|
|
A BILL TO BE ENTITLED
|
|
AN ACT
|
|
|
relating to an individual's genetic data, including the use of that |
|
data by certain genetic testing companies for commercial purposes |
|
and the individual's property right in DNA; authorizing a civil |
|
penalty. |
|
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS: |
|
SECTION 1. Subtitle A, Title 11, Business & Commerce Code, |
|
is amended by adding Chapter 503A to read as follows: |
|
CHAPTER 503A. DIRECT-TO-CONSUMER GENETIC TESTING COMPANIES; RIGHTS |
|
REGARDING DNA |
|
Sec. 503A.001. DEFINITIONS. In this chapter: |
|
(1) "Biological sample" means a material part of the |
|
human body, or a discharge or derivative part of the body, including |
|
tissue, blood, urine, or saliva that is known to contain DNA. |
|
(2) "Deidentified data" means data not reasonably |
|
linked to and that cannot reasonably be used to infer information |
|
about an identifiable individual. |
|
(3) "Direct-to-consumer genetic testing company" |
|
means an entity that: |
|
(A) offers genetic testing products or services |
|
directly to individuals as consumers of those products or services; |
|
or |
|
(B) collects, uses, or analyzes genetic data |
|
that: |
|
(i) results from a direct-to-consumer |
|
genetic testing product or service; and |
|
(ii) an individual rather than a health |
|
care provider provides to the entity. |
|
(4) "DNA" means deoxyribonucleic acid. |
|
(5) "Express consent" means an individual's |
|
affirmative response to a clear and meaningful notice regarding the |
|
collection, use, or disclosure of genetic data for a specific |
|
purpose. |
|
(6) "Genetic data" means any data, regardless of |
|
format, concerning an individual's genetic characteristics. The |
|
term: |
|
(A) includes: |
|
(i) raw sequence data derived from |
|
sequencing all or a portion of an individual's extracted DNA; |
|
(ii) genotypic and phenotypic information |
|
obtained from analyzing an individual's raw sequence data; and |
|
(iii) health information regarding the |
|
health conditions that an individual self-reports to a company and |
|
that the company: |
|
(a) uses for scientific research or |
|
product development; and |
|
(b) analyzes in connection with the |
|
individual's raw sequence data; and |
|
(B) does not include deidentified data. |
|
(7) "Genetic testing" means a laboratory test of an |
|
individual's complete DNA, regions of DNA, chromosomes, genes, or |
|
gene products to determine the presence of the individual's genetic |
|
characteristics. |
|
(8) "Person" means an individual, partnership, |
|
corporation, association, business, or business trust or the legal |
|
representative of an organization. |
|
Sec. 503A.002. APPLICABILITY. (a) This chapter applies to |
|
a direct-to-consumer genetic testing company that: |
|
(1) offers its products or services to individuals who |
|
are residents of this state; or |
|
(2) collects, uses, or analyzes genetic data that: |
|
(A) results from the company's products or |
|
services; and |
|
(B) was provided to the company by an individual |
|
who is a resident of this state rather than by or at the direction of |
|
a health care provider. |
|
(b) This chapter does not apply to: |
|
(1) an entity only when they are engaged in |
|
collecting, using, or analyzing genetic data or biological samples |
|
in the context of research, as defined by 45 C.F.R. Section 164.501, |
|
that is conducted in accordance with: |
|
(A) the federal policy for the protection of |
|
human subjects (45 C.F.R. Part 46); |
|
(B) the good clinical practice guidelines issued |
|
by the International Council for Harmonisation of Technical |
|
Requirements for Pharmaceuticals for Human Use (ICH); or |
|
(C) the United States Food and Drug |
|
Administration policy for the protection of human subjects (21 |
|
C.F.R. Parts 50 and 56); |
|
(2) genetic data that is protected health information |
|
collected by a covered entity or business associate, as defined by |
|
45 C.F.R. Part 160, subject to the privacy, security, and breach |
|
notification rules under the Health Insurance Portability and |
|
Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.); |
|
(3) an institution of higher education or a private or |
|
independent institution of higher education, as those terms are |
|
defined by Section 61.003, Education Code; |
|
(4) an entity when the entity is offering genetic |
|
testing products or services through a health care provider; or |
|
(5) the collection, use, or analysis of genetic data |
|
by a health care provider. |
|
Sec. 503A.003. EXCLUSIVE PROPERTY RIGHT IN DNA; |
|
CONFIDENTIALITY. An individual has a property right in, and |
|
retains the right to exercise exclusive control over, the |
|
individual's biological sample and the results of genetic testing |
|
or analysis conducted on the individual's DNA, including to the |
|
collection, use, retention, maintenance, disclosure, or |
|
destruction of the sample or results. The results of the genetic |
|
testing of an individual's DNA, without regard to whether those |
|
results are held by a public or private entity, are confidential and |
|
may not be disclosed to another person without the individual's |
|
express consent. |
|
Sec. 503A.004. REQUIREMENTS FOR CERTAIN USES OF |
|
DEIDENTIFIED DATA. (a) Except as otherwise provided by this |
|
chapter or other law, a direct-to-consumer genetic testing company |
|
that possesses an individual's deidentified data shall: |
|
(1) implement administrative and technical measures |
|
to ensure the data is not associated with a particular individual; |
|
and |
|
(2) publicly commit to maintaining and using data in |
|
deidentified form and refraining from making any attempt to |
|
identify an individual using the individual's deidentified data. |
|
(b) If a direct-to-consumer genetic testing company shares |
|
an individual's deidentified data with another person, the company |
|
shall enter into a legally enforceable contractual obligation |
|
prohibiting the person from attempting to identify an individual |
|
using the individual's deidentified data. |
|
Sec. 503A.005. REQUIREMENTS FOR CERTAIN USES OR DISCLOSURE |
|
OF GENETIC DATA AND BIOLOGICAL SAMPLE. (a) A direct-to-consumer |
|
genetic testing company shall: |
|
(1) develop, implement, and maintain a comprehensive |
|
security program to protect an individual's genetic data against |
|
unauthorized access, use, or disclosure; and |
|
(2) make publicly available: |
|
(A) a high-level privacy policy overview that |
|
includes basic, essential information about the company's |
|
collection, use, or disclosure of genetic data; and |
|
(B) a prominent privacy notice that includes |
|
information about the company's data collection, consent, use, |
|
access, disclosure, transfer, security, retention, and deletion |
|
practices. |
|
(b) Before collecting, using, or disclosing an individual's |
|
genetic data, a direct-to-consumer genetic testing company shall |
|
provide to the individual information about the company's |
|
collection, use, and disclosure of genetic data the company |
|
collects through a genetic testing product or service, including |
|
information that: |
|
(1) clearly describes the company's use of the genetic |
|
data; |
|
(2) specifies the persons who have access to test |
|
results; and |
|
(3) specifies the manner in which the company may |
|
share the genetic data. |
|
(c) A direct-to-consumer genetic testing company shall |
|
provide a process for an individual to: |
|
(1) access the individual's genetic data; |
|
(2) delete the individual's account and genetic data; |
|
and |
|
(3) destroy or require the destruction of the |
|
individual's biological sample. |
|
Sec. 503A.006. REQUIRED CONSENT. (a) A direct-to-consumer |
|
genetic testing company engaging in any of the following activities |
|
must obtain: |
|
(1) an individual's separate express consent for: |
|
(A) the transfer or disclosure of the |
|
individual's genetic data to any person other than the company's |
|
vendors and service providers; |
|
(B) the use of genetic data for a purpose other |
|
than the primary purpose of the company's genetic testing product |
|
or service; or |
|
(C) the retention of any biological sample |
|
provided by the individual following the company's completion of |
|
the initial testing service requested by the individual; |
|
(2) an individual's informed consent in accordance |
|
with guidelines for the protection of human subjects issued under |
|
45 C.F.R. Part 46, for transfer or disclosure of the individual's |
|
genetic data to a third party for: |
|
(A) research purposes; or |
|
(B) research conducted under the control of the |
|
company for the purpose of publication or generalizable knowledge; |
|
and |
|
(3) an individual's express consent for: |
|
(A) marketing by the company to the individual |
|
based on the individual's genetic data; or |
|
(B) marketing by a third party to the individual |
|
based on the individual's ordering or purchasing of a genetic |
|
testing product or service. |
|
(b) For purposes of Subsection (a), "marketing" does not |
|
include providing customized content or offers to an individual |
|
with whom a direct-to-consumer genetic testing company has a |
|
first-party relationship on the company's Internet website or |
|
through an application or service provided by the company to the |
|
individual. |
|
Sec. 503A.007. PROHIBITED DISCLOSURES. (a) A |
|
direct-to-consumer genetic testing company may not disclose an |
|
individual's genetic data to a law enforcement entity or other |
|
governmental body unless: |
|
(1) the company first obtains the individual's express |
|
written consent; or |
|
(2) the entity or body obtains a warrant or complies |
|
with another valid legal process required by the company. |
|
(b) A direct-to-consumer genetic testing company may not |
|
disclose, without first obtaining an individual's written consent, |
|
the individual's genetic data to: |
|
(1) an entity that offers health insurance, life |
|
insurance, or long-term care insurance; or |
|
(2) an employer of the individual. |
|
Sec. 503A.008. CIVIL PENALTY. (a) A direct-to-consumer |
|
genetic testing company that violates this chapter is liable to |
|
this state for a civil penalty in an amount not to exceed $2,500 for |
|
each violation. |
|
(b) The attorney general may bring an action to recover a |
|
civil penalty imposed under Subsection (a) and to restrain and |
|
enjoin a violation of this chapter. The attorney general may |
|
recover reasonable attorney's fees and court costs incurred in |
|
bringing the action. |
|
SECTION 2. The changes in law made by this Act apply only to |
|
genetic information obtained on or after the effective date of this |
|
Act. |
|
SECTION 3. This Act takes effect September 1, 2023. |
|
|
|
* * * * * |