On March 26, 2023, Virginia enacted a genetic privacy law (SB 1087) aimed at regulating the practices of direct-to-consumer (“DTC”) genetic testing companies. Virginia is not the only state interested in regulating these companies—numerous other states, including Minnesota, Texas, Tennessee, and Vermont, have introduced similar bills during this legislative session, following the enactment of similar genetic privacy laws in Arizona, California, and Utah in recent years. Virginia’s SB 1087, effective July 1, 2023, adds to the growing net of state genetic privacy protections.
Virginia’s DTC Genetic Privacy Law
SB 1087 imposes several requirements on DTC genetic testing companies, such as (i) providing notice to consumers related to the company’s privacy practices and collection, use, and disclosure of genetic data (including the disclosure of deidentified genetic data to third parties for research), (ii) implementing security processes to protect genetic data, and (iii) providing consumers with the ability to access and delete the consumer’s genetic data and revoke consent for the storage of the consumer’s biological sample. SB 1087 requires a DTC genetic testing company to obtain a consumer’s express consent for the collection, use, and disclosure of the consumer’s genetic data, and enumerates specific elements that this express consent must contain (e.g., “[e]ach use of genetic data or the biological sample beyond the primary purpose of the genetic testing or service and inherent contextual uses”).
SB 1087 applies to a wide class of DTC genetic testing companies, defining such a company as an entity “that (i) offers consumer-initiated genetic testing products or services directly to a consumer or (ii) collects, uses, or analyzes genetic data that is collected or derived from a [DTC] genetic testing product or service and is directly provided by a consumer.” SB 1087 similarly defines “genetic data” broadly to include “any data that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained, and concerns genetic material,” including uninterpreted data and any information “extrapolated, derived, or inferred therefrom.” However, “genetic data” does not include deidentified data. SB 1087 contains a specific standard that genetic data must meet to be considered deidentified.
Notably, SB 1087 contains numerous exemptions for research and certain health-related entities and information. For example, the definition of “[DTC] genetic testing company” excludes an entity that is “only engaged in collecting, using, or analyzing genetic data or biological samples in the context of research conducted in accordance with” the federal Common Rule, International Conference on Harmonization Good Clinical Practice (“ICH GCP”) Guideline, or the Food and Drug Administration (“FDA”) Policy for the Protection of Human Subjects. Similarly, an entity that is a covered entity or business associate subject to the Health Insurance Portability and Accountability Act, as amended, and its implementing regulations (“HIPAA”) is exempt from SB 1087, so long as the covered entity or business associate “maintains, uses, and discloses genetic data” in the same manner as protected health information (“PHI”). There are additional exemptions to SB 1087 for tests conducted to diagnose whether an individual has a specific disease as well as scientific research or educational activities conducted by a public or private nonprofit institution of higher education that holds an assurance with the U.S. Department of Health and Human Services (“HHS”) pursuant to the federal Common Rule.
Other State DTC Genetic Privacy Laws & Proposals
SB 1087 is largely similar (though not identical) to other state DTC genetic testing bills introduced during this legislative session and those enacted in other states. For example, Minnesota’s HF 1520, which has been working its way through the Minnesota legislature, contains a substantially similar definition of DTC genetic testing company, including the exception in the definition for research conducted in compliance with the federal Common Rule, ICH GCP Guideline, or FDA Policy for the Protection of Human Subjects. While HF 1520 has similar types of exemptions to SB 1087, the exemptions are not identical—for example, HF 1520 contains only a data-level exemption for PHI held by a covered entity or business associate, rather than the entity-level exemption contained in SB 1087, and HF 1520 broadly exempts all public and private institutions and all entities owned or operated by those institutions where SB 1087 exempts only institutions that hold assurances with HHS pursuant to the federal Common Rule. HF 1520 similarly does not apply to deidentified information, and includes a substantially similar deidentification standard to that in SB 1087, including the requirement to enter into legally enforceable contractual obligations that prohibit any recipients of the data from attempting to reidentify the data. DTC genetic companies would be subject to notice, consent, and access and deletion obligations under HF 1520 similar to those contained in SB 1087.
As we have previously discussed, Arizona, California, and Utah have enacted DTC genetic privacy laws, which contain similar, but not identical, provisions to Virginia’s SB 1087 and Minnesota’s HF 1520. These laws also contain exemptions related to clinical research and for PHI collected by a covered entity or business associate subject to HIPAA, and similarly exempt deidentified data, though we note that the scope of each state law’s exemptions is not identical.