By Kaitlyn Saberin.
In recent years, consumer data has become a critical facet of a business’s financial success, so much so that good quality consumer data has become a prized market commodity. However, the business desire to have, use, and control consumer data is directly at odds with how consumers want to protect their personal information in an increasingly digitalized world. A sector-specific legal framework further complicates this issue. In response, more and more states—including California—have begun to rapidly expand consumer privacy and protection laws to give consumers more control over their personal data. Currently, only Colorado and Virginia have passed comprehensive data privacy laws akin to California’s, but six other states have similar bills pending.
Earlier this month, California took another step to protect consumer data when Governor Newsom signed Senate Bill No. 41 (“SB 41”) into law. SB 41, also known as the Genetic Information Privacy Act, goes into effect on January 1, 2022. Its aim is to cover data that otherwise falls outside of California’s Confidentiality of Medical Information Act (“CMIA”) and the Health Insurance Portability and Accountability Act (“HIPAA”). SB 41 requires direct-to-consumer genetic testing companies to obtain express consent from consumers to collect, use, or disclose their genetic data, and also to honor a consumer’s revocation of consent and destroy the consumer’s genetic sample within 30 days. In addition to the revocation of consent provisions, SB 41 requires direct-to-consumer genetic testing companies to implement and maintain security processes and procedures necessary to protect against unauthorized access of consumers’ genetic information and to enable users to access their genetic data and delete their accounts, as desired.
Ultimately, SB 41 is merely one of California’s latest—and certainly not last—additions to its complicated and expanding data privacy framework. In fact, Governor Newsom signed several other data privacy-related bills into law this month, including technical changes to the California Privacy Rights Act (also known as Proposition 24) and an expansion of the definition of “personal information” so that the breach of genetic data would also trigger California’s data breach notification law.
Nothing in this blog is intended to constitute legal advice and your interactions with this blog do not result in the formation of an attorney-client relationship. All matters are different and, as such, nothing in this blog is intended to guarantee, warrant, or predict a specific outcome.