Last Friday, October 1, the Protecting DNA Privacy Act (HB 833), a new genetic privacy law, went into effect in the state of Florida establishing four new crimes related to the unlawful use of another person’s DNA.  While the criminal penalties in HB 833 are notable, Florida is not alone in its focus on increased genetic privacy protections.  A growing number of states, including Utah, Arizona, and California, have begun developing a net of genetic privacy protections to fill gaps in federal and other state legislation, often focused on the privacy practices of direct-to-consumer (“DTC”) genetic testing companies.  While some processing of genetic information is covered by federal law, the existing patchwork of federal genetic privacy protections do not clearly cover all forms of genetic testing, including DTC genetic tests.

Florida’s Protecting DNA Privacy Act

HB 833 was introduced in the Florida House of Representatives in February 2021 and signed by the governor in June.  HB 833 applies to DNA samples collected from a person in Florida, and regulates any person’s use, retention, disclosure, or transfer of another person’s DNA samples or analysis.  HB 833 amended Florida’s previous genetic privacy law, s. 760.40, F.S., to require that a person from whom the DNA is extracted gives “express consent” for a specified use of their genetic information.  Under the previous law, analyzing a person’s DNA without their informed consent was a first degree misdemeanor; however, under HB 833, unlawful use may be a felony, depending on the provision of the law violated.  Additionally, HB 833 states that the genetic information of the person from whom it is extracted is the “exclusive property” of that person to control.  While HB 833 does impose notable criminal penalties for those that violate it, there are a number of exceptions (e.g., criminal prosecution or other legal processes, medical diagnosis or treatment, or conducting or preparing research subject to federal law, including the Common Rule and the Health Insurance Portability and Accountability Act (“HIPAA”)).

HB 833 is not the only change to genetic privacy protections recently made in Florida.  In July 2020, Florida enacted HB 1189 that extended existing protections barring health insurers’ use of genetic information to long-term care and life insurers, including those that issue policies with disability insurance.  Specifically, HB 1189 prohibits these insurers from canceling, limiting, denying, or differing premium rates based on genetic information.  Further, HB 1189 bars the insurers from requiring or soliciting genetic information or test results, or using a consumer’s decision as to whether to take any actions related to genetic testing “for any insurance purpose.”

Additional DTC Genetic Privacy Laws and Bills

Earlier this year, Utah enacted SB 227, the Genetic Information Privacy Act, which imposes restrictions on DTC genetic testing companies, requiring specific privacy notices, security processes to protect consumer data, and the ability of a consumer to access and delete their own personal genetic data.  Similar to Florida’s HB 833, Utah’s SB 227 contains a requirement that DTC genetic testing companies obtain express consent for the collection, use, or disclosure of consumer genetic data.  Additionally, SB 227 specifically creates data de-identification requirements, including that the company in possession of the data impose specific measures to ensure data cannot be re-identified and “enters into legally enforceable contractual obligation that prohibits a recipient of the data from attempting to reidentify the data.”

Arizona also recently enacted HB 2069, the Genetic Information Privacy Act, which became effective last week on September 29.  HB 2069 also focuses on DTC genetic testing companies and is similar to Utah’s SB 227 in many respects (e.g., initial consent must be obtained to collect and use genetic data, followed by certain separate express consents for purposes beyond the initial use), but not all (e.g., the standard de-identifying genetic data).

The California state legislature has passed SB 41, its own Genetic Information Privacy Act, which has many of the same consent, privacy, and security mechanisms present in the Utah and Arizona laws.  The bill is currently sitting on the governor’s desk for signature.  SB 41 creates its own de-identification standard similar to that created in Utah’s SB 227.  Additionally, SB 41 requires a DTC genetic testing company to comply with a consumer’s revocation of consent and to destroy a consumer’s biological sample within 30 days of that revocation.  SB 41 is almost identical to a bill vetoed by the Governor last year due to concerns over interference with COVID-19 test result reporting to public health authorities.  However, SB 41 attempts to address the governor’s concerns by providing a carve-out for tests to diagnose a specific disease as long as genetic information obtained through this diagnostic test is treated as medical or protected health information.

Federal Genetic Privacy Landscape and Efforts

Current federal genetic privacy protections stem from several laws, including HIPAA, the Genetic Information Nondiscrimination Act of 2008, and the Federal Trade Commission’s ability to bring actions against “unfair” or “deceptive” business practices.  However, these laws do not cover all forms of genetic testing that a consumer may engage with, including DTC genetic tests.  There have been recent attempts to pass federal legislation to protect American’s personal health data.  In January 2021, Senators Amy Klobuchar and Lisa Murkowski introduced S.24, the Protecting Personal Health Data Act, which aims to broadly protect personal health data not covered by HIPAA.  Under S.24, “personal health data” includes “genetic information . . . that relates to past, present, or future physical or mental health or condition of an individual that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual” and states that DTC genetic testing services are covered as “services” under the bill.  However, to date, since being introduced, S.24 has been referred to the U.S. Senate Committee on Health, Education, Labor, and Pensions, but it has not otherwise moved.

Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.