Wyoming: Genetic Data Privacy Act - What you need to know
On 8 March 2022, the Wyoming State Governor signed House Bill ('HB') 0086, thereby enacting the Wyoming Genetic Data Privacy Act ('the Act'). The Act will go into effect on 1 July 2022 and applies to any business that collects genetic data from individuals in the state of Wyoming. As such, OneTrust DataGuidance highlights some of the key provisions of the Act, focusing on areas such as consumer rights, business obligations, and what to expect with regard to enforcement.
Scope of application
The Act applies to 'direct to consumer genetic testing companies', which it defines as any person 'that offers consumer genetic testing products or services directly to consumers or who collects, uses or analyzes genetic data provided by a consumer'. In this respect, the Act also provides a definition of 'genetic testing', specifying that it includes 'any laboratory test of an individual's complete DNA, regions of DNA, chromosomes or genes to determine the presence of genetic characteristics of an individual'. Furthermore, the Act aims to protect 'consumers', who are defined as natural persons who are residents of the state of Wyoming.
Additionally, the Act applies to the following categories of data:
- 'Biological sample' which is 'any material part of a human, discharge therefrom or derivative thereof known to contain DNA, such as tissue, blood, urine or saliva'; and
- 'Genetic information' which means 'any data, regardless of its format, that concerns an individual's genetic characteristics', and includes:
  - 'raw sequence data that result from sequencing of an individual's complete extracted or a portion of the extracted DNA;
  - genotypic and phenotypic information that results from analyzing the raw sequence data, including any familial inferences therefrom; and
  - self reported health information that an individual submits to a company regarding the individual's health conditions and that is used for scientific research or product development and analyzed in connection with the individual's raw sequence data.'
However, the Act provides that it does not apply to businesses that collect protected health information under the Health Insurance Portability and Accountability Act of 1996 ('HIPAA').
In relation to consumer rights, although the Act does not provide procedural details on the exercising of specific data subject rights, it provides consumers with the statutory right to:
- access their collected genetic data;
- rectify the genetic data collected; and
- delete their collected genetic data when it is no longer being used or needed for the purpose for which it was collected.
These are outlined within a company's obligations to provide consumers with a process to exercise their rights. In line with this, the Act also notes that an individual or their authorised representative may inspect, correct, and obtain genetic information data about the individual.
Finally, the Act also provides consumers with a private right of action, which will be further discussed below.
The Act focuses on two principal areas regarding business obligations:
- how to make information available to consumers on data processing practices, through privacy notices and policies; and
- how to obtain different types of consent from consumers.
In this respect, and in order to ensure that a company is safeguarding the privacy, confidentiality, security, and integrity of a consumer's genetic data, the Act requires companies to:
- provide consumers with detailed, clear, and complete information regarding their processing and procedures, through the implementation of the following multi-layered privacy policies:
  - a prominent, publicly available privacy notice that includes, at a minimum, information about the company's data collection, consent, use, access, disclosure, transfer, security and retention, and deletion practices.'
Regarding consent, the Act requires companies to obtain a consumer's consent for the collection, use, or disclosure of their genetic data, including – at least – the following distinct types of consent:
- initial express consent that describes the uses for which the genetic data is collected through the genetic testing product or service, while also specifying who has access to test results and how the genetic data may be shared;
- separate express consent for the transfer or disclosure of the genetic data to anyone other than the company's vendors and service providers, as well as for the use of genetic data beyond the primary purpose for which it was collected;
- separate express consent for retaining biological samples provided by the consumer following completion of the initial testing service requested by the consumer;
- informed consent which must be in compliance with the federal policy for the protection of human research subjects, and obtained for any transfer or disclosure of genetic data to third party persons for research purposes; and
- separate express consent for marketing which is based on the consumer's genetic data, or for marketing by a third-party based on the consumer having ordered or purchased a genetic testing product or service.
Lastly, the Act also establishes a general security obligation for covered entities, requiring them to develop, implement, and maintain comprehensive security programs that protect consumers' genetic data against unauthorised access, use, or disclosure. The Act also contains certain requirements for companies around the disclosure of such data to public bodies and law enforcement.
As briefly mentioned above, the Act provides consumers with a private right of action against anyone who violates its provisions, allowing them to bring a civil action to enjoin or restrain any violation of the Act and possibly to seek damages from the violation.
However, the Act specifies that before a private right of action is filed, the individual alleging a violation is required to give notice in writing to the alleged violator stating the nature of the alleged violation. Following this, the Act allows the alleged violator a period of not more than 60 days from being provided with the notice to cure any violation. If, however, the violation has not been cured after this 60-day period, the individual may bring a civil action against the violator.
Finally, the Act grants the Wyoming Attorney General the authority to enforce its provisions, with the power to enforce penalties of up to $2,500 for each violation, as well as to recover actual damages for harmed consumers on whose behalf the action was brought, and attorneys' fees and costs incurred by the office of the Attorney General.
Marcello Ferraresi Privacy Analyst