and obtaining permission to retain the biological sample and genetic data for future testing.  HB 21 also requires express consent “every time the company” (i) transfers the biological sample or genetic data to a third party for a reason other than the provision of the product or service ordered, (ii) uses the biological sample or genetic data for a purpose other than the ordered product or service, or (iii) markets to a consumer based on the consumer’s genetic data.

While HB 21 contains an exemption for research carried out by certain entities, discussed below, HB 21 requires that genetic testing companies obtain informed consent in compliance with 45 C.F.R. part 46 (the federal Common Rule) for transfers of the consumer’s biological samples or genetic data for (i) independent research by a third party or (ii) for research sponsored by the genetic testing company for the purpose of product or service research and development, scientific publication, or promotion of the company.

Exemptions

HB 21 contains four key exemptions.  First, by definition, “genetic data” does not include de-identified data, which must meet either one of two specific standards to be considered de-identified.  One of these standards is the de-identification standard in the Health Insurance Portability and Accountability Act, as amended and its implementing regulations (“HIPAA”). 

Second, HB 21 exempts covered entities and business associates under HIPAA. 

Third, HB 21 contains an exemption for certain research activities, specifically “the collection, use, or retention of biological samples or genetic data for noncommercial purposes, including for research and instruction, by a public or private institution of higher learning or any entity owned or operated by a public or private institution of higher learning.”  The scope of this research exemption is slightly different than that in several other states’ DTC genetic privacy laws, such as Virginia’s, which generally exempt research conducted in accordance with human subject research frameworks.

Finally, HB 21 does not apply to “biological samples or genetic data lawfully obtained by law enforcement pursuant to a criminal investigation.”

Enforcement and Effective Date

HB 21 will go into effect on October 1, 2024 and be enforced by the Consumer Division of the Office of the Attorney General.  Once in effect, consumers will be able to report a violation of HB 21 to that office—HB 21 does not contain a private right of action.  A violation of HB 21 could result in a civil penalty of up to $3,000 for each violation.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Photo of Elizabeth Brim Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office. She is a member of the firm’s Health Care and Data Privacy and Cybersecurity Practice Groups, advising clients on a broad range of regulatory and compliance issues. In addition, Elizabeth maintains an…

Elizabeth Brim is an associate in the firm’s Washington, DC office. She is a member of the firm’s Health Care and Data Privacy and Cybersecurity Practice Groups, advising clients on a broad range of regulatory and compliance issues. In addition, Elizabeth maintains an active pro bono practice.