Minn. Stat. § 325F.995

Current through Register Vol. 49, No. 8, August 19, 2024
Section 325F.995 - GENETIC INFORMATION PRIVACY ACT
Subdivision 1.Definitions.
(a) For purposes of this section, the following terms have the meanings given.
(b) "Biological sample" means any material part of a human, discharge from a material part of a human, or derivative from a material part of a human, including but not limited to tissue, blood, urine, or saliva, that is known to contain deoxyribonucleic acid (DNA).
(c) "Consumer" means an individual who is a Minnesota resident.
(d) "Deidentified data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identifiable consumer and that is subject to:
(1) administrative and technical measures to ensure the data cannot be associated with a particular consumer;
(2) public commitment by the company to (i) maintain and use data in deidentified form, and (ii) not attempt to reidentify the data; and
(3) legally enforceable contractual obligations that prohibit any recipients of the data from attempting to reidentify the data.
(e) "Direct-to-consumer genetic testing company" or "company" means an entity that:
(1) offers consumer genetic testing products or services directly to consumers; or
(2) collects, uses, or analyzes genetic data that was (i) collected via a direct-to-consumer genetic testing product or service, and (ii) provided to the company by a consumer. Direct-to-consumer genetic testing company does not include an entity that collects, uses, or analyzes genetic data or biological samples only in the context of research, as defined in Code of Federal Regulations, title 45, section 164.501, that is conducted in a manner that complies with the federal policy for the protection of human research subjects under Code of Federal Regulations, title 45, part 46; the Good Clinical Practice Guideline issued by the International Council for Harmonisation; or the United States Food and Drug Administration Policy for the Protection of Human Subjects under Code of Federal Regulations, title 21, parts 50 and 56.
(f) "Express consent" means a consumer's affirmative written response to a clear, meaningful, and prominent written notice regarding the collection, use, or disclosure of genetic data for a specific purpose. Written notices and responses may be presented and captured electronically.
(g) "Genetic data" means any data, regardless of the data's format, that concerns a consumer's genetic characteristics. Genetic data includes but is not limited to:
(1) raw sequence data that results from sequencing a consumer's complete extracted DNA or a portion of the extracted DNA;
(2) genotypic and phenotypic information that results from analyzing the raw sequence data; and
(3) self-reported health information that a consumer submits to a company regarding the consumer's health conditions and that is (i) used for scientific research or product development, and (ii) analyzed in connection with the consumer's raw sequence data.

Genetic data does not include deidentified data.

(h) "Genetic testing" means any laboratory test of a consumer's complete DNA, regions of a consumer's DNA, chromosomes, genes, or gene products to determine the presence of genetic characteristics.
(i) "Person" means an individual, partnership, corporation, association, business, business trust, sole proprietorship, other entity, or representative of an organization.
(j) "Service provider" means a person that is involved in the collection, transportation, analysis of, or any other service in connection with a consumer's biological sample, extracted genetic material, or genetic data on behalf of the direct-to-consumer genetic testing company, or on behalf of any other person that collects, uses, maintains, or discloses biological samples, extracted genetic material, or genetic data collected or derived from a direct-to-consumer genetic testing product or service, or is directly provided by a consumer, or the delivery of the results of the analysis of the biological sample, extracted genetic material, or genetic data.
Subd. 2.Disclosure and consent requirements.
(a) To safeguard the privacy, confidentiality, security, and integrity of a consumer's genetic data, a direct-to-consumer genetic testing company must:
(1) provide easily accessible, clear, and complete information regarding the company's policies and procedures governing the collection, use, maintenance, and disclosure of genetic data by making available to a consumer all of the following written in plain language:
(i) a high-level privacy policy overview that includes basic, essential information about the company's collection, use, or disclosure of genetic data;
(ii) a prominent, publicly available privacy notice that includes at a minimum information about the company's data collection, consent, use, access, disclosure, maintenance, transfer, security, retention, and deletion practices of genetic data; and
(iii) information that clearly describes how to file a complaint alleging a violation of this section, pursuant to section 45.027;
(2) obtain a consumer's express consent to collect, use, and disclose the consumer's genetic data, including at a minimum:
(i) initial express consent that clearly (A) describes the uses of the genetic data collected through the genetic testing product service, and (B) specifies who has access to the test results and how the genetic data may be shared;
(ii) separate express consent, which must include the name of the person receiving the information, for each transfer or disclosure of the consumer's genetic data or biological sample to any person other than the company's vendors and service providers;
(iii) separate express consent for each use of genetic data or the biological sample that is beyond the primary purpose of the genetic testing product or service and inherent contextual uses;
(iv) separate express consent to retain any biological sample provided by the consumer following completion of the initial testing service requested by the consumer;
(v) informed consent in compliance with federal policy for the protection of human research subjects under Code of Federal Regulations, title 45, part 46, to transfer or disclose the consumer's genetic data to a third-party person for research purposes or research conducted under the control of the company for publication or generalizable knowledge purposes; and
(vi) express consent for marketing by (A) the direct-to-consumer genetic testing company to a consumer based on the consumer's genetic data, or (B) a third party to a consumer based on the consumer having ordered or purchased a genetic testing product or service. For purposes of this clause, "marketing" does not include customized content or offers provided on the websites or through the applications or services provided by the direct-to-consumer genetic testing company with the first-party relationship to the customer;
(3) not disclose genetic data to law enforcement or any other governmental agency without a consumer's express written consent, unless the disclosure is made pursuant to a valid search warrant or court order;
(4) develop, implement, and maintain a comprehensive security program and measures to protect a consumer's genetic data against unauthorized access, use, or disclosure; and
(5) provide a process for a consumer to:
(i) access the consumer's genetic data;
(ii) delete the consumer's account and genetic data; and
(iii) request and obtain the destruction of the consumer's biological sample.
(b) Notwithstanding any other provisions in this section, a direct-to-consumer genetic testing company is prohibited from disclosing a consumer's genetic data without the consumer's written consent to:
(1) any entity offering health insurance, life insurance, disability insurance, or long-term care insurance; or
(2) any employer of the consumer. Any consent under this paragraph must clearly identify the recipient of the consumer's genetic data proposed to be disclosed.
(c) A company that is subject to the requirements described in paragraph (a), clause (2), shall provide effective mechanisms, without any unnecessary steps, for a consumer to revoke any consent of the consumer or all of the consumer's consents after a consent is given, including at least one mechanism which utilizes the primary medium through which the company communicates to the consumer. If a consumer revokes consent provided pursuant to paragraph (a), clause (2), the company shall honor the consumer's consent revocation as soon as practicable, but not later than 30 days after the consumer revokes consent. The company shall destroy a consumer's biological sample within 30 days of receipt of revocation of consent to store the sample.
(d) A direct-to-consumer genetic testing company must provide a clear and complete notice to a consumer that the consumer's deidentified data may be shared with or disclosed to third parties for research purposes in accordance with Code of Federal Regulations, title 45, part 46.
Subd. 3.Service provider agreements.
(a) A contract between the company and a service provider must prohibit the service provider from retaining, using, or disclosing any biological sample, extracted genetic material, genetic data, or information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, for any purpose other than for the specific purpose of performing the services specified in the service contract. The mandatory prohibition set forth in this subdivision requires a service contract to include, at minimum, the following provisions:
(1) a provision prohibiting the service provider from retaining, using, or disclosing the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether the consumer has solicited or received genetic testing, as applicable, for any purpose other than providing the services specified in the service contract; and
(2) a provision prohibiting the service provider from associating or combining the biological sample, extracted genetic material, genetic data, or any information regarding the identity of the consumer, including whether that consumer has solicited or received genetic testing, as applicable, with information the service provider has received from or on behalf of another person or persons, or has collected from the service provider's own interaction with consumers or as required by law.
(b) A service provider subject to this subdivision is subject to the same confidentiality obligations as a direct-to-consumer genetic testing company with respect to all biological samples, extracted genetic materials, and genetic material, or any information regarding the identity of any consumer in the service provider's possession.
Subd. 4.Enforcement.

The commissioner of commerce may enforce this section under section 45.027.

Subd. 5.Limitations.

This section does not apply to:

(1) protected health information that is collected by a covered entity or business associate, as those terms are defined in Code of Federal Regulations, title 45, parts 160 and 164;
(2) a public or private institution of higher education; or
(3) an entity owned or operated by a public or private institution of higher education.
Subd. 6.Construction.

This section does not supersede the requirements and rights described in section 13.386 or the remedies available under chapter 13 for violations of section 13.386.

Minn. Stat. § 325F.995

Added by 2023 Minn. Laws, ch. 57,s 4-18, eff. 7/1/2023.