California SB 980 Would Codify Many of FPF’s Best Practices for Consumer Genetic Testing Services, but Key Differences Remain


Authors: John Verdi (Vice President of Policy) and Katelyn Ringrose (Christopher Wolf Diversity Law Fellow) 


In July 2018, the Future of Privacy Forum released Privacy Best Practices for Consumer Genetic Testing Services. FPF developed the Best Practices following consultation with technical experts, regulators, leading consumer genetic and personal genomic testing companies, and civil society. The FPF Best Practices include strict standards for the use and sharing of genetic information generated in the consumer context. Companies that pledged to follow the guidelines, including Ancestry, 23andMe, and Helix, promised to:

  • provide safeguards for how genetic information is collected, used, shared, and retained;
  • implement consent requirements for the initial collection and certain subsequent disclosures of genetic information; 
  • guarantee consumer rights to access, correction, and deletion; 
  • ban sharing genetic information absent consent or legal process; and
  • implement strong data security protections and privacy by design principles.

California lawmakers are currently considering SB 980 (the “Genetic Information Privacy Act”). SB 980 would establish obligations for direct-to-consumer genetic testing companies and others that collect or process genetic information. If passed by the legislature and approved by the Governor, the bill would become effective on January 1, 2021. 

Many of SB 980’s provisions align closely with FPF’s Best Practices, including the bill’s emphasis on consumers’ rights to notice, choice, and transparency. Leading direct-to-consumer genetic testing companies are already obliged to follow the Best Practices, as they have made public commitments that are enforceable by the Federal Trade Commission and state Attorneys General. SB 980’s provisions would extend these requirements to all covered entities that do business in California. 

Some of SB 980’s provisions diverge from the FPF Best Practices. For example, FPF’s Best Practices and SB 980 both require companies to obtain opt-in consent before they use DNA test results for marketing, but proposed amendments to SB 980 would further require companies to provide consumers with an opportunity to opt out of contextual marketing – ads placed on web pages and apps based on page content rather than sensitive personal information. SB 980’s treatment of contextual advertising is also inconsistent with the California Privacy Rights Act of 2020 (CPRA) – the comprehensive privacy ballot initiative that would govern the use of much sensitive health data and would not require companies to provide an opt-out for non-personalized, contextual advertising. In addition, SB 980 diverges from FPF’s Best Practices regarding government access to DNA information, with SB 980 preserving an option for companies to voluntarily provide genetic data to law enforcement in the absence of a court order or consumer consent; FPF’s Best Practices would prohibit such disclosures in most cases. 

Below, we analyze SB 980’s approach to: (1) consent; (2) marketing; (3) privacy policies; (4) research; and (5) penalties and enforcement. We also examine (6) several other federal and state laws that currently regulate genetic privacy. 

  1. Consent for Genetic Data

FPF’s Best Practices and SB 980 take similar approaches – requiring different methods of consent (express opt-in vs. opt-out), depending on the sensitivity and uses of the data. Both SB 980 and the Best Practices emphasize express, affirmative consent as a baseline requirement for collecting genetic information. They each require that companies provide opt-out consent mechanisms for consumers regarding use of non-genetic information, such as purchase histories or web browsing information.

FPF’s Best Practices require initial express consent for genetic information collection, as well as separate express consent for the use of genetic material outside of the initial scope of collection. Secondary express consent is also required before a company engages in the onward transfer of individual-level information or the use of genetic information for incompatible or materially different secondary uses. Companies are also required to provide additional consent measures for consumers or organizations that submit genetic information on behalf of others. In a similar vein, SB 980 would require prior authorization from consumers for the initial collection of their genetic information and separate authorization for each subsequent disclosure.

FPF’s Best Practices define express consent as a consumer’s statement or clear affirmative action in response to a clear, meaningful, and prominent notice, while encouraging companies to use flexible consent mechanisms that are effective within the context of the service, in-app or in-browser experience, and relationship between the company and individual. 

  2. Marketing

The FPF Best Practices and SB 980 differ in their approach to consent for marketing and advertising purposes, including marketing on the basis of non-genetic information. The Best Practices prohibit companies from marketing to consumers on the basis of their genetic information, unless the consumer provides separate express consent for such marketing or marketing is clearly described in the initial express consent as a primary function of the product or service. Marketing to a consumer on the basis of their purchase history is permitted if the consumer is provided the option to opt-out of such marketing. Marketing to anyone under the age of 18 is prohibited. 

The Best Practices do not require companies to obtain opt-in consent or provide an opt-out for “customized content or offers by the company on its own websites and services.” This provision is intended to permit 1) contextual advertising (i.e., advertising that is tailored to the other content on a particular page on a website, rather than targeted to a particular user); and 2) first-party offers displayed to users on the basis of information within the same platform, such as when a logged in user receives an email offer based on information they viewed on the company’s own website while logged in. This approach aligns with leading privacy norms, including the approach taken by the Department of Health and Human Services in interpreting the Health Insurance Portability and Accountability Act (HIPAA), which exempts certain first-party communications related to treatment and health-related products from its definition of “marketing.” It is also consistent with the California Privacy Rights Act of 2020 (CPRA), the privacy ballot initiative that would establish rights to opt out of the sale and uses of sensitive health data and would codify a narrow exemption for non-personalized, contextual advertising.

Like FPF’s Best Practices, SB 980 also requires companies to obtain opt-in consent before marketing based on a consumer’s genetic data. A recent amendment would align SB 980’s and FPF’s approaches to marketing based on purchase history, requiring provision of an opt-out. However, a related SB 980 amendment would require companies to provide users with mechanisms to opt out of contextual advertising. This approach would be inconsistent with most leading norms, including HIPAA and the California Privacy Rights Act. This is because, in contrast to targeted or behavioral advertising, contextual advertising is not typically viewed as implicating significant privacy risks. Indeed, privacy advocates have cited contextual advertising as a privacy-protective model that displays marketing messages on web pages based on the content of the page, not information about an individual. 

  3. Privacy Policies

FPF’s Best Practices require companies to furnish privacy notices that are prominent, publicly accessible, and easy to read. The Best Practices require companies to include certain information within their policies, including standards regarding: data collection, consent, use, onward transfer, access, security, and retention/deletion practices. Furthermore, the Best Practices note that “a high-level overview of the key principles should be provided preceding the full privacy policy.” The overview should take the form of a short document or statement that provides basic, essential information, including whether the privacy policy for genetic information is different than that of other data (e.g. registration data, browsing (cookies or website) tracking, and/or personal information). 

Similarly, SB 980 would require all direct-to-consumer genetic or illness testing services companies to provide consumers with “clear and complete information regarding the company’s policies and procedures for the collection, use, and disclosure, of genetic data” through “a summary of its privacy practices, written in plain language” and “a prominent and easily accessible privacy notice.”  

  4. Research

FPF’s Best Practices encourage the socially beneficial use of genetic information in research while providing strong privacy protections. This nuanced approach strikes a careful balance between the societal benefits of genetic research and individuals’ privacy interests. The Best Practices require companies to obtain informed consent before using identifiable data for research, and promote research on strongly deidentified datasets. The Best Practices require companies to engage in consumer education and make resources available regarding the implications and consequences of research.

The consumer genetic and personal genomic testing industry produces an unprecedented amount of genetic information, which in turn provides the research community the ability to analyze large and diverse genetic datasets. Genetic research enables scientists to better understand the role of genetic variation in our ancestry, health, well-being, and more. In order to recognize the role of big data in corporate research and the difficulty of obtaining individual consent (see Omer Tene and Jules Polonetsky’s Beyond IRBs: Ethical Guidelines for Data Research, identifying the regulatory gaps between federally funded human subject research and corporate research), the Best Practices recognize the important role of Institutional Review Boards (IRBs) and ethical review processes.

FPF’s Best Practices also provide incentives for researchers and others to deidentify genetic data when practical. Deidentification of genetic information is an incredibly complex issue (see FPF and Privacy Analytics’s “A Practical Path Toward Genetic Privacy”), and the risk of reidentification of genetic data can be limited by rigorous technical, legal, and organizational controls.

SB 980 also requires informed consent before using data for research, “in compliance with the federal policy for the protection of human research subjects” — effectively the same standard as the FPF Best Practices. Similarly, SB 980 also promotes strong deidentification of data, meaning data that “cannot be used to infer information about, or otherwise be linked to, a particular identifiable individual,” provided it is also subject to public commitments and contractual obligations to not make attempts to reidentify the data.

  5. Penalties and Enforcement

Companies that have publicly committed to comply with FPF’s Best Practices are subject to enforcement by the Federal Trade Commission (FTC) under the agency’s Section 5 authority to prohibit deceptive trade practices. State Attorneys General and other authorities have similar powers to bring enforcement actions against companies that violate broadly applicable consumer protection laws. 

SB 980 includes a tiered penalty structure, with negligent violations of the act subject to civil penalties not to exceed one thousand dollars ($1,000) and willful violations between $1,000 and $10,000 plus court costs. Penalties for willful violations would be paid to the individual to whom the genetic information pertains. Penalties could add up quickly – they are calculated on a per violation, per consumer basis. Earlier versions of SB 980 included criminal penalties; the bill sponsors recently removed criminal liability in favor of a higher civil penalty, raising the maximum fine from $5,000 to $10,000.

  6. Other Federal and State Laws

In the United States, a growing number of sectoral laws are applicable to companies that process genetic information. The federal Genetic Information Nondiscrimination Act (GINA) prevents genetic discrimination in health insurance and employment, but GINA does not prohibit discrimination in life insurance, disability or long term care insurance, nor does it provide general privacy protections or limits on law enforcement uses. In an attempt to close regulatory gaps, several states have enacted legislation around law enforcement access to genetic information and discriminatory practices on behalf of life insurance organizations.

Key state laws governing genetic information include:

  • Alaska’s Genetic Privacy Act (2004), which regulates access, retention, and disclosure of genetic information without the “informed and written consent” of the consumer; recognizes that both the genetic information and the DNA samples collected are the property of the consumer; and provides for both civil and criminal penalties for violations of genetic privacy rights. Alaska’s law does not require valid legal process (such as a court order) for law enforcement access to genetic information.
  • Florida’s House Bill 1189, Genetic Information for Insurance Purposes (passed and awaiting the Governor’s approval as of March 2020), would bar life, disability and long-term care insurance companies from using consumer genetic test results for coverage purposes. 
  • Nevada’s comprehensive Genetic Information Act (2013) prohibits the collection, retention, or disclosure of genetic information without prior consent from the individual; requires law enforcement to obtain a court order prior to accessing genetic information; provides consumers the right to inspect and obtain genetic records; requires entities holding genetic information to destroy that information if consent is withdrawn; and provides criminal penalties and a private right of action for violations of the law.

Conclusion

Genetic and personal genomic tests increase consumers’ access to and control of their genetic information; empower consumers to learn more about their biology and take a proactive role in their health, wellness, ancestry, and lifestyle; and enhance biomedical research efforts. The consumer genetic and personal genomic testing industry is producing an unprecedented amount of genetic information, which provides the research community the ability to analyze a significantly larger and more diverse range of genetic data to observe and discover new patterns and connections. Access to genetic information enables researchers to gain a better understanding of the role of genetic variation in our ancestry, health, well-being, and much more. While genetic information poses incredible benefits, genetic information is also sensitive information that warrants a high standard of privacy protection. 

FPF’s Best Practices provide a model for strong privacy safeguards with detailed provisions that support clinical research and public health. Key portions of California SB 980 are consistent with the Best Practices, and would require all companies to provide consumers with important transparency, choice, and security safeguards. Several SB 980 amendments and provisions diverge from the Best Practices in important ways, including how the bill would treat contextual advertising and government access to data.