By: Capriglione, et al. (Senate Sponsor - Johnson) H.B. No. 2545
         (In the Senate - Received from the House May 1, 2023;
  May 1, 2023, read first time and referred to Committee on Business &
  Commerce; May 10, 2023, reported adversely, with favorable
  Committee Substitute by the following vote:  Yeas 11, Nays 0;
  May 10, 2023, sent to printer.)
Click here to see the committee vote
 
  COMMITTEE SUBSTITUTE FOR H.B. No. 2545 By:  Johnson
 
 
A BILL TO BE ENTITLED
 
AN ACT
 
  relating to an individual's genetic data, including the use of that
  data by certain genetic testing companies for commercial purposes
  and the individual's property right in DNA; authorizing a civil
  penalty.
         BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF TEXAS:
         SECTION 1.  Subtitle A, Title 11, Business & Commerce Code,
  is amended by adding Chapter 503A to read as follows:
  CHAPTER 503A. DIRECT-TO-CONSUMER GENETIC TESTING COMPANIES; RIGHTS
  REGARDING DNA
         Sec. 503A.001.  DEFINITIONS. In this chapter:
               (1)  "Biological sample" means a material part of the
  human body, or a discharge or derivative part of the body, including
  tissue, blood, urine, or saliva that is known to contain DNA.
               (2)  "Deidentified data" means data not reasonably
  linked to and that cannot reasonably be used to infer information
  about an identifiable individual.
               (3)  "Direct-to-consumer genetic testing company"
  means an entity that:
                     (A)  offers genetic testing products or services
  directly to individuals as consumers of those products or services;
  or
                     (B)  collects, uses, or analyzes genetic data
  that:
                           (i)  results from a direct-to-consumer
  genetic testing product or service; and
                           (ii)  an individual rather than a health
  care provider provides to the entity.
               (4)  "DNA" means deoxyribonucleic acid.
               (5)  "Express consent" means an individual's
  affirmative response to a clear and meaningful notice regarding the
  collection, use, or disclosure of genetic data for a specific
  purpose.
               (6)  "Genetic data" means any data, regardless of
  format, concerning an individual's genetic characteristics. The
  term:
                     (A)  includes:
                           (i)  raw sequence data derived from
  sequencing all or a portion of an individual's extracted DNA;
                           (ii)  genotypic and phenotypic information
  obtained from analyzing an individual's raw sequence data; and
                           (iii)  health information regarding the
  health conditions that an individual self-reports to a company and
  that the company:
                                 (a)  uses for scientific research or
  product development; and
                                 (b)  analyzes in connection with the
  individual's raw sequence data; and
                     (B)  does not include deidentified data.
               (7)  "Genetic testing" means a laboratory test of an
  individual's complete DNA, regions of DNA, chromosomes, genes, or
  gene products to determine the presence of the individual's genetic
  characteristics.
               (8)  "Person" means an individual, partnership,
  corporation, association, business, or business trust or the legal
  representative of an organization.
         Sec. 503A.002.  APPLICABILITY. (a) This chapter applies to
  a direct-to-consumer genetic testing company that:
               (1)  offers its products or services to individuals who
  are residents of this state; or
               (2)  collects, uses, or analyzes genetic data that:
                     (A)  results from the company's products or
  services; and
                     (B)  was provided to the company by an individual
  who is a resident of this state rather than by or at the direction of
  a health care provider.
         (b)  This chapter does not apply to:
               (1)  an entity only when they are engaged in
  collecting, using, or analyzing genetic data or biological samples
  in the context of research, as defined by 45 C.F.R. Section 164.501,
  that is conducted in accordance with:
                     (A)  the federal policy for the protection of
  human subjects (45 C.F.R. Part 46);
                     (B)  the good clinical practice guidelines issued
  by the International Council for Harmonisation of Technical
  Requirements for Pharmaceuticals for Human Use (ICH); or 
                     (C)  the United States Food and Drug
  Administration policy for the protection of human subjects (21
  C.F.R. Parts 50 and 56);
               (2)  genetic data that is protected health information
  collected by a covered entity or business associate, as defined by
  45 C.F.R. Part 160, subject to the privacy, security, and breach
  notification rules under the Health Insurance Portability and
  Accountability Act of 1996 (42 U.S.C. Section 1320d et seq.);
               (3)  an institution of higher education or a private or
  independent institution of higher education, as those terms are
  defined by Section 61.003, Education Code;
               (4)  an entity when the entity is offering genetic
  testing products or services through a health care provider; or
               (5)  the collection, use, or analysis of genetic data
  by a health care provider.
         Sec. 503A.003.  EXCLUSIVE PROPERTY RIGHT IN DNA;
  CONFIDENTIALITY.  An individual has a property right in, and
  retains the right to exercise exclusive control over, the
  individual's biological sample and the results of genetic testing
  or analysis conducted on the individual's DNA, including to the
  collection, use, retention, maintenance, disclosure, or
  destruction of the sample or results.  The results of the genetic
  testing of an individual's DNA, without regard to whether those
  results are held by a public or private entity, are confidential and
  may not be disclosed to another person without the individual's
  express consent.
         Sec. 503A.004.  REQUIREMENTS FOR CERTAIN USES OF
  DEIDENTIFIED DATA. (a) Except as otherwise provided by this
  chapter or other law, a direct-to-consumer genetic testing company
  that possesses an individual's deidentified data shall:
               (1)  implement administrative and technical measures
  to ensure the data is not associated with a particular individual;
  and
               (2)  publicly commit to maintaining and using data in
  deidentified form and refraining from making any attempt to
  identify an individual using the individual's deidentified data.
         (b)  If a direct-to-consumer genetic testing company shares
  an individual's deidentified data with another person, the company
  shall enter into a legally enforceable contractual obligation
  prohibiting the person from attempting to identify an individual
  using the individual's deidentified data.
         Sec. 503A.005.  REQUIREMENTS FOR CERTAIN USES OR DISCLOSURE
  OF GENETIC DATA AND BIOLOGICAL SAMPLE. (a) A direct-to-consumer
  genetic testing company shall:
               (1)  develop, implement, and maintain a comprehensive
  security program to protect an individual's genetic data against
  unauthorized access, use, or disclosure; and
               (2)  make publicly available:
                     (A)  a high-level privacy policy overview that
  includes basic, essential information about the company's
  collection, use, or disclosure of genetic data; and
                     (B)  a prominent privacy notice that includes
  information about the company's data collection, consent, use,
  access, disclosure, transfer, security, retention, and deletion
  practices.
         (b)  Before collecting, using, or disclosing an individual's
  genetic data, a direct-to-consumer genetic testing company shall
  provide to the individual information about the company's
  collection, use, and disclosure of genetic data the company
  collects through a genetic testing product or service, including
  information that:
               (1)  clearly describes the company's use of the genetic
  data;
               (2)  specifies the persons who have access to test
  results; and
               (3)  specifies the manner in which the company may
  share the genetic data.
         (c)  A direct-to-consumer genetic testing company shall
  provide a process for an individual to:
               (1)  access the individual's genetic data;
               (2)  delete the individual's account and genetic data;
  and
               (3)  destroy or require the destruction of the
  individual's biological sample.
         Sec. 503A.006.  REQUIRED CONSENT. (a)  A direct-to-consumer
  genetic testing company engaging in any of the following activities
  must obtain:
               (1)  an individual's separate express consent for:
                     (A)  the transfer or disclosure of the
  individual's genetic data to any person other than the company's
  vendors and service providers;
                     (B)  the use of genetic data for a purpose other
  than the primary purpose of the company's genetic testing product
  or service; or
                     (C)  the retention of any biological sample
  provided by the individual following the company's completion of
  the initial testing service requested by the individual;
               (2)  an individual's informed consent in accordance
  with guidelines for the protection of human subjects issued under
  45 C.F.R. Part 46, for transfer or disclosure of the individual's
  genetic data to a third party for:
                     (A)  research purposes; or
                     (B)  research conducted under the control of the
  company for the purpose of publication or generalizable knowledge;
  and
               (3)  an individual's express consent for:
                     (A)  marketing by the company to the individual
  based on the individual's genetic data; or
                     (B)  marketing by a third party to the individual
  based on the individual's ordering or purchasing of a genetic
  testing product or service.
         (b)  For purposes of Subsection (a), "marketing" does not
  include providing customized content or offers to an individual
  with whom a direct-to-consumer genetic testing company has a
  first-party relationship on the company's Internet website or
  through an application or service provided by the company to the
  individual.
         Sec. 503A.007.  PROHIBITED DISCLOSURES. (a) A
  direct-to-consumer genetic testing company may not disclose an
  individual's genetic data to a law enforcement entity or other
  governmental body unless:
               (1)  the company first obtains the individual's express
  written consent; or
               (2)  the entity or body obtains a warrant or complies
  with another valid legal process required by the company.
         (b)  A direct-to-consumer genetic testing company may not
  disclose, without first obtaining an individual's written consent,
  the individual's genetic data to:
               (1)  an entity that offers health insurance, life
  insurance, or long-term care insurance; or
               (2)  an employer of the individual.
         Sec. 503A.008.  CIVIL PENALTY. (a)  A direct-to-consumer
  genetic testing company that violates this chapter is liable to
  this state for a civil penalty in an amount not to exceed $2,500 for
  each violation. 
         (b)  The attorney general may bring an action to recover a
  civil penalty imposed under Subsection (a) and to restrain and
  enjoin a violation of this chapter.  The attorney general may
  recover reasonable attorney's fees and court costs incurred in
  bringing the action.
         SECTION 2.  The changes in law made by this Act apply only to
  genetic information obtained on or after the effective date of this
  Act.
         SECTION 3.  This Act takes effect September 1, 2023.
 
  * * * * *