PRINTER'S NO. 1787
THE GENERAL ASSEMBLY OF PENNSYLVANIA
SENATE BILL No. 1291
Session of 2022
INTRODUCED BY GORDNER, PHILLIPS-HILL, BARTOLOTTA, LAUGHLIN,
DUSH, STEFANO AND MENSCH, JUNE 16, 2022
REFERRED TO CONSUMER PROTECTION AND PROFESSIONAL LICENSURE,
JUNE 16, 2022
AN ACT
Providing for genetic information privacy and setting penalties
for violations.
The General Assembly of the Commonwealth of Pennsylvania
hereby enacts as follows:
Section 1. Short title.
This act shall be known and may be cited as the Genetic
Information Privacy Act.
Section 2. Definitions.
The following words and phrases when used in this act shall
have the meanings given to them in this section unless the
context clearly indicates otherwise:
"Biological sample." Human material known to contain DNA.
The term includes tissue, blood, urine or saliva.
"Company." A direct-to-consumer entity that:
(1) offers consumer genetic testing products or services
directly to consumers; or
(2) collects, uses or analyzes genetic data that a
consumer provides to the entity.
"Consumer." A resident of this Commonwealth.
"Deidentified data." Data that:
(1) cannot be reasonably linked to an identifiable
individual; and
(2) is possessed by a company that:
(i) takes administrative or technical measures to
ensure that the data cannot be associated with a
particular consumer;
(ii) makes a public commitment to maintain and use
data in deidentified form and not attempt to re-identify
data; and
(iii) enters into a legally enforceable contractual
obligation that prohibits a recipient of the data from
attempting to re-identify the data.
"DNA." Deoxyribonucleic acid.
"Express consent." A consumer's affirmative response to a
clear, meaningful and prominent notice regarding the collection,
use or disclosure of genetic data for a specific purpose.
"Genetic data." Data, regardless of format, containing
information of a consumer's genetic characteristics. The term
includes any of the following:
(1) Raw sequence data that results from sequencing all
or a portion of a consumer's extracted DNA.
(2) Genotypic and phenotypic information obtained from
analyzing a consumer's raw sequence data.
(3) Self-reported health information regarding a
consumer's health conditions that the consumer provides to a
company for:
(i) Scientific research or product development.
20220SB1291PN1787 - 2 -
(ii) Analysis in connection with the consumer's raw
sequence data.
(4) The term does not include deidentified data.
"Genetic testing." A laboratory test of a consumer's
complete DNA, regions of DNA, chromosomes, genes or gene
products to determine the presence of genetic characteristics of
the consumer or an interpretation of the consumer's data.
Section 3. Consumer genetic information.
(a) Disclosure to consumer.--A company shall provide the
following information to consumers:
(1) Essential information about the company's data
collection, use and disclosure of genetic data.
(2) A privacy notice that is prominently and publicly
available and includes information about the company's data
collection, consent, use, access, disclosure, transfer,
security, retention and deletion practices.
(b) Express consent.--A company shall obtain each consumer's
express consent for collecting, use or disclosure of the
consumer's genetic data. Prior to giving express consent, the
company shall provide information to the consumer that:
(1) Clearly describes the company's use of the genetic
data that the company collects through the company's genetic
testing product or service.
(2) Specifies who has access to test results.
(3) Specifies how the company may share the genetic
data.
(c) Specific consent.--A company shall obtain:
(1) Separate express consent for the following services:
(i) The transfer or disclosure of the consumer's
genetic data to other than the company's vendors and
service providers.
(ii) The use of genetic data beyond the primary
purpose of the company's genetic testing product or
service.
(iii) The retention of biological samples provided
by the consumer following the company's completion of the
initial testing service requested by the consumer.
(2) Informed consent in accordance with the Federal
Policy for Protection of Human Subjects under 45 CFR Pt. 46
(relating to protection of human subjects), for transfer or
disclosure of the consumer's genetic data to a third party
for:
(i) Research purposes.
(ii) Research conducted under the control of the
company for the purposes of publication or generalized
knowledge.
(3) Express consent for:
(i) Marketing to a consumer based on the consumer's
genetic data.
(ii) Marketing by a third party person to a consumer
based on the consumer having ordered or purchased a
genetic testing product or service.
(d) Legal process.--A company must have a valid legal
process to disclose a consumer's genetic data to law enforcement
or a governmental entity without the consumer's express written
consent.
(e) Security of data.--A company shall develop, implement
and maintain a comprehensive security program to protect a
consumer's genetic data against unauthorized access, use or
disclosure.
(f) Consumer access to data.--A company shall provide a
process for a consumer to:
(1) Access the consumer's genetic data.
(2) Delete the consumer's genetic data.
(3) Destroy the consumer's biological sample.
(g) First-party data.--A company with a first-party
relationship to a consumer may, without obtaining the consumer's
express consent, provide customized content or offers on the
company's publicly accessible Internet website or through the
company's application or service.
Section 4. Prohibited disclosures.
A company may not disclose a consumer's genetic data without
written consent to:
(1) An entity that offers health insurance, life
insurance or long-term-care insurance.
(2) An employer of the consumer.
Section 5. Penalty.
The Office of Attorney General shall enforce this act by
filing civil actions against individuals or entities which are
in violation of this act. To enforce this act, the Office of
Attorney General may seek one or more of the following:
(1) Actual damages to the consumer.
(2) Costs.
(3) Attorney fees.
(4) A $2,500 penalty for each violation of this act.
Section 6. Applicability.
This act does not apply to:
(1) Protected health information that is collected by a
covered entity or business associate as defined in 45 CFR
Pts. 160 (relating to general administrative requirements)
and 164 (relating to security and privacy).
(2) A public or private institution of higher education.
(3) An entity owned or operated by a public or private
institution of higher education.
Section 7. Effective date.
This act shall take effect in 60 days.