Nebraska Enacts Genetic Information Privacy Act | Practical Law

Nebraska has enacted the Genetic Information Privacy Act, which requires direct-to-consumer genetic testing companies to obtain consent to collect, process, and disclose genetic data, provide privacy notices, implement security measures, and enable consumer access, deletion, and biological sample destruction requests.

Practical Law Legal Update w-042-3432 (Approx. 5 pages)

by Practical Law Data Privacy & Cybersecurity
Published on 15 Feb 2024 | Nebraska
On February 14, 2024, Nebraska Governor Jim Pillen signed LB 308, enacting the Genetic Information Privacy Act (GIPA). Similar to genetic privacy laws recently passed in other states, including Texas and Tennessee, the new law regulates direct-to-consumer genetic testing companies that either:
  • Offer genetic testing products or services directly to Nebraska residents (consumers).
  • Collect, use, or analyze consumer-provided genetic data that resulted from a direct-to-consumer genetic testing product.
Nebraska's GIPA protects data that concerns a consumer's genetic characteristics, regardless of its format. This may include:
  • Raw sequence data from sequencing all or a portion of a consumer's extracted DNA.
  • Genotypic and phenotypic information from analyzing a consumer's raw sequence data.
  • Self-reported health conditions information that a company:
    • uses for scientific research or product development; and
    • analyzes in connection with the consumer's raw sequence data.
However, it does not apply to:
  • De-identified data reasonably incapable of inferring information about or otherwise linking to an identifiable consumer, when maintained under specific conditions designed to protect and maintain its anonymity.
  • Protected health information collected by a covered entity or business associate as defined under HIPAA and related regulations.
  • Entities solely engaged in collecting, using, or analyzing genetic data or biological samples for research conducted in accordance with:
    • the Federal Policy for the Protection of Human Subjects (Common Rule);
    • the International Council for Harmonisation's E6 Good Clinical Practice guidelines; or
    • the FDA's Human Subject Protection Policy.
Direct-to-consumer genetic testing companies must provide consumers with clear and complete information about their policies and procedures for the collection, use, and disclosure of genetic data, including:
  • A high-level privacy policy overview that includes basic information about the company's collection, use, or disclosure of genetic data.
  • A prominent, publicly available privacy notice that includes information about their data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices.
Direct-to-consumer genetic testing companies must also obtain various forms of consumer consent for certain activities, including:
  • Initial express consent for collection, use, or disclosure of consumers' genetic data that:
    • clearly describes the company's use of the genetic data collected through its products or services; and
    • specifies who has access to test results and how the company may share the genetic data.
  • Separate express consent for:
    • transferring or disclosing consumers' genetic data, except to their vendors and service providers;
    • using genetic data beyond their genetic testing products' or services' primary purpose; or
    • retaining a consumer's biological sample following their completion of the initial consumer-requested testing service.
  • Informed consent under the Common Rule to transfer or disclose consumers' genetic data to a third party for:
    • research purposes; or
    • research conducted under the company's control for publication or generalizable knowledge.
  • Written consent before disclosing consumers' genetic data to:
    • entities that offer health insurance, life insurance, or long-term care insurance; or
    • a consumer's employer.
  • Express consent for marketing:
    • to a consumer based on the consumer's genetic data; or
    • by a third party to a consumer based on the consumer's order or purchase of a genetic testing product or service.
However, direct-to-consumer genetic testing companies do not need to obtain express consent to provide customized content or offers through their websites, apps, or services when they have a first-party relationship with the consumer.
Direct-to-consumer genetic testing companies must also:
  • Develop, implement, and maintain a comprehensive security program to protect consumers' genetic data against unauthorized access, use, or disclosure.
  • Provide processes that allow consumers to:
    • access their genetic data;
    • delete their account and genetic data; and
    • request and obtain written documentation verifying the destruction of their biological sample.
  • Require a court order to disclose a consumer's genetic data to any government agency, including law enforcement, without the consumer's express written consent.
  • Meet all state and federal laws for the protection of privacy and security when disclosing genetic data.
The law grants the Attorney General enforcement authority. Violations may result in a civil penalty of $2,500 per violation, actual damages, and costs and reasonable attorney's fees. The law does not include a private right of action.
The bill did not provide a specific effective date, so it will take effect three months after the Nebraska legislature adjourns its 2024 session.