See other bills
under the
same topic
PRINTER'S NO. 2665
THE GENERAL ASSEMBLY OF PENNSYLVANIA
HOUSE BILL
No.
2283
Session of
2022
INTRODUCED BY KINKEAD, HILL-EVANS, SANCHEZ, N. NELSON, ZABEL,
SCHLOSSBERG, KINSEY, MADDEN, BURGOS, DeLUCA, ISAACSON,
BRADFORD, ROZZI, CIRESI, DELLOSO, STURLA, DIAMOND AND
SHUSTERMAN, JANUARY 26, 2022
REFERRED TO COMMITTEE ON CONSUMER AFFAIRS, JANUARY 26, 2022
AN ACT
Providing for privacy, transparency and compensation regarding
the disclosure of information collected by genetic material
testing entities; and providing for powers and duties of the
Office of Attorney General.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. Short title.
This act shall be known and may be cited as the Genetic
Materials Privacy and Compensation Act.
Section 2. Definitions.
The following words and phrases when used in this act shall
have the meanings given to them in this section unless the
context clearly indicates otherwise:
"Data collection." Information collected, or planned to be
collected, by a genetic material testing entity about the
content accessed, personal identifiers, reports or knowledge
derived from testing and any other reports or statistics
combined with the information or data.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
"Genetic material." Deoxyribonucleic acid, including
mitochondrial DNA, complementary DNA, and DNA derived from
ribonucleic acid, including a gene, chromosome or alteration of
a gene or chromosome that may be tested to determine the
existence or risk of a disease, disorder, trait, propensity,
syndrome or information identifying an individual or a blood
relative. The term does not include family history or a
genetically transmitted characteristic whose existence or
identity is determined through means other than a genetic test.
"Genetic material testing." DNA or genetic typing and
testing to determine the presence or absence of genetic
characteristics in an individual, including a test of nucleic
acids or chromosomes in order to diagnose or identify a genetic
characteristic. The term does not include a routine physical
measurement; a test for drugs, alcohol, cholesterol, human
immunodeficiency virus; a chemical, blood, or urine analysis; or
other diagnostic test that is widely accepted and in use in
clinical practice.
"Genetic material testing entity." An entity collecting,
testing or otherwise analyzing the genetic material of
individuals, including:
(1) A medical facility.
(2) An entity that provides genealogy services.
(3) A law enforcement official.
"Prominently disclose." To communicate in a manner that is
difficult to miss and easily understandable by ordinary
individuals, including the following:
(1) A visual disclosure that, by its size, contrast,
location, length, appearance and other characteristics,
stands out from accompanying text or other visual elements so
20220HB2283PN2665 - 2 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
that it is easily noticed, read and understood.
(2) An audible disclosure, including by telephone or
streaming video, that is delivered in a volume, speed and
cadence sufficient for ordinary individuals to easily hear
and understand.
(3) An interactive electronic medium, such as in
connection with an update to device firmware, the disclosure
of which is unavoidable.
(4) A disclosure that uses diction and syntax
understandable to ordinary individuals and appears in each
language in which the triggering representation appears.
(5) A disclosure that complies with the requirements in
each medium through which it is received, including all
electronic devices and face-to-face communications.
(6) A disclosure that is not contradicted, mitigated by
or inconsistent with anything else in the communication.
When the communication targets a specific audience, such as
children, the elderly or the terminally ill, the term
"ordinary individuals" includes reasonable members of that
group.
"Third party." An entity that gathers or otherwise has
access to an individual's genetic material whether obtained for
the entity's purposes or accessed from another entity.
Section 3. Disclosure requirements.
(a) General rule.--In addition to other requirements imposed
by law, a genetic material testing entity, directly or through a
corporation, subsidiary, division, website or other device or
affiliate, may not misrepresent, expressly or by implication:
(1) The extent to which data is collected, used or
maintained or methods for protecting the privacy,
20220HB2283PN2665 - 3 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
confidentiality or security of genetic material.
(2) The purpose of the collection, use or disclosure of
genetic material.
(b) Notice and consent.--
(1) A genetic material testing entity or third party,
directly or through a corporation, subsidiary, division,
website or other device or affiliate, in connection with the
collection of genetic material of an individual, shall:
(i) Prior to collection of the genetic material
undertaken after the effective date of this section,
prominently disclose to the individual, separate and
apart from a privacy policy, terms of use page or other
similar documents, the following:
(A) The type of genetic material that will be
collected and used.
(B) The type of genetic material that will be
shared with a third party.
(C) The identity of the third party.
(D) The purpose for any genetic testing entity
sharing of the data collected.
(E) A data sharing agreement between the genetic
testing entity or third party and a Federal, State or
local law enforcement agency or other government
agency.
(ii) Obtain the individual's affirmative express
consent to the genetic material collection as follows:
(A) At the time the disclosure under
subparagraph (i) is made.
(B) Upon a material change to the terms
disclosed under subparagraph (i).
20220HB2283PN2665 - 4 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(iii) Provide instruction, if the individual's
affirmative express consent is sought under subparagraph
(ii), for how the individual may revoke consent to the
genetic material collection and sharing.
(iv) Obtain the individual's affirmative express
consent to continued genetic material collection or
sharing.
(2) A genetic testing entity or third party, directly or
through a corporation, subsidiary, division, website or other
device or affiliate, may not collect the genetic material of
an individual who does not provide affirmative express
consent under paragraph (1)(ii).
(3) A genetic material testing entity or third-party
collecting or accessing the genetic material of an individual
shall not provide information on the genetic material to law
enforcement without a warrant or the explicit, affirmative
permission of the individual providing the genetic material.
Section 4. Compensation.
(a) General rule.--A genetic material testing entity or
third party collecting or accessing the genetic material of an
individual is prohibited from:
(1) selling or donating information about an
individual's genetic material without getting express
authorization from the individual or, in the case the
individual is deceased, the next of kin; and
(2) providing fair and adequate compensation at a rate
of not less than 90% of the amount received in compensation
for the sale of the individual's genetic material.
(b) Nonapplicability.--Subsection (a)(2) does not apply if
an individual or, in the case the individual is deceased, the
20220HB2283PN2665 - 5 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
next of kin, makes a voluntary and direct genetic material
donation of the individual's genetic material for medical
treatment or medical or scientific study.
Section. 5. Genetic materials database requests.
(a) Insurance companies.--An insurance company may not
request genetic material or related data of an insured or an
individual applying for insurance from a company or entity
maintaining a genetic database.
(b) Employers.--An employer may not request genetic material
or related data of an employee or a prospective employee from a
company or entity maintaining a genetic database.
Section 6. Data deletion requirements.
(a) General rule.--Within 120 days of the effective date of
this section, a genetic material testing entity or third party,
in connection with genetic material collection for a product or
service, and any person or entity in active concert or
participation, directly or through a corporation, subsidiary,
division, website or other device or affiliate, shall destroy
genetic material collected prior to the effective date of this
section, except:
(1) If the genetic material collected was requested by a
government agency or required by law, regulation or court
order, including without limitation as required by rules
applicable to the safeguarding of evidence in pending
litigation.
(2) If the individual associated with the genetic
material collected has expressly consented to the collection,
use or disclosure as provided under section 3(b).
(b) Individual request.--After the effective date of this
section, a genetic material testing entity or third party in
20220HB2283PN2665 - 6 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
connection with genetic material collection, and any person or
entity in active concert or participation with a genetic
material testing entity or third party, directly or through a
corporation, subsidiary, division, website or other device or
affiliate, shall destroy the genetic material within 30 days of
the individual requesting that the genetic material be
destroyed.
Section 7. Mandated genetic materials privacy program.
(a) General rule.--A genetic material testing entity or
third party, directly or through a corporation, subsidiary,
division, website or affiliate, shall establish, implement and
maintain a comprehensive privacy program that is reasonably
designed to:
(1) Address privacy risks related to the development and
management of new and existing products and services for
individuals.
(2) Protect the privacy and confidentiality of genetic
material collected directly or indirectly by a genetic
material testing entity or third party, directly or through a
corporation, subsidiary, division, website or other device or
affiliate.
(b) Requirements.--A privacy program, the content and
implementation of which shall be documented in writing, shall
contain controls and procedures appropriate to the size and
complexity of the party collecting the genetic material, the
nature and scope of the party's activities and the sensitivity
of the genetic material, including:
(1) The designation of an employee or employees to
coordinate and be responsible for the privacy program.
(2) The identification of reasonably foreseeable risks,
20220HB2283PN2665 - 7 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
both internal and external, that could result in the
unauthorized collection, use or disclosure by the party
collecting the genetic material or its agents and an
assessment of the sufficiency of any safeguards in place to
control these risks. At a minimum, the risk assessment shall
include consideration of risks in each area of relevant
operation, including:
(i) Employee training and management including
training on the requirements of this act.
(ii) Product design, development and research.
(3) The design and implementation of reasonable controls
and procedures to address risks and regular testing or
monitoring of the effectiveness of those controls and
procedures.
(4) The development and use of reasonable steps to
select and retain Internet service providers capable of
appropriately protecting the privacy of information they
receive from the genetic material testing entity or third
party or its agents and requiring the Internet service
providers, by contract, to implement and maintain appropriate
privacy protections for genetic material.
(5) The evaluation and adjustment of the genetic
material testing entity or third party's privacy program in
light of the results of the testing and monitoring required
under paragraph (3), a change to the genetic material testing
entity or third party operations or business arrangements or
other circumstance that the manufacturer or third party or
its agents know or have reason to know may have an impact on
the effectiveness of the privacy program.
Section 8. Ownership.
20220HB2283PN2665 - 8 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
Individuals shall have inherent ownership rights for their
genetic material and a privacy interest in it, even when
voluntarily providing their genetic material to a for-profit
company.
Section 9. Violations.
Conduct that is unlawful or otherwise prohibited under this
act shall constitute an "unfair method of competition" and
"unfair or deceptive act or practice" under section 2 of the act
of December 17, 1968 (P.L.1224, No.387), known as the Unfair
Trade Practices and Consumer Protection Law, and shall be
subject to enforcement and the remedies as provided in that act.
Section 10. Remedies available to individuals.
Nothing in this act shall be construed to limit the remedies
available to individuals, the Attorney General or a district
attorney under the act of December 17, 1968 (P.L.1224, No.387),
known as the Unfair Trade Practices and Consumer Protection Law,
or other Federal or State law.
Section 11. Effective date.
This act shall take effect in 120 days.
20220HB2283PN2665 - 9 -
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19