The DNA of Genetic Privacy Legislation: Montana, Tennessee, Texas, and Virginia Enter 2024 with New Genetic Privacy Laws Incorporating FPF’s Best Practices
In 2023, four states enacted new genetic privacy laws regulating direct-to-consumer genetic testing companies. This blog post provides details on what these new laws cover and how they compare to FPF’s widely-adopted Best Practices for Consumer Genetic Testing Services.
Genetic privacy has been under increasing scrutiny at the state and federal levels, and regulators are prioritizing efforts to examine how businesses handle and disclose genetic data. For instance, the Federal Trade Commission (FTC) obtained orders against genetic testing providers Vitagene (2023) and CRI Genetics (2023) over alleged deceptive trade practices, including a claim that Vitagene had left sensitive data unsecured and retroactively changed its privacy policy without user consent. The White House has also taken a keen interest in genetic data privacy protections; genetic data privacy was flagged as an area of interest in the Biden Administration’s recent executive order that seeks to restrict “countries of concern” from accessing Americans’ sensitive personal data in bulk. The Department of Justice has also indicated that genetic data will be a focus of an upcoming Advance Notice of Proposed Rulemaking related to the executive order.
While federal agencies and lawmakers have been active in this area, state legislators have been the most active in mandating protections for this particularly sensitive category of personal information. In 2023, Montana, Tennessee, Texas, and Virginia joined six other states (Arizona, California, Kentucky, Maryland, Utah, and Wyoming) that have enacted privacy laws for direct-to-consumer genetic testing companies. These four newly enacted laws follow the trend of the six existing laws in adopting baseline requirements–including requirements to publish privacy notices and create consumer rights of access and deletion–in line with FPF’s Privacy Best Practices for Consumer Genetic Testing Services, first released in 2018.
However, the four state laws leave out key elements of the best practices around transparency about law enforcement access to data, children’s and teens’ online privacy, and consent for revised privacy policies that reflect the use of emerging technologies in genetic testing. As these privacy issues take center stage in 2024, states should consider expanding the scope of direct-to-consumer genetic testing privacy laws to address emerging technologies like artificial intelligence and persistent concerns about law enforcement access to data and minors’ rights to their genetic data.
New State Laws on Genetics Privacy Include Strong, Important Protections for Individuals
These four new state genetic privacy laws largely incorporate the foundational principles of the Future of Privacy Forum’s 2018 best practices. All four states’ genetic privacy laws create a consumer right to access and delete personal data, prohibit sharing genetic information with insurers and employers, and require companies to create a comprehensive security program to protect individuals’ data. All four laws also require companies to collect separate express consent to use data for marketing, research, and third-party sharing, with some laws extending this requirement to any secondary use or additional retention of individuals’ genetic data.
Laws in Tennessee, Texas, and Virginia exclude de-identified data from their definitions of “genetic data.” This is in line with FPF’s best practices on de-identified data, which note that de-identified data is not subject to the remaining best practices, as long as “de-identification measures taken establish strong assurance that the data is not identifiable.” In addition, Tennessee, Texas and Virginia follow the guidance from the FTC and the Department of Health and Human Services (HHS) for de-identified data; the three state laws require that companies (1) take measures to ensure that individuals’ data cannot be linked to them, (2) commit to maintain and use data only in its de-identified form, and (3) contractually obligate data recipients to do the same.
Montana and Texas, meanwhile, each go beyond any existing consumer genetic privacy laws and the scope of FPF’s best practices to create additional requirements for direct-to-consumer genetic testing companies. Montana imposed data localization requirements for its residents’ genetic data and Texas established a property right for its residents over their genetic samples and data.
New State Laws Differ on Key Privacy Issues, Including Law Enforcement Access to Data, Kids’ Privacy Needs, and Transparency
The four state genetic privacy laws passed in 2023 are the first such laws to be passed in the wake of the Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization, which overruled the precedent set in Roe v. Wade and negated constitutional protections for reproductive health services. These four new laws have created essential genetic data privacy protections in line with the existing direct-to-consumer genetic privacy laws, but they differ on some key privacy issues that are the subjects of intense debate, including law enforcement access to data, children’s and teens’ online privacy, and transparency requirements around changing privacy policies to consider emerging technologies, including AI.
Law Enforcement Access to Data
FPF’s best practices call for genetic testing companies to notify individuals when their personal data is shared with law enforcement agencies and to publicly report on data requests from law enforcement on at least an annual basis. In the wake of Dobbs, the processes by which law enforcement agencies may gain access to health data have come under increased public and regulatory scrutiny. Data collected by direct-to-consumer genetic testing companies may reveal relationship and health data that could be used in abortion prosecutions; for example, fetal tissue samples could be compared to genetic data held by direct-to-consumer genetic testing companies to determine paternity or maternity, and retained biological samples could be repurposed by law enforcement for saliva-based pregnancy tests. As a result, even though none of the four laws specifically refer to reproductive health data or post-Dobbs privacy issues, some of them may impact how law enforcement can access genetic data to enforce restrictions on abortion and how direct-to-consumer genetic testing companies may respond to law enforcement requests for data.
Of the four laws, only Montana’s specifies that government agencies must provide a warrant to access genetic data after June 1, 2025, unless the disclosure is otherwise permitted by a specific state law. Two of the remaining new genetic privacy laws (Tennessee and Texas) explicitly permit law enforcement and government agencies to access individuals’ genetic data with valid legal process, which may include a warrant or subpoena, depending on the specific data being requested. While legal process may require notification to the impacted individual, in practice individuals can be prevented from receiving that notice under non-disclosure provisions. Only Virginia’s law does not specify detailed procedural requirements for genetic testing companies to share data with government agencies.
While the four state laws diverge in their requirements for valid legal process and consumer notification, none of the laws include a requirement for companies to publish reports on data requests from law enforcement agencies. Leading direct-to-consumer genetic testing companies, including 23andMe and Ancestry, voluntarily publish reports on government requests for consumers’ data, and both of those companies publish such reports multiple times a year. Those reports are often not broken out by topic or type of data. Notably, some of the disclosures in these reports may be limited by law, including the U.S. Foreign Intelligence Surveillance Act.
Children’s and Teens’ Online Privacy
In recognition of the need for heightened privacy protections for children, FPF’s best practices recommend that direct-to-consumer genetic testing companies not market or directly offer their services to minors (under age 18). When parents and guardians provide consent for minors to submit their DNA samples, FPF recommends that genetic testing companies provide minors with a right to access their data and become the primary account holder once they reach age 18.
2023 was also a banner year for debate around children’s online privacy and safety issues, including a unanimous vote by the Senate Commerce Committee to advance a bill to expand children’s privacy protections and cover teens aged 13 to 16. However, despite FPF’s recommendations and the recent attention given to children’s online privacy, none of the four state genetic privacy laws explicitly address children’s privacy interests when engaging with direct-to-consumer genetic testing companies, including scenarios where parents and guardians may submit genetic samples on behalf of their children.
Emerging Technologies and New Privacy Policies
Consent is an important part of all of the new genetic privacy laws, in line with the baseline standards for consent established in the six other existing state laws and in FPF’s best practices. Montana, Tennessee, and Virginia establish a specific requirement for direct-to-consumer genetic testing companies to collect initial express consent from users seeking genetic testing products and services; this initial consent must specify the inherent contextual uses of the data. Texas does not specifically require initial express consent but does require separate express consent for several different types of data processing.
FPF’s best practices state that companies should notify individuals and seek their consent before making any changes to privacy policies. Over the past year, this has also become a major topic for regulatory enforcement. For instance, in 2023, the FTC issued its first genetic privacy enforcement action. In the Vitagene (2023) case, the FTC argued that the company engaged in deceptive behavior when it updated its privacy policy in 2020 and retroactively expanded third-party data sharing without notifying existing consumers or seeking their consent for the policy change. In the press release about the settlement order, Director of the FTC Bureau of Consumer Protection Samuel Levine noted, “[c]ompanies that try to change the rules of the game by re-writing their privacy policy are on notice” for any unilateral applications of new privacy policies to existing consumer data.
The practice of ensuring that consent is obtained with updates to privacy policies and practices is becoming more important with the incorporation of new technologies into genetic testing business models. As AI becomes increasingly integrated in direct-to-consumer genetic testing companies’ platforms and product offerings, the inherent contextual uses of individuals’ genetic data may evolve, requiring updates to privacy policies.
All four laws also require entities to collect separate express consent for any secondary uses of individuals’ genetic data that are beyond the scope of the initial genetic testing product or service. However, none of the four laws explicitly include any procedural requirements for how companies should collect consent before implementing policy changes. The absence of an explicit provision in the laws means that the need to notify individuals of policy changes and seek consumer consent to implement those changes will largely be a matter of judicial or regulatory interpretation, and may vary from state to state.
State Legislatures Should Consider Expanded Genetic Privacy Protections in 2024
In addition to the four states that enacted genetic privacy laws in 2023, eight other states considered bills to regulate direct-to-consumer genetic testing companies’ privacy practices, demonstrating state lawmakers’ growing appetite for state genetic privacy legislation in the absence of comprehensive federal legislation. The 2024 legislative session is another opportunity for additional states to establish new protections, and state legislatures in Alabama, Indiana, Nebraska, and West Virginia have already considered legislation largely based on FPF’s best practices.
2024 is also an opportunity for states with existing laws, including the four states that passed laws in 2023, to establish additional protections for individuals’ genetic data and adopt FPF’s best practices around law enforcement access to data, minors’ rights to their genetic data, and transparency for privacy policy changes. While these laws establish baseline genetic privacy protections that are in line with FPF’s best practices and consistent with existing state genetic privacy laws, they have left space for future legislators to further consider additional protections needed in the areas of law enforcement access to data post-Dobbs, children’s and teens’ online privacy, and direct-to-consumer genetic testing companies’ embrace of emerging technologies.
By fully incorporating FPF’s best practices, states can promote a more privacy-protective genetic testing ecosystem and strive to better address the privacy issues that emerged in 2023 and continue to be a priority in 2024. In doing so, states can also raise the standard for genetic data privacy and effectively complement the federal government’s approach to regulating direct-to-consumer genetic testing companies.