California Code
CHAPTER 2.6 - Genetic Privacy
Section 56.18.

56.18. (a) This chapter shall be known, and may be cited, as the Genetic Information Privacy Act.

(b) For purposes of this chapter, the following definitions apply:

(1) “Affirmative authorization” means an action that demonstrates an intentional decision by the consumer.

(2) “Biological sample” means any material part of the human, discharge therefrom, or derivative thereof, such as tissue, blood, urine, or saliva, known to contain deoxyribonucleic acid (DNA).

(3) “Consumer” means a natural person who is a California resident.

(4) “Dark pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decisionmaking, or choice.

(5) “Direct-to-consumer genetic testing company” means an entity that does any of the following:

(A) Sells, markets, interprets, or otherwise offers consumer-initiated genetic testing products or services directly to consumers.

(B) Analyzes genetic data obtained from a consumer, except to the extent that the analysis is performed by a person licensed in the healing arts for diagnosis or treatment of a medical condition.

(C) Collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer.

(6) “Express consent” means a consumer’s affirmative authorization to grant permission in response to a clear, meaningful, and prominent notice regarding the collection, use, maintenance, or disclosure of genetic data for a specific purpose. The nature of the data collection, use, maintenance, or disclosure shall be conveyed in clear and prominent terms in such a manner that an ordinary consumer would notice and understand it. Express consent cannot be inferred from inaction. Agreement obtained through use of dark patterns does not constitute consent.

(7) (A) “Genetic data” means any data, regardless of its format, that results from the analysis of a biological sample from a consumer, or from another element enabling equivalent information to be obtained, and concerns genetic material. Genetic material includes, but is not limited to, deoxyribonucleic acids (DNA), ribonucleic acids (RNA), genes, chromosomes, alleles, genomes, alterations or modifications to DNA or RNA, single nucleotide polymorphisms (SNPs), uninterpreted data that results from the analysis of the biological sample, and any information extrapolated, derived, or inferred therefrom.

(B) “Genetic data” does not include deidentified data. For purposes of this subparagraph, “deidentified data” means data that cannot be used to infer information about, or otherwise be linked to, a particular individual, provided that the business that possesses the information does all of the following:

(i) Takes reasonable measures to ensure that the information cannot be associated with a consumer or household.

(ii) Publicly commits to maintain and use the information only in deidentified form and not to attempt to reidentify the information, except that the business may attempt to reidentify the information solely for the purpose of determining whether its deidentification processes satisfy the requirements of this subparagraph, provided that the business does not use or disclose any information reidentified in this process and destroys the reidentified information upon completion of that assessment.

(iii) Contractually obligates any recipients of the information to take reasonable measures to ensure that the information cannot be associated with a consumer or household and to commit to maintaining and using the information only in deidentified form and not to reidentify the information.

(C) “Genetic data” does not include data or a biological sample to the extent that data or a biological sample is collected, used, maintained, and disclosed exclusively for scientific research conducted by an investigator with an institution that holds an assurance with the United States Department of Health and Human Services pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, in compliance with all applicable federal and state laws and regulations for the protection of human subjects in research, including, but not limited to, the Common Rule pursuant to Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, United States Food and Drug Administration regulations pursuant to Parts 50 and 56 of Title 21 of the Code of Federal Regulations, the federal Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g), and the Protection of Human Subjects in Medical Experimentation Act, Chapter 1.3 (commencing with Section 24170) of Division 20 of the Health and Safety Code.

(8) “Genetic testing” means any laboratory test of a biological sample from a consumer for the purpose of determining information concerning genetic material contained within the biological sample, or any information extrapolated, derived, or inferred therefrom.

(9) “Person” means an individual, partnership, corporation, association, business, business trust, or legal representative of an organization.

(10) “Service provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that is involved in the collection, transportation, and analysis of the consumer’s biological sample or extracted genetic material on behalf of the direct-to-consumer genetic testing company, or on behalf of any other company that collects, uses, maintains, or discloses genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer, or the delivery of the results of the analysis of the biological sample or genetic material. The contract between the company and the service provider shall prohibit the service provider from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, for any purpose other than for the specific purpose of performing the services specified in the contract for the business, including both of the following:

(A) A provision prohibiting the service provider from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, for a commercial purpose other than providing the services specified in the contract with the business.

(B) A provision prohibiting the service provider from associating or combining the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, with information the service provider has received from or on behalf of another person or persons, or has collected from its own interaction with consumers or as required by law.

(Added by Stats. 2021, Ch. 596, Sec. 2. (SB 41) Effective January 1, 2022.)