New Genetic Privacy Laws

Posted by

The National Law Review recently reported that Florida and California are enacting laws protecting people’s genetic information. Both states are taking different approaches to this new type of privacy protection, but their intent is similar. The National Law Review outlines the specifics of these laws in the table below.

Effective DateOctober 1, 2021January 1, 2022
Individuals ProtectedAny person who has their DNA sample collected in Florida is protectedCalifornia residents
Regulated EntitiesAny person or entity who collects, uses, retains, or maintains a DNA sample or the results of a DNA analysis or conducts the DNA analysis is coveredGIPA applies to direct-to-consumer genetic testing companies, meaning a company that meets one of the following: Sells, markets, interprets, or offers genetic testing products or services directly to consumers;Analyzes genetic data obtained from a consumer; or  Collects, uses, maintains, or discloses genetic data from another direct-to-consumer genetic testing product or service or is directly provided by a consumer. 
RequirementsEntities in Florida that collect DNA samples will need to obtain express consent from the person giving the DNA sample. Entities can use a single express consent form to authorize every instance of a specified purpose or use. Additionally, entities that perform DNA analysis or receives the results must provide the person with a notice that the analysis was performed.Entities in California must be transparent about the business’s privacy practices regarding genetic data.  They also must obtain express consent from consumers for the collection, use, and disclosure of the consumer’s genetic data.  They must obtain separate, express consent for use of the genetic data for different uses and before transferring it to parties other than service providers.  They must obtain consent before directly marketing based on consumer’s genetic data or third party marketing based on a consumer’s order, purchase, use of a genetic testing product or service.  Business are required to have reasonable security procedures and practices to protect the consumer’s genetic data against unauthorized access, destruction, use, modification, or disclosure.  They must give consumers a way to easily withdraw consent, provide access to data, allow consumers to delete their account, and request destructions of their DNA samples.  Companies cannot discriminate against consumers that exercise their rights.  
EnforceabilityThe Protecting DNA Privacy Act does not include a private right of action. The law will be enforced by the state. There is no cure period. GIPA does not create a private right of action. The law is enforced exclusively through the Attorney General, district attorney, county attorney, city attorney, or city prosecutor. There is a 30-day period for the company to comply with a request to revoke consent, but no other cure period. 
Penalties for Violation of the LawThe criminal penalties range from first degree misdemeanor for the unlawful collection of another person’s DNA sample with the intent to perform a DNA analysis to second degree felony for the unlawful sell or transfer of another person’s DNA sample or results of DNA analysis even if the person originally gave express consent for the collection and retention of the DNA sample.For a negligent violation of the law, the court can assess a penalty capped at $1,000 plus court costs. For a willful violation of the law, the court can assess a penalty capped at $10,000 plus court costs. The assessed penalties are paid directly to the consumer whose genetic data was used. Each violation can be assessed a separate penalty.
ExceptionsIf the DNA sample, analysis, or results are used for criminal investigations, compliance with lawful court orders, compliance with federal law, determining paternity, or conducting research that is subject to federal regulations.The law exempts certain entities governed by federal regulations, certain universities conducting scientific research, California Newborn Screening Program, tests conducted to diagnose whether an individual has a specific disease, and genetic data used or maintained by an employer or disclosed to an employer by the employee to comply with other laws or regulations.

Would you like to see more articles like this one? Visit the rest of our blog at