Section 47-18-4904 - Required disclosures to consumer - Permissible offers to consumers(a) A direct-to-consumer genetic testing company shall:(1) Provide to a consumer: (A) Essential information about the company's collection, use, and disclosure of genetic data; and(B) A prominent, publicly available privacy notice that includes information about the company's data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices;(2) Obtain a consumer's initial express consent for collection, use, or disclosure of the consumer's genetic data that:(A) Clearly describes the company's use of the genetic data that the company collects through the company's genetic testing product or service;(B) Specifies who has access to test results; and(C) Specifies how the company may share the genetic data;(3) If the company engages in the following conduct, obtain a consumer's:(A) Separate express consent for:(i) The transfer or disclosure of the consumer's genetic data to a person other than the company's vendors and service providers;(ii) The use of genetic data beyond the primary purpose of the company's genetic testing product or service; or(iii) The company's retention of a biological sample provided by the consumer following the company's completion of the initial testing service requested by the consumer;(B) Informed consent in accordance with the Federal Policy for the Protection of Human Subjects, as described in 45 CFR Part 46 , for transfer or disclosure of the consumer's genetic data to a third party for:(i) Research purposes; or(ii) Research conducted under the control of the company for the purpose of publication or generalizable knowledge; and(C) Express consent for:(i) Marketing to a consumer based on the consumer's genetic data; or(ii) Marketing by a third-party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service;(4) Require valid legal process for the company's disclosure of a consumer's genetic data to law enforcement or a government entity without the consumer's express written consent;(5) Develop, implement, and maintain a comprehensive security program to protect a consumer's genetic data against unauthorized access, use, or disclosure; and(6) Provide a process for a consumer to: (A) Access the consumer's genetic data;(B) Delete the consumer's account and genetic data; and(C) Destroy the consumer's biological sample.(b) Notwithstanding subdivision (a)(3)(C), a direct-to-consumer genetic testing company with a first-party relationship to a consumer may, without obtaining the consumer's express consent, provide customized content or offers on the company's website or through the company's application or service.Added by 2023 Tenn. Acts, ch. 324, s 1, eff. 7/1/2023.