BILL ANALYSIS

C.S.H.B. 2545

By: Capriglione

Business & Industry

Committee Report (Substituted)

BACKGROUND AND PURPOSE

 

There are many websites that allow individuals to explore their family heritage and genetic susceptibility through at-home DNA testing kits. However, the rise in these types of testing kits creates a market for many of these sites to sell genetic information to third parties such as pharmaceutical companies and online advertisers. Federal law, mainly the Genetic Information Nondiscrimination Act (GINA) of 2008, only limits the use of genetic information with respect to health insurance and employment, and Texas has passed a similar measure. Beyond those laws, Texas consumers using these kits have no protections to control their genetic data. C.S.H.B. 2545 seeks to address this issue by setting out provisions regarding the use of an individual's genetic data by direct-to-individual genetic testing companies for commercial purposes and by authorizing the imposition of a civil penalty for a violation of those provisions.

 

CRIMINAL JUSTICE IMPACT

 

It is the committee's opinion that this bill does not expressly create a criminal offense, increase the punishment for an existing criminal offense or category of offenses, or change the eligibility of a person for community supervision, parole, or mandatory supervision.

 

RULEMAKING AUTHORITY

 

It is the committee's opinion that this bill does not expressly grant any additional rulemaking authority to a state officer, department, agency, or institution.

 

ANALYSIS

 

C.S.H.B. 2545 amends the Business & Commerce Code to set out provisions regarding the use of an individual's genetic data by direct-to-individual genetic testing companies for commercial purposes and to authorize the imposition of a civil penalty for a violation of those provisions. The bill defines such a company as an entity that offers genetic testing products or services directly to individuals or that collects, uses, or analyzes genetic data that results from a direct‑to‑individual genetic testing product or service and that an individual provides to the entity. The bill applies only to genetic information obtained by a company on or after the bill's effective date.

 

Requirements for Certain Uses of Deidentified Data

 

C.S.H.B. 2545 requires a direct-to-individual genetic testing company that possesses an individual's deidentified data to do the following:

·         implement administrative and technical measures to ensure the data is not associated with a particular individual;

·         publicly commit to maintaining and using the data in deidentified form and refraining from making any attempt to identify an individual using the data; and

·         enter into a legally enforceable contractual obligation prohibiting a person from attempting to identify an individual using the data if the company shares the data with another person.

The bill defines "deidentified data" as data not reasonably linked to and that cannot reasonably be used to infer information about an identifiable individual.

 

Requirements for Certain Uses or Disclosure of Genetic Data and Biological Sample

 

C.S.H.B. 2545 requires a direct-to-individual genetic testing company to do the following:

·         develop, implement, and maintain a comprehensive security program to protect the data against unauthorized access, use, or disclosure;

·         make publicly available a high-level privacy policy overview that includes basic, essential information about the company's collection, use, or disclosure of the data and a prominent privacy notice with information about the company's data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices;

·         before collecting, using, or disclosing the data, provide to the individual information about the company's collection, use, and disclosure of genetic data the company collects through a genetic testing product or service, including information that:

o   clearly describes the company's use of the genetic data;

o   specifies the persons who have access to test results; and

o   specifies the manner in which the company may share the genetic data; and

·         provide a process for the individual to access the data, delete the individual's account and data, and destroy or require the destruction of the individual's biological sample.

 

Required Consent

 

C.S.H.B. 2545 requires a direct-to-individual genetic testing company to obtain from an individual the following forms of consent for the respective activities:

·         the company must obtain an individual's separate express consent for:

o   transfer or disclosure of the data to any person other than the company's vendors and service providers;

o   use of the data other than for the primary purpose of the company's genetic testing product or service; or

o   retention of any biological sample provided by the individual following the company's completion of the initial testing service requested by the individual;

·         the company must obtain an individual's informed consent in accordance with guidelines issued under applicable federal regulations for transfer or disclosure of the data to a third party for certain research purposes; and

·         the company must obtain an individual's express consent for marketing by the company to the individual based on genetic data or marketing by a third party to the individual based on the individual's ordering or purchasing of a genetic testing product or service.

For purposes of these consent provisions, "marketing" does not include providing customized content or offers to an individual with whom the company has a first-party relationship on the company's website or through an application or service provided by the company to the individual. In addition, "express consent" is defined for the bill's overall purposes as an individual's affirmative response to a clear and meaningful notice regarding the collection, use, or disclosure of genetic data for a specific purpose.

 

Prohibited Disclosures

 

C.S.H.B. 2545 prohibits a direct-to-individual genetic testing company from disclosing an individual's genetic data to a law enforcement entity or other governmental body unless the company obtains the individual's express written consent or the entity or body obtains a warrant or complies with another valid legal process required by the company.

 

C.S.H.B. 2545 prohibits a company from disclosing an individual's genetic data, without first obtaining the individual's written consent, to an entity that offers health insurance, life insurance, or long-term care insurance or the individual's employer.

 

Civil Penalty

 

C.S.H.B. 2545 makes a direct-to-individual genetic testing company that violates the bill's provisions liable to the state for a civil penalty in an amount not to exceed $2,500 for each violation and authorizes the attorney general to bring an action to recover the civil penalty and restrain and enjoin a violation, and to recover reasonable attorney's fees and court costs incurred in bringing the action.

 

Applicability

 

C.S.H.B. 2545 applies to a direct-to-individual genetic testing company that:

·         offers its products or services to individuals who are Texas residents; or

·         collects, uses, or analyzes genetic data that results from the company's products or services and was provided to the company by an individual who is a Texas resident.

The bill does not apply to the following:

·         a public, private, or independent institution of higher education;

·         an entity, only when it is engaged in collecting, using, or analyzing genetic data or biological samples in the context of research, as defined by specified federal regulation, that is conducted in accordance with:

o   the federal policy for the protection of human subjects;

o   the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use; or

o   the FDA policy for the protection of human subjects; or

·         genetic data that is protected health information collected by a covered entity or business associate, as defined by federal regulation, subject to the privacy, security, and breach notification rules under the federal Health Insurance Portability and Accountability Act of 1996.

 

EFFECTIVE DATE

 

September 1, 2023.

 

COMPARISON OF INTRODUCED AND SUBSTITUTE

 

While C.S.H.B. 2545 may differ from the introduced in minor or nonsubstantive ways, the following summarizes the substantial differences between the introduced and committee substitute versions of the bill.

 

The substitute includes a provision absent from the introduced establishing that the bill's provisions do not apply to a public, private, or independent institution of higher education.

 

Both the substitute and the introduced provide for the recovery of the civil penalty imposed by the bill and for restraining and enjoining violations of the bill's provisions. However, while the introduced provided for those actions by both the attorney general and a district attorney, the substitute authorizes only the attorney general to take those actions.