On March 26, 2023, Virginia enacted a genetic privacy law (SB 1087) aimed at regulating the practices of direct-to-consumer (“DTC”) genetic testing companies.  Virginia is not the only state interested in regulating these companies—numerous other states, including Minnesota, Texas, Tennessee, and Vermont, have introduced similar bills during this legislative session, following the enactment of similar genetic privacy laws in Arizona, California, and Utah in recent years.  Virginia’s SB 1087, effective July 1, 2023, adds to the growing net of state genetic privacy protections.

Virginia’s DTC Genetic Privacy Law

SB 1087 imposes several requirements on DTC genetic testing companies, such as (i) providing notice to consumers related to the company’s privacy practices and collection, use, and disclosure of genetic data (including the disclosure of deidentified genetic data to third parties for research), (ii) implementing security processes to protect genetic data, and (iii) providing consumers with the ability to access and delete the consumer’s genetic data and revoke consent for the storage of the consumer’s biological sample.  SB 1087 requires a DTC genetic testing company to obtain a consumer’s express consent for the collection, use, and disclosure of the consumer’s genetic data, and enumerates specific elements that this express consent must contain (e.g., “[e]ach use of genetic data or the biological sample beyond the primary purpose of the genetic testing or service and inherent contextual uses”). 

SB 1087 applies to a wide class of DTC genetic testing companies, which is an entity “that (i) offers consumer-initiated genetic testing products or services directly to a consumer or (ii) collects, uses, or analyzes genetic data that is collected or derived from a [DTC] genetic testing product or service and is directly provided by a consumer.”  SB 1087 similarly broadly defines “genetic data,” to include “any data that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained, and concerns genetic material,” including uninterpreted data and any information “extrapolated, derived, or inferred therefrom.”  However, “genetic data” does not include deidentified data.  SB 1087 contains a specific standard that genetic data must meet to be considered deidentified.

Notably, SB 1087 contains numerous exemptions for research and certain health-related entities and information.  For example, the definition of “[DTC] genetic testing company” excludes an entity that is “only engaged in collecting, using, or analyzing genetic data or biological samples in the context of research conducted in accordance with” the federal Common Rule, International Conference on Harmonization Good Clinical Practice (“ICH GCP”) Guideline, or the Food and Drug Administration (“FDA”) Policy for the Protection of Human Subjects.  Similarly, an entity that is a covered entity or business associate subject to the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (“HIPAA”) is exempt from SB 1087, so long as the covered entity or business associate “maintains, uses, and discloses genetic data” in the same manner as protected health information (“PHI”).  There are additional exemptions to SB 1087 for tests conducted to diagnose whether an individual has a specific disease, as well as for scientific research or educational activities conducted by a public or private nonprofit institution of higher education that holds an assurance with the U.S. Department of Health and Human Services (“HHS”) pursuant to the federal Common Rule.

Other State DTC Genetic Privacy Laws & Proposals

SB 1087 is largely similar (though not identical) to other state DTC genetic testing bills introduced during this legislative session and those enacted in other states.  For example, Minnesota’s HF 1520, which has been working its way through the Minnesota legislature, contains a substantially similar definition of DTC genetic testing company, including the exception in the definition for research conducted in compliance with the federal Common Rule, ICH GCP Guideline, or FDA Policy for the Protection of Human Subjects.  While HF 1520 has similar types of exemptions to SB 1087, the exemptions are not identical—for example, HF 1520 contains only a data-level exemption for PHI held by a covered entity or business associate, rather than the entity-level exemption contained in SB 1087, and HF 1520 broadly exempts all public and private institutions of higher education and all entities owned or operated by those institutions, where SB 1087 exempts only institutions that hold assurances with HHS pursuant to the federal Common Rule.  HF 1520 similarly does not apply to deidentified information, and includes a substantially similar deidentification standard to that in SB 1087, including the requirement to enter into legally enforceable contractual obligations that prohibit any recipients of the data from attempting to reidentify the data.  DTC genetic testing companies would be subject to notice, consent, and access and deletion obligations under HF 1520 similar to those contained in SB 1087.

As we have previously discussed, Arizona, California, and Utah have enacted DTC genetic privacy laws, which contain similar, but not identical, provisions to Virginia’s SB 1087 and Minnesota’s HF 1520.  These laws also contain exemptions related to clinical research and for PHI collected by a covered entity or business associate subject to HIPAA, and similarly exempt deidentified data, though we note that the scope of each state law’s exemptions is not identical.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Elizabeth Brim

Elizabeth Brim is an associate in the firm’s Washington, DC office, where she is a member of the Data Privacy and Cybersecurity and Health Care Practice Groups and advises clients on a broad range of regulatory and compliance issues related to privacy and health care.

Elizabeth’s practice includes counseling clients on compliance with the complex web of health information privacy laws and regulations, such as HIPAA, the FTC’s Health Breach Notification Rule, and state medical and consumer health privacy laws as well as state consumer privacy and genetic privacy laws. She also advises clients on health care compliance issues, such as fraud and abuse, market access, and pricing and reimbursement activities.

Elizabeth routinely advises on regulatory compliance as part of transactions, clinical trial programs, collaborations and other activities that involve genetic data, and the development and operation of digital health products. As part of her practice, Elizabeth routinely counsels clients on drafting and negotiating privacy and health care terms with vendors and third parties and developing privacy notices and consent forms. In addition, Elizabeth maintains an active pro bono practice.

Elizabeth is an author of the American Health Law Association treatise, Pricing, Market Access, and Reimbursement Principles: Drugs, Biologicals and Medical Devices and the U.S. chapter of the Global Legal Insights treatise, Pricing & Reimbursement Laws and Regulations.