A BILL TO BE ENTITLED

AN ACT

relating to the use of an individual's genetic data by certain genetic testing companies for commercial purposes; authorizing a civil penalty.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:

SECTION 1. Subtitle A, Title 11, Business & Commerce Code, is amended by adding Chapter 503A to read as follows:

CHAPTER 503A. DIRECT-TO-INDIVIDUAL GENETIC TESTING COMPANIES

Sec. 503A.001. DEFINITIONS. In this chapter:
(1) "Biological sample" means a material part of the human body, or a discharge or derivative part of the body, including tissue, blood, urine, or saliva that is known to contain DNA.
(2) "Deidentified data" means data not reasonably linked to and that cannot reasonably be used to infer information about an identifiable individual.
(3) "Direct-to-individual genetic testing company" means an entity that:
(A) offers genetic testing products or services directly to individuals; or
(B) collects, uses, or analyzes genetic data that results from a direct-to-individual genetic testing product or service and that an individual provides to the entity.
(4) "DNA" means deoxyribonucleic acid.
(5) "Express consent" means an individual's affirmative response to a clear and meaningful notice regarding the collection, use, or disclosure of genetic data for a specific purpose.
(6) "Genetic data" means any data, regardless of format, concerning an individual's genetic characteristics. The term:
(A) includes:
(i) raw sequence data derived from sequencing all or a portion of an individual's extracted DNA;
(ii) genotypic and phenotypic information obtained from analyzing an individual's raw sequence data; and
(iii) health information regarding the health conditions that an individual self-reports to a company and that the company:
(a) uses for scientific research or product development; and
(b) analyzes in connection with the individual's raw sequence data; and
(B) does not include deidentified data.
(7) "Genetic testing" means a laboratory test of an individual's complete DNA, regions of DNA, chromosomes, genes, or gene products to determine the presence of the individual's genetic characteristics.
(8) "Person" means an individual, partnership, corporation, association, business, or business trust or the legal representative of an organization.

Sec. 503A.002. APPLICABILITY. (a) This chapter applies to a direct-to-individual genetic testing company that:
(1) offers its products or services to individuals who are residents of this state; or
(2) collects, uses, or analyzes genetic data that results from the company's products or services and was provided to the company by an individual who is a resident of this state.
(b) This chapter does not apply to:
(1) an entity only when they are engaged in collecting, using, or analyzing genetic data or biological samples in the context of research, as defined by 45 C.F.R. Section 164.501, that is conducted in accordance with:
(A) the federal policy for the protection of human subjects (45 C.F.R. Part 46);
(B) the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use (ICH); or
(C) the United States Food and Drug Administration policy for the protection of human subjects (21 C.F.R. Parts 50 and 56); or
(2) genetic data that is protected health information collected by a covered entity or business associate, as defined by 45 C.F.R. Part 160, subject to the privacy, security, and breach notification rules under the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.).

Sec. 503A.003. REQUIREMENTS FOR CERTAIN USES OF DEIDENTIFIED DATA. (a) Except as otherwise provided by this chapter or other law, a direct-to-individual genetic testing company that possesses an individual's deidentified data shall:
(1) implement administrative and technical measures to ensure the data is not associated with a particular individual; and
(2) publicly commit to maintaining and using data in deidentified form and refraining from making any attempt to identify an individual using the individual's deidentified data.
(b) If a direct-to-individual genetic testing company shares an individual's deidentified data with another person, the company shall enter into a legally enforceable contractual obligation prohibiting the person from attempting to identify an individual using the individual's deidentified data.

Sec. 503A.004. REQUIREMENTS FOR CERTAIN USES OR DISCLOSURE OF GENETIC DATA AND BIOLOGICAL SAMPLE. (a) A direct-to-individual genetic testing company shall:
(1) develop, implement, and maintain a comprehensive security program to protect an individual's genetic data against unauthorized access, use, or disclosure; and
(2) make publicly available:
(A) a high-level privacy policy overview that includes basic, essential information about the company's collection, use, or disclosure of genetic data; and
(B) a prominent privacy notice that includes information about the company's data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices.
(b) Before collecting, using, or disclosing an individual's genetic data, a direct-to-individual genetic testing company shall provide to the individual information about the company's collection, use, and disclosure of genetic data the company collects through a genetic testing product or service, including information that:
(1) clearly describes the company's use of the genetic data;
(2) specifies the persons who have access to test results; and
(3) specifies the manner in which the company may share the genetic data.
(c) A direct-to-individual genetic testing company shall provide a process for an individual to:
(1) access the individual's genetic data;
(2) delete the individual's account and genetic data; and
(3) destroy or require the destruction of the individual's biological sample.

Sec. 503A.005. REQUIRED CONSENT. (a) A direct-to-individual genetic testing company engaging in any of the following activities must obtain:
(1) an individual's separate express consent for:
(A) the transfer or disclosure of the individual's genetic data to any person other than the company's vendors and service providers;
(B) the use of genetic data for a purpose other than the primary purpose of the company's genetic testing product or service; or
(C) the retention of any biological sample provided by the individual following the company's completion of the initial testing service requested by the individual;
(2) an individual's informed consent in accordance with guidelines for the protection of human subjects issued under 45 C.F.R. Part 46, for transfer or disclosure of the individual's genetic data to a third party for:
(A) research purposes; or
(B) research conducted under the control of the company for the purpose of publication or generalizable knowledge; and
(3) an individual's express consent for:
(A) marketing by the company to the individual based on the individual's genetic data; or
(B) marketing by a third party to the individual based on the individual's ordering or purchasing of a genetic testing product or service.
(b) For purposes of Subsection (a), "marketing" does not include providing customized content or offers to an individual with whom a direct-to-individual genetic testing company has a first-party relationship on the company's Internet website or through an application or service provided by the company to the individual.

Sec. 503A.006. PROHIBITED DISCLOSURES. (a) A direct-to-individual genetic testing company may not disclose an individual's genetic data to a law enforcement entity or other governmental body unless:
(1) the company first obtains the individual's express written consent; or
(2) the entity or body obtains a warrant or complies with another valid legal process required by the company.
(b) A direct-to-individual genetic testing company may not disclose, without first obtaining an individual's written consent, the individual's genetic data to:
(1) an entity that offers health insurance, life insurance, or long-term care insurance; or
(2) an employer of the individual.

Sec. 503A.007. CIVIL PENALTY. (a) A direct-to-individual genetic testing company that violates this chapter is liable to this state for a civil penalty in an amount not to exceed $2,500 for each violation.
(b) The attorney general or a district attorney may bring an action to recover a civil penalty imposed under Subsection (a) and to restrain and enjoin a violation of this chapter. The attorney general or a district attorney may recover reasonable attorney's fees and court costs incurred in bringing the action.

SECTION 2. The changes in law made by this Act apply only to genetic information obtained by a direct-to-individual genetic testing company on or after the effective date of this Act.

SECTION 3. This Act takes effect September 1, 2023.