The US does not currently have an overarching federal data privacy and protection law, despite broad bipartisan consumer support for such regulation. California, with its large population and status as a major global economy – particularly for technology – often acts as a bellwether for data-driven policy in the US. In January 2022, several California laws went into effect that seek to further protect genetic data, especially that derived from direct-to-consumer test kits.
Existing industry-specific laws in the US, such as HIPAA, provide rights for certain datasets, such as healthcare records documented by a medical professional, but direct-to-consumer data collection methods related to health often fell into a regulatory grey zone. The federal Genetic Information Nondiscrimination Act, enacted in 2008, provides certain prohibitions against the use of genetic information in healthcare and employment decisions, but it is not a comprehensive law in the privacy sense.
California is building off the momentum of the California Consumer Privacy Act and subsequent voter-approved California Privacy Rights Act to expand additional protections to genetic data, particularly for direct-to-consumer models that circumvent the doctor’s office.
While several laws related to data privacy were signed in late 2021 by California’s governor, going into effect immediately in January 2022, the most relevant to genetic data are AB 825 and SB 41. The former, AB 825, essentially closes a gap in existing California data-breach-notification laws by including genetic data in the definition of ‘personal data.’ This means consumers have the right to be notified if their genetic data is the subject of a personal data breach, and it potentially provides the right to action (lawsuit) under some laws that depend on this definition of personal data.
Notably, however, none of the new California laws establish a new right to action, instead building upon past definitions.
Potentially more significant is California’s SB 41, which establishes the Genetic Information Privacy Act. This law is targeted at direct-to-consumer genetic testing companies and provides California consumers with numerous rights regarding transparency of genetic data use, consent mechanisms, clarity of third-party relationships, account/data deletion mechanisms, rules for baseline security practices for data, and requirements for destruction of biological samples when consumer consent is revoked (unless otherwise prohibited by superseding law).
The sum of these laws is a potential pivot toward recognition of health-adjacent data collected and analyzed by private direct-to-consumer companies as sensitive in the US. Formal healthcare records as protected by HIPAA represent only a small slice of medically relevant data, particularly in a US economy where wearable fitness technology and direct-to-consumer testing flourish.
Where California goes, other US states often follow. Time will tell if individual states seek to close gaps in existing genetic data protections, or if California’s actions will set the stage for eventual federal standards.