Current through 2024 Ky. Acts ch. 225
Section 311.705 - Genetic testing - Guidelines for collection and use of genetic data

(1) As used in this section:
(a) "Biological sample" means any material part of the human, discharge therefrom, or derivative thereof, such as tissue, blood, urine, or saliva, known to contain deoxyribonucleic acid (DNA);
(b) "Consumer" means an individual who is a resident of the state;
(c) 1. "Direct-to-consumer genetic testing company" means an entity that:
a. Offers genetic testing products or services directly to a consumer; or
b. Collects, uses, or analyzes genetic data that resulted from a direct-to-consumer genetic testing product or service and was provided to the company by a consumer.
2. "Direct-to-consumer genetic testing company" does not include any entity only when they are engaged in collecting, using, or analyzing genetic data or biological samples in the context of research, as defined in 45 C.F.R. sec. 164.501, conducted in accordance with the Federal Policy for the Protection of Human Subjects, 45 C.F.R. pt. 46, the Good Clinical Practice Guideline issued by the International Council for Harmonisation, or the United States Food and Drug Administration Policy for the Protection of Human Subjects under 21 C.F.R. pts. 50 and 56;
(d) "Express consent" means a consumer's affirmative response, or the affirmative response of a consumer's legal guardian, attorney-in-fact, health care surrogate, or authorized representative, to a clear, meaningful, and prominent notice regarding the collection, use, or disclosure of genetic data for a specific purpose;
(e) 1. "Genetic data" means any data, regardless of its format, that concerns a consumer's genetic characteristics and includes but is not limited to:
a. Raw sequence data that result from a sequencing of a consumer's complete extracted or a portion of the extracted DNA;
b. Genotypic and phenotypic information that results from analyzing the raw sequence data; and
c. Self-reported health information that a consumer submits to a company regarding the consumer's health conditions and that is used for scientific research or product development and analyzed in connection with the consumer's raw sequence data.
2. "Genetic data" does not include de-identified data;
(f) "Genetic testing" means any laboratory test of a consumer's complete DNA, regions of DNA, chromosomes, genes, or gene products to determine the presence of genetic characteristics of a consumer; and
(g) "Person" has the same meaning as KRS 446.010.

(2) To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, a direct-to-consumer genetic testing company shall:
(a) Provide clear and complete information regarding the company's policies and procedures for collection, use, or disclosure of genetic data by making available to a consumer:
1. A high-level privacy policy overview that includes basic, essential information about the company's collection, use, or disclosure of genetic data; and
2. A prominent, publicly available privacy notice that includes, at a minimum, information about the company's data collection, consent, use, access, disclosure, transfer, security, and retention and deletion practices;
(b) Obtain a consumer's consent for collection, use, or disclosure of the consumer's genetic data including, at a minimum:
1. Initial express consent that clearly describes the uses of the genetic data collected through the genetic testing product or service, and specifies who has access to test results and how the genetic data may be shared;
2. Separate express consent for transferring or disclosing the consumer's genetic data to any person other than the company's vendors and service providers, or for using genetic data beyond the primary purpose of the genetic testing product or service and inherent contextual uses;
3. Separate express consent for the retention of any biological sample provided by the consumer following completion of the initial testing service requested by the consumer;
4. Informed consent in compliance with the Federal Policy for the Protection of Human Subjects, 45 C.F.R. pt. 46, for transfer or disclosure of the consumer's genetic data to third party persons for research purposes or research conducted under the control of the company for the purpose of publication or generalizable knowledge; and
5. a. Express consent for marketing to a consumer based on the consumer's genetic data; or for marketing by a third party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service.
b. Marketing does not include the provision of customized content or offers on the Web sites or through the applications or services provided by the direct-to-consumer genetic testing company with the first-party relationship to the customer;
(c) Require valid legal process for disclosing genetic data to law enforcement or any other government agency without a consumer's express written consent;
(d) Develop, implement, and maintain a comprehensive security program to protect a consumer's genetic data against unauthorized access, use, or disclosure; and
(e) Provide a process for a consumer to:
1. Access the consumer's genetic data;
2. Delete the consumer's account and genetic data; and
3. Request and obtain the destruction of the consumer's biological sample.

(3) Notwithstanding any other provisions in this section, a direct-to-consumer genetic testing company may not disclose a consumer's genetic data to any entity offering health insurance, life insurance, or long-term care insurance, or to any employer of the consumer without the consumer's written consent.

(4) The Attorney General may bring an action in the name of the Commonwealth, or as parens patriae on behalf of consumers, to enforce this section. In any action brought by the Attorney General to enforce this section, a violation of this section is subject to a civil penalty of the following:
(a) Two thousand five hundred dollars ($2,500) for each violation of this section;
(b) The recovery of actual damages incurred by consumers on whose behalf the action was brought; and
(c) Costs and expenses incurred by the office of the Attorney General.

(5) The disclosure of genetic data pursuant to this section shall comply with all state and federal laws for the protection of privacy and security. This section shall not apply to protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. pts. 160 and 164, established pursuant to the federal Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, and the federal Health Information Technology for Economic and Clinical Health Act, Pub. L. No. 111-5.

Added by 2022 Ky. Acts ch. 169, § 1, eff. 7/13/2022.