Kentucky: Genetic Information Privacy Act - What you need to know
On 8 April 2022, the Kentucky Governor signed into law House Bill ('HB') 502 for the Genetic Information Privacy Act ('the Act'). In particular, the Act grants consumers greater control over their genetic materials by regulating the collection, use, and disclosure of genetic data, among others. The Act will go into effect on 1 June 2022. As such, OneTrust DataGuidance highlights some of its key provisions, focusing on areas such as consumer rights, business obligations, and what to expect with regard to enforcement.
Scope of application
Firstly, the Act aims to safeguard the privacy, confidentiality, security, and integrity of the genetic data of consumers, who are defined as 'any individual who is a resident of Kentucky'. To this end, the Act applies to direct-to-consumer genetic testing companies, which are defined as any entity 'that offers genetic testing products or services directly to a consumer, or collects, uses, or analyzes genetic data that resulted from a direct-to-consumer genetic testing product or service and was provided to the company by a consumer'. Additionally, the Act defines genetic testing as 'any laboratory test of a consumer's complete DNA, regions of DNA, chromosomes, genes, or gene products to determine the presence of genetic characteristics of a consumer'.
In this respect, the Act applies to the following categories of data:
- biological sample: which is 'any material part of the human, discharge therefrom, or derivative thereof, such as tissue, blood, urine, or saliva, known to contain DNA'; and
- genetic data: which is 'any data, regardless of its format, that concerns a consumer's genetic characteristics', including but not limited to:
- 'raw sequence data that result from a sequencing of a consumer's complete extracted or a portion of the extracted DNA;
- genotypic and phenotypic information that results from analyzing the raw sequence data; and
- self-reported health information that a consumer submits to a company regarding the consumer's health conditions and that is used for scientific research or product development and analyzed in connection with the consumer's raw sequence data'.
The Act does not apply to the collection of protected health information under the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') and the Health Information Technology for Economic and Clinical Health Act of 2009 ('HITECH').
With regard to consumer rights, the Act outlines them among the direct-to-consumer genetic testing companies' obligations. In particular, such companies are required to provide consumers with a process to exercise the statutory rights enshrined in the Act, and specifically the rights to:
- access their genetic data;
- delete their account and genetic data; and
- request and obtain the destruction of their biological sample.
There are two main areas where the Act sets out obligations for direct-to-consumer genetic testing companies:
- information duties towards consumers; and
- rules on the various types of consent that must be obtained from consumers.
In this respect, and to safeguard the privacy, confidentiality, security, and integrity of consumers' genetic data, the Act requires direct-to-consumer genetic testing companies to:
- provide consumers with clear and complete information regarding the company's policies and procedures for the collection, use, or disclosure of genetic data, by making available to them a prominent and publicly available privacy notice that, at a minimum, includes information about the company's practices around data collection, consent, use, access, disclosure, transfer, security, retention, and deletion of data.
In terms of rules on consent, the Act requires direct-to-consumer genetic testing companies to obtain a consumer's consent for the collection, use, or disclosure of their genetic data. This consent should include, at least:
- initial express consent which describes the uses of the collected genetic data, specifying who has access to test results and how the genetic data may be shared;
- separate express consent which is used for:
- the transfer or disclosure of the consumer's genetic data to anyone other than the company's vendors and service providers, as well as for use of the genetic data that goes beyond the primary purpose for which it was initially collected; and
- retaining biological samples provided by the consumer, following completion of the initial testing service that was requested;
- informed consent which should be compliant with the federal policy for the protection of human research subjects, with regard to the transfer or disclosure of the consumer's genetic data to a third party for research purposes or research conducted under the control of the company for the purpose of publication or generalisable knowledge; and
- express consent which is used for marketing to a consumer based on their genetic data, or for marketing by a third party based on the fact that the consumer had ordered or purchased a genetic testing product or service. In this regard, marketing is not to be understood as including the provision of customised content or offers on websites, or through applications or services provided by the direct-to-consumer genetic testing company that has the first-party relationship with the customer.
With regard to the security of the genetic data obtained from consumers, the Act establishes that covered organisations must develop, implement, and maintain security programs that protect such data against unauthorised access, use, or disclosure.
Finally, the Act restricts the ability of direct-to-consumer genetic testing companies to disclose consumers' genetic data to public bodies and law enforcement, as this requires the consumer's express written consent.
The Act grants the Kentucky Attorney General ('AG') the authority to enforce its provisions, entitling the AG to seek civil penalties of $2,500 for each violation, as well as to recover actual damages incurred by the consumers on whose behalf the action was brought, and the costs incurred by the Office of the AG.
Francesco Saturnino, Privacy Analyst