Tennessee Enacts Genetic Information Privacy Act | Practical Law

Tennessee has enacted the Genetic Information Privacy Act, which requires direct-to-consumer genetic testing companies to obtain consent to collect, process, and disclose genetic data, implement security measures, and support consumer access, deletion, and biological sample destruction requests.

Practical Law Legal Update w-039-3276 (Approx. 4 pages)

by Practical Law Data Privacy & Cybersecurity
Published on 01 May 2023
Tennessee
On April 28, 2023, Tennessee Governor Bill Lee signed HB 1310, the Genetic Information Privacy Act. The law protects data that concerns a consumer's genetic characteristics, including:
  • Raw sequence data from sequencing all or a portion of a consumer's extracted DNA.
  • Genotypic and phenotypic information from analyzing a consumer's raw sequence data.
  • Self-reported health conditions information that a company:
    • uses for scientific research or product development; and
    • analyzes in connection with the consumer's raw sequence data.
HB 1310:
  • Applies to entities that:
    • offer genetic testing products or services directly to consumers, defined as Tennessee residents; or
    • collect, use, or analyze consumer-provided genetic data.
  • Excludes:
    • de-identified data, as specified;
    • protected health information collected by a covered entity or business associate as defined under the HIPAA regulations; and
    • public or private higher education institutions and entities that they own or operate.
Direct-to-consumer genetic testing companies must provide consumers with:
  • Essential information about their collection, use, and disclosure of genetic data.
  • A prominent, publicly available privacy notice that includes information about their data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices.
Direct-to-consumer genetic testing companies must also obtain various forms of consumer consent for certain activities, including:
  • Initial express consent for collection, use, or disclosure of consumers' genetic data that:
    • clearly describes the company's use of the genetic data collected through its products or services; and
    • specifies who has access to test results and how the company may share the genetic data.
  • Separate express consent for:
    • transferring or disclosing consumers' genetic data, except to their vendors and service providers;
    • using genetic data beyond their genetic testing products' or services' primary purpose; or
    • retaining a consumer's biological sample following their completion of the initial consumer-requested testing service.
  • Informed consent according to the Federal Policy for the Protection of Human Subjects to transfer or disclose consumers' genetic data to a third party for:
    • research purposes; or
    • research conducted under the company's control for publication or generalizable knowledge.
  • Written consent before disclosing consumers' genetic data to:
    • entities that offer health insurance, life insurance, or long-term care insurance; or
    • a consumer's employer.
  • Express consent for marketing:
    • to a consumer based on the consumer's genetic data; or
    • by a third party to a consumer based on the consumer's having ordered or purchased a genetic testing product or service.
However, direct-to-consumer genetic testing companies need not obtain express consent to provide customized content or offers through their websites, apps, or services to consumers with whom they have a first-party relationship.
Direct-to-consumer genetic testing companies must also:
  • Develop, implement, and maintain a comprehensive security program to protect consumers' genetic data against unauthorized access, use, or disclosure.
  • Support request processes that allow consumers to:
    • access their genetic data;
    • delete their account and genetic data; and
    • destroy their biological sample.
  • Require valid legal process to disclose a consumer's genetic data to law enforcement or another government entity without the consumer's express written consent.
The law grants the Division of Consumer Affairs in the Office of the Attorney General and Reporter rulemaking and enforcement authority. The law does not include a specific private right of action.
The Genetic Information Privacy Act takes effect July 1, 2023, and applies to conduct occurring on or after that date.