A new set of California privacy laws expands the definition of personal information to include genetic data.
If it’s January, that must mean new privacy laws passed in 2021 are coming online. California – the nation’s leader in state-issued privacy legislation – has a new data privacy law on the books. SB 41, also known as the Genetic Information Privacy Act, or GIPA, went into effect on January 1, 2022.
GIPA speaks directly to companies that collect genetic samples from consumers and requires that these DNA-testing companies adhere to the same privacy and security measures as the entities already covered by California’s CCPA and CPRA laws.
An earlier back-fill law, California AB-825, went into effect in May of 2021, adding genetic data to the list of personal information that entities already governed by CCPA and CPRA must protect.
Expanding “personal information”
Together these two laws point to an emerging privacy legislation trend: expanding the definition of what is considered personal information under state and federal data privacy and security laws to include health and medical data.
But wait, you say, isn’t health and medical data already covered by HIPAA’s PI and PHI breach notification rules? Actually, federal HIPAA privacy laws only have jurisdiction over health plan providers, health care providers, health care clearinghouses, and value-added business affiliates of those entities.
As more and more non-medical provider entities are interacting directly with consumers and collecting medical and health data about them, states and federal agencies are rushing in to fill the legislative void.
In addition to California, Utah passed its own GIPA (SB 227, effective May 2021), which also speaks directly to genetic testing companies. Oregon and Illinois acted several years ago to protect genetic information and biometric data by law.
Data regulation proliferation
Meanwhile, in September of 2021, the Federal Trade Commission issued a Policy Statement clarifying its Health Breach Notification Rule, which exists to “ensure that entities who are not covered by the Health Insurance Portability and Accountability Act (“HIPAA”) nevertheless face accountability when consumers’ sensitive health information is compromised.”
The Statement stems from what the FTC calls a “proliferation of apps and connected devices that capture sensitive health data.” In the Statement, the FTC acknowledges that it has not yet enforced the Rule, but gives notice that it intends to do so now, and that entities that collect and manage an individual’s personal health data must follow the Rule or expect heavy civil penalties.
Effectively, with these laws and policy clarifications, states and federal agencies are giving themselves the teeth they will need to move forward with privacy law enforcement measures.