Section 13-60-104 - Consumer genetic information - Privacy notice - Consent - Access - Deletion - Destruction(1) A direct-to-consumer genetic testing company shall: (a) provide to a consumer: (i) essential information about the company's collection, use, and disclosure of genetic data; and(ii) a prominent, publicly available privacy notice that includes information about the company's data collection, consent, use, access, disclosure, transfer, security, retention, and deletion practices;(b) obtain a consumer's initial express consent for collection, use, or disclosure of the consumer's genetic data that:(i) clearly describes the company's use of the genetic data that the company collects through the company's genetic testing product or service;(ii) specifies who has access to test results; and(iii) specifies how the company may share the genetic data;(c) if the company engages in any of the following, obtain a consumer's:(i) separate express consent for: (A) the transfer or disclosure of the consumer's genetic data to any person other than the company's vendors and service providers;(B) the use of genetic data beyond the primary purpose of the company's genetic testing product or service; or(C) the company's retention of any biological sample provided by the consumer following the company's completion of the initial testing service requested by the consumer;(ii) informed consent in accordance with the Federal Policy for the Protection of Human Subjects, 45 C.F.R. Part 46 , for transfer or disclosure of the consumer's genetic data to a third party for: (A) research purposes; or(B) research conducted under the control of the company for the purpose of publication or generalizable knowledge; and(iii) express consent for: (A) marketing to a consumer based on the consumer's genetic data; or(B) marketing by a third party person to a consumer based on the consumer having ordered or purchased a genetic testing product or service;(d) require valid legal process for the company's disclosure of a consumer's genetic data to law enforcement or any government entity without the consumer's express written consent;(e) develop, implement, and maintain a comprehensive security program to protect a consumer's genetic data against unauthorized access, use, or disclosure; and(f) provide a process for a consumer to:(i) access the consumer's genetic data;(ii) delete the consumer's account and genetic data; and(iii) destroy the consumer's biological sample.(2) Notwithstanding Subsection (1)(c)(iii), a direct-to-consumer genetic testing company with a first-party relationship to a consumer may, without obtaining the consumer's express consent, provide customized content or offers on the company's website or through the company's application or service.Added by Chapter 361, 2021 General Session ,§ 4, eff. 5/5/2021.Technically renumbered to avoid duplication of section number also enacted in HB314, Chapter 185, and HB202, Chapter 138.