44-8002. Direct-to-consumer genetic testing company requirements; prohibition
A. A direct-to-consumer genetic testing company shall:
1. Provide clear and complete information regarding the company's policies and procedures for collecting, using or disclosing genetic data by making available to a consumer both of the following:
(a) A high-level privacy policy overview that includes basic, essential information about the company's collection, use or disclosure of genetic data.
(b) A prominent, publicly available privacy notice that includes information about the company's data collection, consent, use, access, disclosure, transfer, security and retention and deletion practices.
2. Obtain a consumer's consent for collecting, using or disclosing the consumer's genetic data, including:
(a) Initial express consent that clearly describes the uses of the genetic data collected through the genetic testing product or service and that specifies who has access to test results and how the genetic data may be shared.
(b) Separate express consent for any of the following:
(i) Transferring or disclosing the consumer's genetic data to any person other than the company's vendors and service providers.
(ii) Using genetic data beyond the primary purpose of the genetic testing product or service and inherent contextual uses.
(iii) Retaining any biological sample provided by the consumer following completion of the initial testing service requested by the consumer.
(c) Informed consent in compliance with the federal policy for the protection of human research subjects prescribed by 45 Code of Federal Regulations part 46 for transferring or disclosing the consumer's genetic data to third-party persons for research purposes or research conducted under the control of the company for the purpose of publication or generalizable knowledge.
(d) Express consent for marketing to a consumer based on the consumer's genetic data or for marketing by a third-party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service. For the purposes of this subdivision, marketing does not include providing customized content or offers on websites or through applications or services provided by the direct-to-consumer genetic testing company with the first-party relationship to the consumer.
3. Require a valid legal process for disclosing genetic data to law enforcement or any other government agency without a consumer's express written consent.
4. Develop, implement and maintain a comprehensive security program to protect a consumer's genetic data against unauthorized access, use or disclosure.
5. Provide a process for a consumer to do all of the following:
(a) Access the consumer's genetic data.
(b) Delete the consumer's account and genetic data.
(c) Request and obtain the destruction of the consumer's biological sample.
6. Disclose genetic data only in accordance with section 12-2802.
B. Notwithstanding any other provision in this section, a direct-to-consumer genetic testing company may not disclose a consumer's genetic data to any entity offering health insurance, life insurance or long-term care insurance or to any employer of the consumer.