Section 47-18-4904 - Required disclosures to consumer - Permissible offers to consumers(a) A direct-to-consumer genetic testing company shall:(1) Provide to a consumer: (A) Essential information about the company's collection, use, and disclosure of genetic data; and(B) A prominent, publicly available privacy notice that includes information about the company's data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices;(2) Obtain a consumer's initial express consent for collection, use, or disclosure of the consumer's genetic data that:(A) Clearly describes the company's use of the genetic data that the company collects through the company's genetic testing product or service;(B) Specifies who has access to test results; and(C) Specifies how the company may share the genetic data;(3) If the company engages in the following conduct, obtain a consumer's:(A) Separate express consent for:(i) The transfer or disclosure of the consumer's genetic data to a person other than the company's vendors and service providers;(ii) The use of genetic data beyond the primary purpose of the company's genetic testing product or service; or(iii) The company's retention of a biological sample provided by the consumer following the company's completion of the initial testing service requested by the consumer;(B) Informed consent in accordance with the Federal Policy for the Protection of Human Subjects, as described in 45 CFR Part 46, for transfer or disclosure of the consumer's genetic data to a third party for:(i) Research purposes; or(ii) Research conducted under the control of the company for the purpose of publication or generalizable knowledge; and(C) Express consent for:(i) Marketing to a consumer based on the consumer's genetic data; or(ii) Marketing by a third-party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service;(4) Require valid legal process for the company's disclosure of a consumer's genetic data to law enforcement or a government entity without the consumer's express written consent;(5) Develop, implement, and maintain a comprehensive security program to protect a consumer's genetic data against unauthorized access, use, or disclosure; and(6) Provide a process for a consumer to: (A) Access the consumer's genetic data;(B) Delete the consumer's account and genetic data; and(C) Destroy the consumer's biological sample.(b) Notwithstanding subdivision (a)(3)(C), a direct-to-consumer genetic testing company with a first-party relationship to a consumer may, without obtaining the consumer's express consent, provide customized content or offers on the company's website or through the company's application or service.Added by 2023 Tenn. Acts, ch. 324, s 1, eff. 7/1/2023.