Virginia: Overview of new genetic data privacy law

Virginia continues to emerge as a leader on privacy legislation, passing a new genetic data privacy law that goes into effect on 1 July 2023. Beth Waller, from Woods Rogers Vandeventer Black, and Scott Bauer dissect the genetic data privacy law, covering its main definitions, scope, and provisions, as well as highlighting how it fits within the broader privacy legislation landscape.

Background

Virginia's genetic data privacy law provides Virginia consumers with greater control over the genetic data they share with direct-to-consumer genetic testing companies. The genetic data privacy law will also impact any service providers that these companies contract with, by requiring certain contract provisions aimed at protecting consumers' rights and privacy. The genetic data privacy law also contains a non-discrimination provision that prohibits all persons and public entities from discriminating against consumers who exercise any of the rights provided in the law.

The genetic data privacy law comes in the wake of a number of milestone decisions regarding Illinois' Biometric Information Privacy Act of 2008 ('BIPA'). Virginia continues to emerge as a national leader in the privacy space with this new genetic data privacy law.

What is 'genetic data'?

'Genetic data' under the genetic data privacy law means any data, regardless of format, that results from the analysis of a biological sample from a consumer, or from another element that enables equivalent information to be obtained, and that concerns genetic material (e.g. DNA, RNA, genes, and chromosomes)1.

The genetic data privacy law excludes certain genetic data from its provisions, such as deidentified genetic data and data used by employers to comply with legal requirements. It also excludes genetic data used for scientific research that meets federal and state laws for human subject protection, as well as protected health information collected by covered entities and their business associates under Health Insurance Portability and Accountability Act of 1996 ('HIPAA') and the Health Information Technology for Economic and Clinical Health Act of 2009 ('HITECH Act').

Because 'genetic data' under the genetic data privacy law includes uninterpreted data from the analysis of a biological sample, as well as any information extrapolated, derived, or inferred from such analysis, it is likely to be interpreted more broadly than 'genetic information' as defined by the federal Genetic Information Nondiscrimination Act of 2008 ('GINA')2.

Who is in scope?

Consumers: The genetic data privacy law is aimed at protecting the genetic data privacy of natural persons residing in Virginia.

Direct-to-consumer genetic testing companies: Any entity that 'offers consumer-initiated genetic testing products or services directly to a consumer' is in scope, as is any entity that collects, uses, or analyses the resulting genetic data on behalf of such a testing company.

Service providers: Service providers are for-profit entities involved in the collection, transportation, or analysis of the genetic sample on behalf of any direct-to-consumer genetic testing company or another company that uses the genetic data derived from a direct-to-consumer testing product or service. An entity that delivers the results of a genetic test is a service provider.

Persons and public entities: A provision prohibiting discrimination applies broadly to individuals, businesses, and public organisations.

What are the key components of the law?

The genetic data privacy law sets forth guidelines for relevant genetic testing companies to provide notice to consumers and obtain express consent for the collection, use, and disclosure of genetic data. The genetic data privacy law will also regulate the contracts between genetic testing companies and their service providers, and generally prohibit discrimination against consumers who exercise their rights under the law.

Provide notice: Direct-to-consumer genetic testing companies will be required to accompany every genetic testing product with specific information that must also be published on the company's website. This information will be required to include, at a minimum, the company's:

  • privacy policy;
  • policies and procedures related to how the company collects, uses, maintains, discloses, transfers, secures, accesses, and deletes consumer genetic data;
  • notice to consumers that their express consent is required for the collection, use, and disclosure of genetic data, as well as the means by which consumers may revoke this express consent;
  • notice to consumers that their deidentified genetic data may be shared with or disclosed to third parties for research purposes in accordance with federal regulation; and
  • the means by which consumers may file a complaint alleging a violation of these requirements.

Obtain express consent: Companies that fall under the scope of the genetic data privacy law will need to obtain express and separate consent from consumers for the following activities:

  • the use of genetic data, including separate consent for any use beyond the primary purpose of the genetic testing and inherent contextual uses;
  • the storage of biological samples after completion of testing;
  • with exceptions, marketing efforts using consumers' genetic data; and
  • transfer or disclosure of genetic data or biological samples to third parties (other than service providers), including separate consent for any disclosure to entities involved with health insurance, life insurance, long-term care insurance, disability insurance, or employment, whereby the third parties must be identified by name.

For express consent to be valid, consumers must be informed regarding who will access their data, how it will be shared, and the purpose for which it will be collected, used, and disclosed. Also, express consent specifically excludes consent inferred from consumer inaction. Finally, companies must establish a mechanism for consumers to revoke their consent, using the primary medium through which the companies normally communicate with consumers.

Protect genetic data: In-scope testing companies must implement reasonable security measures to safeguard genetic data.

Develop processes for consumers to exercise their rights: In-scope testing companies must establish procedures that allow consumers to easily access their genetic data, request its deletion, and revoke their consent for their biological sample to be stored. Additionally, companies must provide for consumers to request the destruction of their biological sample.

Prohibiting discrimination: Persons and public entities will be prohibited from discriminating against consumers for exercising their rights under the genetic data privacy law, which describes several forms of discrimination that are prohibited, including:

  • denying goods, services, or benefits;
  • charging or suggesting that they will charge different prices;
  • providing different levels of quality; or
  • suspecting consumers of wrongdoing based on their exercise of the rights under the genetic data privacy law.

Regulating contracts with service providers: Applicable testing companies and their service providers will be subject to additional requirements aimed at protecting the privacy of the consumer's identity, genetic data, and biological sample. Broadly, these requirements will prohibit the service provider from disclosing the genetic data, or using it, for any purpose beyond the one for which it was contracted.

How will the law be enforced?

As with Virginia's Consumer Data Protection Act ('CDPA'), Virginia's Attorney General ('AG') will be the sole authority to investigate and enforce the genetic data privacy law's provisions. The AG will bring actions in the appropriate circuit court on behalf of the Commonwealth. Civil penalties for a violation cannot exceed $1,000, but wilful violations can result in penalties of at least $1,000 and no more than $10,000. Each violation will be considered separately and subject to the applicable penalties. Violators will also be responsible for reasonable attorneys' fees, expenses, and court costs.

How does the genetic data privacy law fit within the broader privacy legislation landscape?

The genetic data privacy law will add requirements specifically aimed at direct-to-consumer genetic testing companies and their service providers to existing Virginia law. The recently enacted CDPA includes genetic data in its definition of 'sensitive data' and imposes regulations on how data controllers and third parties handle this information.

Direct-to-consumer genetic testing companies that operate nationally are likely already subject to similar genetic privacy laws from other states. In 2020, Florida became the first state to enact a DNA privacy law, which regulates insurance licensees. In 2021, Utah enacted its Genetic Information Privacy Act ('GIPA'), which like Virginia's new law, more specifically targets direct-to-consumer genetic testing companies. California's Genetic Information Privacy Act and Arizona's Genetic Information Privacy Act similarly regulate direct-to-consumer testing companies and each went into effect in 2022.

What are next steps?

Before taking any further steps, companies should evaluate themselves according to the definitions of existing state laws and the genetic data privacy law to determine whether they are subject to any further requirements. Now is the time for companies to start identifying and documenting controls and processes to enable consumers to exercise rights that may be afforded to them. Many processes may already be in place, either to comply with existing regulations or simply to protect the company regardless of genetic data privacy statutes.

Beth Waller, Principal
[email protected]
Woods Rogers Vandeventer Black, Richmond

Scott Bauer, Third-Year Law Student at William & Mary School of Law and Spring 2023 Legal Extern at Woods Rogers Vandeventer Black

1. Available at: https://lis.virginia.gov/cgi-bin/legp604.exe?231+ful+SB1087ER
2. Available at: https://www.eeoc.gov/statutes/genetic-information-nondiscrimination-act-2008