Virginia Enacts Genetic Privacy Law | Practical Law

Virginia has enacted a genetic privacy law, requiring direct-to-consumer genetic testing companies to obtain consent to collect, process, and disclose genetic data, implement security measures, create procedures for data deletion and destruction requests, and flow down obligations to their service providers.

Practical Law Legal Update w-038-9709 (Approx. 3 pages)

by Practical Law Data Privacy & Cybersecurity
Published on 28 Mar 2023 | Virginia
On March 26, 2023, Virginia Governor Glenn Youngkin signed SB 1087, a genetic data privacy law applicable to companies that offer customer-initiated genetic testing products, and companies that process the associated genetic data.
Under SB 1087, covered companies must:
  • Obtain informed consent to collect, use, or disclose an individual's data, and obtain separate express consent for activities such as secondary data uses and disclosures to third parties.
  • Inform consumers of the express consent requirement and how they can revoke consent.
  • Provide consumers with a summary of the company's data collection, use, maintenance, retention, disclosure, transfer, deletion, security, and access policies and privacy practices.
  • Implement and maintain reasonable security measures.
  • Create processes for consumers to easily access and delete their data, and to revoke consent and request destruction of their biological sample.
  • Contractually prohibit service providers from retaining, using, disclosing, associating, or combining biological samples, genetic data, or customer identity information for a purpose not authorized by the contract.
The law prohibits discrimination based on a consumer's exercise of rights.
SB 1087 excludes:
  • Genetic data used or maintained by an employer or disclosed by an employee, to the extent the use, maintenance, or disclosure is necessary to comply with a federal or state workplace health and safety law, rule, or regulation.
  • To the extent genetic data is maintained, used, and disclosed in the same manner as protected health information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act:
    • HIPAA covered entities and business associates.
    • Protected health information held by HIPAA covered entities and business associates.
    • Tests solely to determine if an individual has a certain disease.
  • Scientific research or educational activities that meet certain requirements.
The Attorney General may investigate potential violations and seek civil penalties up to $1,000 plus fees and costs, or up to $10,000 for willful violations.
The law becomes effective July 1, 2023.