On February 14, 2024, Nebraska enacted a genetic privacy law (LB 308) regulating direct-to-consumer (“DTC”) genetic testing companies. The law is one of a flurry of bills regarding DTC genetic testing that have been introduced in several states since the beginning of 2024, following the enactment of several DTC genetic testing laws in 2023, such as in Virginia.

Nebraska’s DTC Genetic Privacy Law

LB 308 applies to companies that meet the definition of a DTC genetic testing company, which is defined as “an entity that (a) offers consumer genetic testing products or services directly to a consumer, or (b) collects, uses, or analyzes genetic data that resulted from a direct-to-consumer genetic testing product or service and was provided to the company by a consumer.”

Such companies will be required to comply with various obligations similar to those in other DTC genetic privacy laws, including (a) providing a written public privacy about the company’s collection, use, and disclosure of genetic data; (b) obtaining consent for collection, use, and disclosure of genetic data, including for initial testing, transferring genetic data, and non-exempt research; (c) obtaining consent to retain the consumer’s biological sample; and (d) providing certain data subject rights (e.g., access, deletion) to consumers, among other requirements.

The law exempts certain types of data and activities from its purview. The definition of “genetic data” in LB 308 exempts de-identified data that meets a statutory standard. Protected health information (“PHI”) collected by a covered entity or business associate subject to Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations (collectively, “HIPAA”) is also exempt. Additionally, under LB 308 the definition of a DTC genetic testing company does not include an entity “solely engaged in collecting, using, or analyzing genetic data or biological samples in the context of research, as defined in [HIPAA], conducted in accordance with” the federal Common Rule, International Conference on Harmonization Good Clinical Practice (“ICH GCP”) Guideline, or 21 C.F.R. parts 50 and 56.

A violation of LB 308 is subject to a civil penalty of $2,500 per violation “in addition to actual damages incurred by the consumer” and costs and fees incurred by the Attorney General. LB 308 is expected to go into effect July 18, 2024.

DTC Genetic Privacy Bills Introduced in Other States This Session

DTC genetic testing bills have been introduced in several other states this session, including SB 284 in Indiana, HB 5110 in West Virginia, and HB 21 in Alabama. While these laws are similar to LB 308, they are not identical. Like LB 308, each of these bills does not apply to de-identified genetic data and contains exemptions for certain research activities, HIPAA regulated entities, and/or PHI held by a HIPAA-regulated entity. Also like LB 308, these bills would require genetic testing companies to (a) provide access to its privacy policy; (b) obtain consent for certain uses of consumers’ genetic data; and (c) obtain consent for retention of any biological sample, among other requirements.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws.

Libbie Canter represents a wide variety of multinational companies on managing privacy, cyber security, and artificial intelligence risks, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with U.S. and global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state laws, including the California Consumer Privacy Act, the Colorado AI Act, and other state laws. As part of her practice, she also regularly represents clients in strategic transactions involving personal data, cybersecurity, and artificial intelligence risk and represents clients in enforcement and litigation postures.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations. 

Chambers USA 2024 ranks Libbie in Band 3 Nationwide for both Privacy & Data Security: Privacy and Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Photo of Elizabeth Brim Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and…

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and health care.

Elizabeth’s practice includes counseling clients on compliance with the complex web of health information privacy laws and regulations, such as HIPAA, the FTC’s Health Breach Notification Rule, and state medical and consumer health privacy laws as well as state consumer privacy and genetic privacy laws. She also advises clients on health care compliance issues, such as fraud and abuse, market access, and pricing and reimbursement activities.

Elizabeth routinely advises on regulatory compliance as part of transactions, clinical trial programs, collaborations and other activities that involve genetic data, and the development and operation of digital health products. As part of her practice, Elizabeth routinely counsels clients on drafting and negotiating privacy and health care terms with vendors and third parties and developing privacy notices and consent forms. In addition, Elizabeth maintains an active pro bono practice.

Elizabeth is an author of the American Health Law Association treatise, Pricing, Market Access, and Reimbursement Principles: Drugs, Biologicals and Medical Devices and the U.S. chapter of the Global Legal Insights treatise, Pricing & Reimbursement Laws and Regulations.

Photo of Aubrey Stoddard Aubrey Stoddard

Aubrey Stoddard is an associate in the firm’s Washington, DC office, where she is a member of the Health Care Practice Group. Aubrey advises pharmaceutical, biotechnology, and medical device clients on a broad range of policy and regulatory issues.

Aubrey also maintains an…

Aubrey Stoddard is an associate in the firm’s Washington, DC office, where she is a member of the Health Care Practice Group. Aubrey advises pharmaceutical, biotechnology, and medical device clients on a broad range of policy and regulatory issues.

Aubrey also maintains an active pro bono practice centered on reproductive health.